Severity
Medium
Analysis Summary
Emotet Malware is constantly being detected in the wild, targeting organizations from multiple sectors and countries. Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “YourInvoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies. Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers. Lately, Emotet infections have been used to distribute other malware like Qakbot. So these can be multi-stage attacks that bundle other malware with emotet.
Impact
- Financial loss
- Exposure of sensitive data
Indicators of Compromise
Source IP
- 50[.]116[.]86[.]205
- 37[.]139[.]21[.]175
- 210[.]165[.]156[.]91
- 209[.]141[.]54[.]221
- 37[.]187[.]72[.]193
- 78[.]24[.]219[.]147
- 104[.]236[.]246[.]93
- 5[.]196[.]74[.]210
- 169[.]239[.]182[.]217
- 190[.]55[.]181[.]54
- 157[.]245[.]99[.]39
URL
- http[:]//210[.]165[.]156[.]91/
- http[:]//190[.]55[.]181[.]54[:]443/
- http[:]//78[.]24[.]219[.]147[:]8080/
- http[:]//157[.]245[.]99[.]39[:]8080/
- http[:]//5[.]196[.]74[.]210[:]8080/
- http[:]//169[.]239[.]182[.]217[:]8080/
- http[:]//37[.]187[.]72[.]193[:]8080/
- http[:]//104[.]236[.]246[.]93[:]8080/
- http[:]//37[.]139[.]21[.]175[:]8080/
- http[:]//50[.]116[.]86[.]205[:]8080/
- http[:]//209[.]141[.]54[.]221[:]8080/
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments coming from untrusted sources.