Rewterz Threat Alert – Emotet Malware Massive Email Campaign

Severity

Medium

Analysis Summary

Emotet Malware is constantly being detected in the wild, targeting organizations from multiple sectors and countries. Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “YourInvoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies. Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers. Lately, Emotet infections have been used to distribute other malware like Qakbot. So these can be multi-stage attacks that bundle other malware with emotet.

Impact

• Financial loss 
• Exposure of sensitive data

Indicators of Compromise

Source IP

• 50[.]116[.]86[.]205
• 37[.]139[.]21[.]175
• 210[.]165[.]156[.]91
• 209[.]141[.]54[.]221
• 37[.]187[.]72[.]193
• 78[.]24[.]219[.]147
• 104[.]236[.]246[.]93
• 5[.]196[.]74[.]210
• 169[.]239[.]182[.]217
• 190[.]55[.]181[.]54
• 157[.]245[.]99[.]39

URL

• http[:]//210[.]165[.]156[.]91/
• http[:]//190[.]55[.]181[.]54[:]443/
• http[:]//78[.]24[.]219[.]147[:]8080/
• http[:]//157[.]245[.]99[.]39[:]8080/
• http[:]//5[.]196[.]74[.]210[:]8080/
• http[:]//169[.]239[.]182[.]217[:]8080/
• http[:]//37[.]187[.]72[.]193[:]8080/
• http[:]//104[.]236[.]246[.]93[:]8080/
• http[:]//37[.]139[.]21[.]175[:]8080/
• http[:]//50[.]116[.]86[.]205[:]8080/
• http[:]//209[.]141[.]54[.]221[:]8080/

Remediation

• Block the threat indicators at their respective controls.
• Do not download email attachments coming from untrusted sources.