Emotet launches major new spam campaign

Cyber Security

The recent spike in Emotet activity shows that it remains an active threat

A week after adding a new email content harvesting module, and following a period of low activity, the malicious actors behind Emotet have launched a new, large-scale spam campaign.

What is Emotet?

Emotet is a banking Trojan family notorious for its modular architecture, persistence techniques, and worm-like self-propagation. It is distributed through spam campaigns employing a variety of seemingly legitimate guises for their malicious attachments. The Trojan is often used as a downloader or dropper for potentially more-damaging, secondary payloads. Due to its high destructive potential, Emotet was the subject of a US-CERT security notice in July 2018.

The new campaign

According to our telemetry, the latest Emotet activity was launched on November 5, 2018, following a period of low activity. Figure 1 shows a spike in the Emotet detection rate in the beginning of November 2018, as seen in our telemetry data.

Figure 1 – Overview of ESET product detections of Emotet in the past two weeks

Breaking those detections down by country, as seen in Figure 2, this latest Emotet campaign appears to be most active the Americas, the UK, Turkey and South Africa.

Figure 2 – Distribution of ESET detections of Emotet in November 2018 (including both file and network detections)

In the November 2018 campaign, Emotet makes use of malicious Word and PDF attachments posing as invoices, payment notifications, bank account alerts, etc., seemingly coming from legitimate organizations. Alternately, the emails contain malicious links instead of attachments. The email subjects used in the campaign suggest a targeting of English and German-speaking users. Figure 3 shows Emotet activity in November 2018 from the perspective of document detections. Figures 4, 5 and 6 are example emails and attachments from this campaign.

Figure 3 – Distribution of ESET detections of Emotet-related documents in November 2018

Figure 4 – Example of a spam email used in the latest Emotet campaign

Figure 5 – Example of a malicious Word document used in the latest Emotet campaign

Figure 6 – Example of a malicious PDF used in the latest Emotet campaign

The compromise scenario in this November 2018 campaign starts with the victim opening a malicious Word or PDF file attached to a spam email seemingly coming from a legitimate and familiar organization.

Following the instructions in the document, the victim enables macros in Word or clicks on the link in the PDF. The Emotet payload is subsequently installed and launched, establishes persistence on the computer and reports the successful compromise to its C&C server. In turn, it receives instructions on which attack modules and secondary payloads to download.

The modules extend the initial payload’s functionality with one or more of credential-stealing, network propagation, sensitive information harvesting, port forwarding, and other capabilities. As for the secondary payloads, this campaign has seen Emotet dropping TrickBot and IcedId on compromised machines.

Conclusion

This recent spike in Emotet activity just goes to show that Emotet continues to be an active threat – and an increasingly worrying one due to the recent module updates. ESET systems detect and block all Emotet components under detection names listed in the IoCs section.

Indicators of Compromise (IoCs)

Example hashes

Note that new builds of Emotet binaries are released approximately every two hours, so hashes may not be the latest available.

Emotet

SHA-1 ESET detection name
51AAA2F3D967E80F4C0D8A86D39BF16FED626AEF Win32/Kryptik.GMLY trojan
EA51627AF1F08D231D7939DC4BA0963ED4C6025F Win32/Kryptik.GMLY trojan
3438C75C989E83F23AFE6B19EF7BEF0F46A007CF Win32/Kryptik.GJXG trojan
00D5682C1A67DA31929E80F57CA26660FDEEF0AF Win32/Kryptik.GMLC trojan

Modules

SHA-1 ESET detection name
0E853B468E6CE173839C76796F140FB42555F46B Win32/Kryptik.GMFS trojan
191DD70BBFF84D600142BA32C511D5B76BF7E351 Win32/Emotet.AW trojan
BACF1A0AD9EA9843105052A87BFA03E0548D2CDD Win32/Kryptik.GMFS trojan
A560E7FF75DC25C853BB6BB286D8353FE575E8ED Win32/Kryptik.GMFS trojan
12150DEE07E7401E0707ABC13DB0E74914699AB4 Win32/Kryptik.GMFS trojan
E711010E087885001B6755FF5E4DF1E4B9B46508 Win32/Agent.TFO trojan

Secondary payloads

TrickBot

SHA-1 ESET detection name
B84BDB8F039B0AD9AE07E1632F72A6A5E86F37A1 Win32/Kryptik.GMKM trojan
9E111A643BACA9E2D654EEF9868D1F5A3F9AF767 Win32/Kryptik.GMKM trojan

IcedId

SHA-1 ESET detection name
0618F522A7F4FE9E7FADCD4FBBECF36E045E22E3 Win32/Kryptik.GMLM trojan

C&C servers (active as of November 9, 2018)

187.163.174[.]149:8080
70.60.50[.]60:8080
207.255.59[.]231:443
50.21.147[.]8:8090
118.69.186[.]155:8080
216.176.21[.]143:80
5.32.65[.]50:8080
96.246.206[.]16:80
187.163.49[.]123:8090
187.207.72[.]201:443
210.2.86[.]72:8080
37.120.175[.]15:80
77.44.98[.]67:8080
49.212.135[.]76:443
216.251.1[.]1:80
189.130.50[.]85:80
159.65.76[.]245:443
192.155.90[.]90:7080
210.2.86[.]94:8080
198.199.185[.]25:443
23.254.203[.]51:8080
67.237.41[.]34:8443
148.69.94[.]166:50000
107.10.139[.]119:443
186.15.60[.]167:443
133.242.208[.]183:8080
181.229.155[.]11:80
69.198.17[.]20:8080
5.9.128[.]163:8080
104.5.49[.]54:8443
139.59.242[.]76:8080
181.27.126[.]228:990
165.227.213[.]173:8080





Products You May Like

Articles You May Like

New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs
Kids’ VTech tablets vulnerable to eavesdropping hackers
Coinbase abandons its cautious approach with plan to list up to 30 new cryptocurrencies
WhiteSource Bolt for GitHub: Free Open Source Vulnerability Management App for Developers
HypeHop is a product to fix sponsored videos

Leave a Reply

Your email address will not be published. Required fields are marked *