2018-05-04 - MALSPAM PUSHING EMOTET MOVED FROM LINKS TO ATTACHMENTS THIS WEEK

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-05-04-Emotet-malspam-infection-traffic.pcap.zip   1.03 MB (1,029,190 bytes)

• 2018-05-04-Emotet-malspam-infection-traffic.pcap   (1,148,850 bytes)

• Zip archive of the emails:  2018-05-03-two-examples-of-Emotet-malspam.zip   170 kB (169,724 bytes)

• 2018-05-03-Emotet-malspam-1537-UTC.eml   (178,234 bytes)
• 2018-05-03-Emotet-malspam-1627-UTC.eml   (178,116 bytes)

• Zip archive of the malware:  2018-05-04-Emotet-malware.zip   174 kB (174,314 bytes)

• 2018-05-03-attached-Word-doc-with-macro-for-Emotet.doc   (129,536 bytes)
• 2018-05-04-downloaded-Emotet-binary.exe   (142,848 bytes)

NOTES:

• I hadn't found any new Emotet since Monday 2018-04-30, but @mesa_matt told me this campaign was still active.
• After searching around, I found two examples from Thursday 2018-05-03 using attachments instead links to the Word documents.
• Two email examples I found showed ACH-related subject lines, but I saw other examples with various subject lines common to Emotet malspam.
• Unfortunately, I couldn't find emails for any of those other examples.
• Otherwise, this seems like more of the same, execpt it's extremely limited in distribution compared to previous weeks.
• Examples of Emotet malspam from last week (ones with links instead of attachments) are in my data dumps posted on 2018-04-25, 2018-04-26, and 2018-04-27.

Shown above:  Flow chart for recent Emotet malspam infections.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxp://alian.de/4wBYki/
• hxxp://againstperfection.net/6kWq0/
• hxxp://globalreachadvertising.com/zfFgSQ/ &bnsp; (taken off line by the time I checked)
• hxxp://www.fanoff.com/ZVljVr/
• hxxp://thurtell.com/TCyk/
• hxxp://72.67.198.45/whoami.php
• hxxp://216.110.246.70/whoami.php

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS, EXAMPLE 1 OF 2:

Received: from 10.0.0.22 (60.247.97.180) by [removed] for [removed];
        Thu, 3 May 2018 11:37:53 -0400
Date: Thu, 3 May 2018 23:37:53 +0800
From: "[removed]" <[removed]@[removed]>
To: [removed]
Message-ID: <134428643353.201853153753@[recipient's email domain]>
Subject: ACH Payment info
Attachment name: Outstanding Invoices.doc

 

EMAIL HEADERS, EXAMPLE 2 OF 2:

Received: from 10.0.0.52 ([200.94.97.237]) by [removed] for [removed];
        Thu, 03 May 2018 08:27:31 -0700
Date: Thu, 03 May 2018 10:27:30 -0600
From: "[removed]" <[removed]@[removed]>
To: [removed]
Message-ID: <16037604816.201853152730@[recipient's email domain]>
Subject: ACH Payment Advice
Attachment name: Scan.doc

 

Shown above:  Malicious Word document attached to one of the emails.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

NETWORK TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 81.169.145.164 port 80 - alian.de - GET /4wBYki/
• 173.11.129.38 - SYN packets with RST from server
• 75.128.208.218 port 80 - SYN packets with RST from server
• 208.102.59.69 port 80 - SYN packets with RST from server
• 146.88.218.179 port 443 - SYN packets with RST from server
• 66.42.182.18 port 443 - SYN packets with RST from server
• 156.212.247.178 port 80 - SYN packets with RST from server
• 104.157.254.106 port 8080 - SYN packets with RST from server
• 69.41.8.88 port 8080 - SYN packets with RST from server
• 173.78.254.86 port 8080 - 173.78.254.86:8080 - GET /
• 72.67.198.45 port 80 - 72.67.198.45 - GET /whoami.php
• 72.67.198.45 port 80 - 72.67.198.45 - GET /
• 216.110.246.70 port 80 - 216.110.246.70 - GET /whoami.php
• 216.110.246.70 port 80 - 216.110.246.70 - GET /

 

FILE HASHES

MALWARE FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  b26fa7e3f85d5bd8ccca12d893dea59e60bca6bbdf035a2cc516c5da51d00d9a
  File size:  129,536 bytes
  File name:  Scan.doc, Outstanding Invoices.doc, or [any random name].doc
  File description:  Word document with macro to download and install Emotet

• SHA256 hash:  9982f6f51b44d7651ef644cb181b979deed85933967d5cc6b55fb3e316b03836
  File size:  142,848 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\Microsoft\Windows\[random name].exe
  File description:  Emotet malware binary

Shown above:  Emotet malware persistent on my infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-05-04-Emotet-malspam-infection-traffic.pcap.zip   1.03 MB (1,029,190 bytes)
• Zip archive of the emails:  2018-05-03-two-examples-of-Emotet-malspam.zip   170 kB (169,724 bytes)
• Zip archive of the malware:  2018-05-04-Emotet-malware.zip   174 kB (174,314 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.