2018-05-04 - MALSPAM PUSHING EMOTET MOVED FROM LINKS TO ATTACHMENTS THIS WEEK
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-05-04-Emotet-malspam-infection-traffic.pcap.zip 1.03 MB (1,029,190 bytes)
- 2018-05-04-Emotet-malspam-infection-traffic.pcap (1,148,850 bytes)
- Zip archive of the emails: 2018-05-03-two-examples-of-Emotet-malspam.zip 170 kB (169,724 bytes)
- 2018-05-03-Emotet-malspam-1537-UTC.eml (178,234 bytes)
- 2018-05-03-Emotet-malspam-1627-UTC.eml (178,116 bytes)
- Zip archive of the malware: 2018-05-04-Emotet-malware.zip 174 kB (174,314 bytes)
- 2018-05-03-attached-Word-doc-with-macro-for-Emotet.doc (129,536 bytes)
- 2018-05-04-downloaded-Emotet-binary.exe (142,848 bytes)
NOTES:
- I hadn't found any new Emotet since Monday 2018-04-30, but @mesa_matt told me this campaign was still active.
- After searching around, I found two examples from Thursday 2018-05-03 using attachments instead links to the Word documents.
- Two email examples I found showed ACH-related subject lines, but I saw other examples with various subject lines common to Emotet malspam.
- Unfortunately, I couldn't find emails for any of those other examples.
- Otherwise, this seems like more of the same, execpt it's extremely limited in distribution compared to previous weeks.
- Examples of Emotet malspam from last week (ones with links instead of attachments) are in my data dumps posted on 2018-04-25, 2018-04-26, and 2018-04-27.
Shown above: Flow chart for recent Emotet malspam infections.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs:
- hxxp://alian.de/4wBYki/
- hxxp://againstperfection.net/6kWq0/
- hxxp://globalreachadvertising.com/zfFgSQ/ &bnsp; (taken off line by the time I checked)
- hxxp://www.fanoff.com/ZVljVr/
- hxxp://thurtell.com/TCyk/
- hxxp://72.67.198.45/whoami.php
- hxxp://216.110.246.70/whoami.php
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS, EXAMPLE 1 OF 2:
Received: from 10.0.0.22 (60.247.97.180) by [removed] for [removed];
Thu, 3 May 2018 11:37:53 -0400
Date: Thu, 3 May 2018 23:37:53 +0800
From: "[removed]" <[removed]@[removed]>
To: [removed]
Message-ID: <134428643353.201853153753@[recipient's email domain]>
Subject: ACH Payment info
Attachment name: Outstanding Invoices.doc
EMAIL HEADERS, EXAMPLE 2 OF 2:
Received: from 10.0.0.52 ([200.94.97.237]) by [removed] for [removed];
Thu, 03 May 2018 08:27:31 -0700
Date: Thu, 03 May 2018 10:27:30 -0600
From: "[removed]" <[removed]@[removed]>
To: [removed]
Message-ID: <16037604816.201853152730@[recipient's email domain]>
Subject: ACH Payment Advice
Attachment name: Scan.doc
Shown above: Malicious Word document attached to one of the emails.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
NETWORK TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 81.169.145.164 port 80 - alian.de - GET /4wBYki/
- 173.11.129.38 - SYN packets with RST from server
- 75.128.208.218 port 80 - SYN packets with RST from server
- 208.102.59.69 port 80 - SYN packets with RST from server
- 146.88.218.179 port 443 - SYN packets with RST from server
- 66.42.182.18 port 443 - SYN packets with RST from server
- 156.212.247.178 port 80 - SYN packets with RST from server
- 104.157.254.106 port 8080 - SYN packets with RST from server
- 69.41.8.88 port 8080 - SYN packets with RST from server
- 173.78.254.86 port 8080 - 173.78.254.86:8080 - GET /
- 72.67.198.45 port 80 - 72.67.198.45 - GET /whoami.php
- 72.67.198.45 port 80 - 72.67.198.45 - GET /
- 216.110.246.70 port 80 - 216.110.246.70 - GET /whoami.php
- 216.110.246.70 port 80 - 216.110.246.70 - GET /
FILE HASHES
MALWARE FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: b26fa7e3f85d5bd8ccca12d893dea59e60bca6bbdf035a2cc516c5da51d00d9a
File size: 129,536 bytes
File name: Scan.doc, Outstanding Invoices.doc, or [any random name].doc
File description: Word document with macro to download and install Emotet
- SHA256 hash: 9982f6f51b44d7651ef644cb181b979deed85933967d5cc6b55fb3e316b03836
File size: 142,848 bytes
File location: C:\Users\[username]\AppData\Local\Temp\Microsoft\Windows\[random name].exe
File description: Emotet malware binary
Shown above: Emotet malware persistent on my infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-05-04-Emotet-malspam-infection-traffic.pcap.zip 1.03 MB (1,029,190 bytes)
- Zip archive of the emails: 2018-05-03-two-examples-of-Emotet-malspam.zip 170 kB (169,724 bytes)
- Zip archive of the malware: 2018-05-04-Emotet-malware.zip 174 kB (174,314 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.