Discover and read the best of Twitter Threads about #Emotet


Update on #Emotet. We are noticing now that bots are starting to spam on what we are calling the Epoch 4 botnet. There is only attachment-based malspam seen so far with .docm or .xlsm (really XLSM with a lame AF template "Excell") or password-protected ZIPs (operation ZipLock). 1/x
All roads lead to the same 7 payload URLs:
2/x

We are seeing Red Dawn Templates for the docm files:

3/x
Read 4 tweets
Malware clean-up: #BKA uses the #Emotet takedown as a door-opener for more powers and new laws

"#Bundeskriminalamt has installed a malware update on tens of thousands of Windows PCs worldwide in order to clean them up..." /1

by @andre_meister
netzpolitik.org/2021/schadsoft…
"Experts criticise the contrived legal basis of this explosive operation. The #BKA president is calling for the law to be adapted to practice." /2
"In the @Bundestag, #BKA president Holger Münch admitted that there is no #Rechtsgrundlage (legal basis) for a complete clean-up of the systems and that the operation took place at the limit of what is legally possible." /3
Read 25 tweets
ICYMI, @PwC_UK's 2020 #threatintel Year in Retrospect report is out now! The whole team contributed, but h/t to @KystleM_Reid! 🔥 You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Read 19 tweets
#KRITIS sector #Medien and #Kultur

"Delivery difficulties for ePaper/eMagazines"

The #Ransomware hit the #Funke Mediengruppe pretty hard.

This nasty 2021 Oo

What is missing? 1/5
hilfe.onleihe.de/pages/viewpage…
Well, at Onleihe, a whole list of ePaper/eMagazines.

...received the following list of affected media:

Auto Bild
Computer Bild
Musikexpress
Rolling Stone
Sport Bild
Jüdische Allgemeine
Blick
Glückspost
Schweizer Landliebe
Schweizer Illustrierte
LandIDEE
Le Temps 2/5
Schweizer Versicherung
Weltwoche
Audio Video Foto Bild
Auto BILD Reisemobil
Auto Test
Bike Bild
B.Z.
BILD am Sonntag
BILD Bundesausgabe
Börse Online
Euro am Sonntag
Euro
Metal Hammer
Bild der Frau Schlank & Fit
Bild der Frau Gut Kochen & Backen
die aktuelle
Frau im Spiegel 3/5
Read 5 tweets
Quick #Emotet thread with detections / mitigations etc. since there has been a spike in the past few months.

Firstly, it is worth blocking the URLs, domains and IP addresses found at the following links -

paste.cryptolaemus.com
feodotracker.abuse.ch/downloads/ipbl…
urlhaus.abuse.ch/downloads/csv_…
Cryptolaemus also includes Emotet hashes in their releases - check for these on your network if possible.

Next, it is worth setting up detections in your SIEM for any communications to the URLs, domains and IP addresses found at the following links -
Read 7 tweets
Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-…
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Many cyber crimes involve different jurisdictions - rarely is adversary infrastructure all in the same country, so law enforcement and private industry have to cooperate globally.
Read 28 tweets
New #Egregor victim
CENCOSUD 🇨🇱🇦🇷

Possible access vector:
- RDP exposed to the Internet
- There is also talk of an INSIDER (?) 😬

WATCH OUT: in Chile another RETAIL company is infected with #Emotet.

[#Ransomware] ALERTED on 15 Oct. 2020 👇
Interesting...

#Egregor automatically sends the ransom note to the printer.

#Maze speaks through the loudspeakers announcing that your computer and data have been encrypted.
Read 5 tweets
We've discovered a new #Emotet malware #phishing campaign that leverages Google Sites & a previously compromised PetFoods website. We were asked to look into the following email. Thanks to the fantastic tools from @RiskIQ @PassiveTotal we finally connected the dots. #infosec
We plan to write up the details soon but here's a general overview. First looked at some of the indicators of compromise and surprisingly found that a Google search for "Mel Redins" revealed ZERO searches in Google. That's pretty hard to do these days. #infosec #osint #emotet
Same thing with searching for the email that Mel Redins provided. Also zero searches in Google and haveibeenpwned(.)com . #infosec #osint #emotet
Read 12 tweets
I deleted the original because @VirITeXplorer pointed out that the email is from yesterday. IT IS RIGHT
antispam screenshot said 30_07_2020
email screenshot said 29_07_2020
URLs are from 29_07_2020
1/2
I had written 30 because the antispam screenshot shows 30
then the email shows 29
The URLs contacted by the DOC are from the 29th (@VirITeXplorer is right), as per the pastebin and abusech links
I also redid the tweet leaving only the dates from the screenshots, so there is no dispute
Read 3 tweets
Best-of thread from the T-Systems-Forensik_Bericht_Public_V1 on the #Emotet infection at the #Kammergericht Berlin:

"Examination of a client proved an infection from no later than 20.09.2019 at 17:52." (1/10)
"An infection via a USB stick can neither be ruled out nor proven.
The exact infection path cannot be determined." (2/10)
"The first indicators pointed to a serious case of an Emotet infection with unforeseeable consequences for the network, systems and data of the Kammergericht." (3/10)
Read 10 tweets
1/6
Based on the evidence published, some bullets in the Everis case:

#Ryuk was not involved; the ransom note is different.

#Ryuk/#Bitpaymer take a long time to be deployed.

#Ryuk has been seen in combination with #Emotet->#Trickbot.
2/6
0day Bonjour Updater
Oct 10, Morphisec published "the abuse of an Apple zero-day vulnerability in the Apple Software Update utility that comes packaged with iTunes for Windows", related to #Bitpaymer adversaries.
3/6
BlueKeep
Over the weekend @GossiTheDog reported that his honeypot saw activity related to BlueKeep; working with @MalwareTechBlog they found that the final payload is a #MoneroMiner. Some IOCs shared today are related to this activity.
Read 8 tweets
The first #Emotet spam run of the last quarter of 2018 adds malicious PDF files to the infection chain. The PDF attachments carry a malicious link that downloads a doc with a malicious macro. If allowed to run, the macro in the doc executes PowerShell code that downloads the payload.
Notably, some emails ditch the PDF and carry the malicious document itself (as per usual). No matter, antivirus capabilities in Windows Defender ATP block the malicious PDF and doc files in this campaign as Trojan:O97M/Sonbokli.A!cl. Office 365 ATP blocks the malicious emails.
The payload of this campaign is #Emotet (SHA-256: 86770d8bd51a10131e0b4b3b1bc3f49578d05b372d7f19ace910bb7abc5f70a8)
Read 3 tweets
A couple of fresh malware campaigns in the past few days were halted by Windows Defender AV, whose cloud-based machine learning technologies detected and blocked #Hancitor and #Emotet malware runs at the onset.
The previously unknown #Hancitor and #Emotet variants, which were distributed via email, were flagged by various ML models. Our machine learning technologies combined results from multiple algorithms to correctly determine the malware.
#Hancitor is known for being a sophisticated malware that has been used in targeted attacks in the past and for using unusual APIs and memory injection techniques. #Emotet, on the other hand, is one of the most active banking malware today.
Read 5 tweets
New high-volume #spam campaign has links pointing to malicious documents that download the banking Trojan #Emotet
A fresh #Emotet variant (SHA1: 9214359938285f26785f7eaf25a74dddea678065) is the payload of a massive spam campaign
Malicious docs use filenames like "Invoice number <random digits>.doc", "Invoice <random> reminder.doc", "Invoice <random> Message.doc", etc.
Read 3 tweets
