Discover and read the best of Twitter Threads about #Emotet

Most recents (21)

#Emotet’s operators were busy updating their systeminfo module, with changes that enable malware operators to improve the targeting of specific victims and distinguish tracking bots from real users. #ESETresearch 1/7
The operators completely changed the attributes that are collected and sent to the attacker’s C&Cs. The new list includes processor brand, size of physical memory in MB and an approximate % of it being in use. 2/7
The magic number – used by the server to verify that the systeminfo module is up to date – is obtained in a different way too. Instead of being part of the main function, 64 functions are used, with the module selecting one that returns the correct value. 3/7
Read 7 tweets
1/ @ESET (see tweet below) has reported that #Emotet uses LNK attachments for the initial infection vector.

We can download a sample from Bazaar by @abuse_ch for doing our own analysis (sample from 2022-05-02).

bazaar.abuse.ch/sample/ce7191e…

#CyberSecurity
2/ exiftool works very well to find out the path and command line arguments of the malicious LNK file:
3/ The analyzed sample from @Netskope calls PowerShell directly. However, in our sample, cmd.exe is called first, then PowerShell with a base64 encoded command argument.

Picture taken from here - an analysis worth reading:
netskope.com/blog/emotet-ne…
Read 8 tweets
You may have noticed lately a lot of talk of MOTW (Mark of the Web). The reason why this is important is because of Microsoft's changes that are rolling out this year to set the default treatment of files containing macros (VBA/XLM4.0) from the Internet to being blocked. 🧵1/x
We all cheered the changes from Microsoft on the default treatment of macros first for Excel 4.0 macros and then later for VBA macros. XLM announcement: techcommunity.microsoft.com/t5/excel-blog/… VBA announcement: docs.microsoft.com/en-us/deployof… 2/x
As I have been saying for a while, most threat actors realized they needed to get ahead of this and start working on alternatives or ways to bypass this new protection. As can be seen in the Microsoft links, most of these defaults roll out in July to the majority of installs. 3/x
Read 9 tweets
#Emotet E5 Update - Within the last several hours, we have seen some bots on the Epoch 5 botnet begin to drop SystemBC now as a module and execute it. This is the first drop beyond Cobalt Strike that we have seen since Emotet returned. This is a significant change 1/x
For the instance of SystemBC we saw dropped, the C2 was 96.30.196[.]207:4177
45.32.132[.]182:4177
SystemBC sample here:
tria.ge/220310-3dqqnac…
This did not seem to be dropped on all bots on the E5 botnet but it was at least some that were geolocated in the USA. 2/x
We have heard of other researchers also seeing the same drops of SystemBC. This activity seemed to start around 18:00-19:00UTC today. We will keep you informed if we see any more drops or anything on E4 which seems to be having problems even functioning correctly. GG Ivan. 3/3
Read 3 tweets
🚨🚨WARNING 🚨🚨 We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: tria.ge/211207-t5l24sb… Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x
Also note the strange fingerprint of 0. The full config observed here H/T: @TheHack3r4chan pastebin.com/raw/KtUC5CGL What does this mean? This means the game has changed and Ivan has shortened the pipeline to exfil/Ransomware substantially. 2/x
No Trickbot or other intermediate garbage. Straight to CS and lateral movement to DCs/Critical Parts of the network. You need to pay attention to this and you need to prepare. It has started, block this C2 now! 3/x
Read 5 tweets
Interesting #maldoc
#TrickBot is distributed using a maldoc that uses #Emotet Template:

Process:
- It drops a small dll (1.xml) and executes it by creating an Outlook instance that calls rundll to execute 1.xml
- Drops a PS file and executes it
- Downloads and executes TrickBot
Read 3 tweets
Update on #Emotet. We are noticing now that bots are starting to spam on what we are calling the Epoch 4 botnet. There is only attachment-based malspam seen so far with .docm or .xlsm (really XLSM with a lame AF Template "Excell") or password protected ZIPs (operation ZipLock). 1/x
all roads lead to same 7 URLs payloads:
2/x

We are seeing Red Dawn Templates for the docm files:

3/x
Read 4 tweets
Malware cleanup: #BKA uses #Emotet takedown as a door opener for more powers and new laws

"The #Bundeskriminalamt installed a malware update on tens of thousands of Windows PCs worldwide in order to clean them up..." /1

by @andre_meister
netzpolitik.org/2021/schadsoft…
"Experts criticise the contrived legal basis of this explosive operation. The #BKA president is calling for the law to be adapted to practice." /2
"In the @Bundestag, #BKA president Holger Münch admitted that there is no legal basis (#Rechtsgrundlage) for a complete cleanup of the systems and that the operation took place at the limit of what is legally possible." /3
Read 25 tweets
ICYMI, @PwC_UK’s 2020 #threatintel Year in Retrospect report is out now! All the team contributed but h/t to @KystleM_Reid! 🔥 You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Read 19 tweets
#KRITIS sector #Medien (media) and #Kultur (culture)

"Delivery problems with ePaper/eMagazines"

The #Ransomware hit the #Funke Mediengruppe pretty hard.

This nasty 2021 Oo

What all is missing? 1/5
hilfe.onleihe.de/pages/viewpage…
Well, at Onleihe, a whole list of ePaper/eMagazines.

...received the following list of affected media:

Auto Bild
Computer Bild
Musikexpress
Rolling Stone
Sport Bild
Jüdische Allgemeine
Blick
Glückspost
Schweizer Landliebe
Schweizer Illustrierte
LandIDEE
Le Temps 2/5
Schweizer Versicherung
Weltwoche
Audio Video Foto Bild
Auto BILD Reisemobil
Auto Test
Bike Bild
B.Z.
BILD am Sonntag
BILD Bundesausgabe
Börse Online
Euro am Sonntag
Euro
Metal Hammer
Bild der Frau Schlank & Fit
Bild der Frau Gut Kochen & Backen
die aktuelle
Frau im Spiegel 3/5
Read 5 tweets
Quick #Emotet thread with detections / mitigations etc since there has been a spike in the past few months.

Firstly, it is worth blocking the URLs, domains and IP addresses found at the following links -

paste.cryptolaemus.com
feodotracker.abuse.ch/downloads/ipbl…
urlhaus.abuse.ch/downloads/csv_…
Cryptolaemus also contains Emotet hashes in their releases - check for these on your network if possible.

Next, it is worth setting up detections in your SIEM for any communications to the URLs, domains and IP addresses found at the following links -
Read 7 tweets
Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-…
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Many cyber crimes involve different jurisdictions - rarely is adversary infrastructure all in the same country, so law enforcement and private industry have to cooperate globally.
Read 28 tweets
New #Egregor victim
CENCOSUD 🇨🇱🇦🇷

Possible access vector:
- RDP exposed to the Internet
- There is also talk of an INSIDER (?) 😬

NOTE: in Chile, another RETAIL company is infected with #Emotet.

[#Ransomware] ALERTED on 15 Oct. 2020 👇
Interesting...

#Egregor automatically sends the ransom note to be printed.

#Maze speaks through the speakers, stating that your computer and data have been encrypted.
Read 5 tweets
We've discovered a new #Emotet malware #phishing campaign that leverages Google Sites & a previously compromised PetFoods website. We were asked to look into the following email. Thanks to the fantastic tools from @RiskIQ @PassiveTotal we finally connected the dots. #infosec
We plan to write up the details soon but here's a general overview. First looked at some of the indicators of compromise and surprisingly found that a Google search for "Mel Redins" revealed ZERO searches in Google. That's pretty hard to do these days. #infosec #osint #emotet
Same thing with searching for the email that Mel Redins provided. Also zero searches in Google and haveibeenpwned(.)com . #infosec #osint #emotet
Read 12 tweets
Best-of thread from the T-Systems-Forensik_Bericht_Public_V1 on the #Emotet infection at the #Kammergericht Berlin:

"Examination of a client proves an infection from 20.09.2019 at 17:52 at the latest." (1/10)
"An infection via a USB stick can be neither ruled out nor proven.
The exact infection path cannot be determined." (2/10)
"The first indicators pointed to a serious case of an Emotet infection with unforeseeable consequences for the network, the systems and the data of the Kammergericht." (3/10)
Read 10 tweets
1/6
Based on the evidence published, some bullets in Everis case:

#Ryuk was not involved; the ransom note is different.

#Ryuk/#Bitpaymer take a long time to be deployed.

#Ryuk has been seen in combination with #Emotet->#Trickbot.
2/6
0day Bonjour Updater
Oct 10, Morphisec published “the abuse of an Apple zero-day vulnerability in the Apple Software Update utility that comes packaged with iTunes for Windows”, related to #Bitpaymer adversaries.
3/6
BlueKeep
Over the weekend @GossiTheDog reported that his honeypot saw activity related to BlueKeep; working with @MalwareTechBlog, they found that the final payload is a #MoneroMiner. Some IOCs shared today are related to this activity.
Read 8 tweets
The first #Emotet spam run of the last quarter of 2018 adds malicious PDF files in the infection chain. PDF attachments have a malicious link that downloads a doc with a malicious macro. If allowed to run, the macro in the doc executes PowerShell code that downloads the payload.
Notably, some emails ditch the PDF and carry the malicious document itself (as per usual). No matter, antivirus capabilities in Windows Defender ATP block the malicious PDF and doc files in this campaign as Trojan:O97M/Sonbokli.A!cl. Office 365 ATP blocks the malicious emails.
The payload of this campaign is #Emotet (SHA-256: 86770d8bd51a10131e0b4b3b1bc3f49578d05b372d7f19ace910bb7abc5f70a8)
Read 3 tweets
A couple of fresh malware campaigns in the past few days were halted by Windows Defender AV, whose cloud-based machine learning technologies detected and blocked #Hancitor and #Emotet malware runs at the onset.
The previously unknown #Hancitor and #Emotet variants, which were distributed via email, were flagged by various ML models. Our machine learning technologies combined results from multiple algorithms to correctly determine the malware.
#Hancitor is known for being a sophisticated malware that has been used in targeted attacks in the past and for using unusual APIs and memory injection techniques. #Emotet, on the other hand, is one of the most active banking malware today.
Read 5 tweets
New high-volume #spam campaign has links pointing to malicious documents that download banking Trojan #Emotet
A fresh #Emotet variant (SHA1:9214359938285f26785f7eaf25a74dddea678065) is the payload of a massive spam campaign
Malicious docs use filenames like "Invoice number <random digits>.doc", "Invoice <random> reminder.doc", "Invoice <random> Message.doc", etc.
Read 3 tweets
