SlickRockWeb 🇺🇲🇺🇦
CEO of SlickRockWeb, SEO guy & part time citizen journalist. A numbers cruncher, problem solver, and now @DFRLab trained Digital Sherlock #infoSec #infoOps

Sep 4, 2020, 12 tweets

We've discovered a new #Emotet malware #phishing campaign that leverages Google Sites & a previously compromised PetFoods website. We were asked to look into the following email. Thanks to the fantastic tools from @RiskIQ @PassiveTotal we finally connected the dots. #infosec

We plan to write up the details soon but here's a general overview. We first looked at some of the indicators of compromise and surprisingly found that a Google search for "Mel Redins" revealed ZERO results in Google. That's pretty hard to do these days. #infosec #osint #emotet

Same thing with searching for the email that Mel Redins provided. Also zero results in Google and haveibeenpwned(.)com. #infosec #osint #emotet

We found evidence of other examples of the same phishing email going back at least a few weeks. We haven't fully investigated these past phishing emails but with the exception of slight variations in the text they are very similar. #infosec #osint #emotet

So how does it work? Our initial analysis tried to look at the click sequence, and we were able to identify the following chain of network requests from the initial link embedded in the #phishing email. It directs unsuspecting users to go to what seems like a legitimate Google Sites URL.

The storageonnet(.)top URL stood out in the sequence. "Top" TLDs are not very common. And this domain had been registered recently, on 07-29-2020. Another red flag. We checked into the domain using @PassiveTotal from the good folks at @RiskIQ and found a number of additional clues.

When we tried to recreate the sequence we were unable to. That happens more and more now, as malware can look for very specific requirements to function, and/or part of the network had already been dismantled. Using @PassiveTotal we found some #Osint details to find these screenshots.

From those screenshots we deduced the hackers were using Google Sites and an embedded frame using the storageonnet(.)top domain to retrieve the Word document infected with #emotet from yet another URL. Using the initial Google Sites URL allowed them to bypass spam filters. #infosec

From both @PassiveTotal and @HybridAnalysis we finally pieced together that the final URL called, which contained the #Emotet malware, was on an infected pet foods ecommerce store supposedly in India. #infosec #osint
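The delivery chain described above (trusted Google Sites lure, an iframe to the recently registered .top domain, then the Word document from the compromised store) lends itself to a simple triage pass over defanged URLs. This is an added example written for this write-up, not code from the thread or from RiskIQ; the URL paths, the registration dates other than the 07-29-2020 date given above, and the TLD list are constructed placeholders standing in for a real WHOIS or passive-DNS lookup.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample chain modelled on the thread: lure on Google Sites, an iframe to the
# .top domain, then the Word document from the compromised pet-food store. Paths are made up.
SAMPLE_CHAIN = [
    "hxxps://sites.google(.)com/view/document-share",
    "hxxp://storageonnet(.)top/load/",
    "hxxp://petskingdom(.)in/wp-content/uploads/order-form.doc",
]
# Registration dates: storageonnet.top uses the 07-29-2020 date from the thread; the other
# two are placeholders standing in for a WHOIS / passive-DNS lookup.
SAMPLE_WHOIS = {
    "storageonnet.top": date(2020, 7, 29),
    "petskingdom.in": date(2014, 3, 1),
    "sites.google.com": date(1997, 9, 15),
}
TRUSTED_HOSTS = {"sites.google.com"}           # legitimate hosts abused to get past filters
UNCOMMON_TLDS = {"top", "xyz", "icu", "buzz"}  # constructed list of TLDs rarely seen in mail
OFFICE_DOC = re.compile(r"\.(doc|docm|docx|xls|xlsm|rtf)$", re.I)
NEW_DOMAIN_DAYS = 60                           # "recently registered" threshold (assumption)

def refang(url):
    """Turn the defanged notation used in the thread back into a parseable URL."""
    return url.replace("hxxp", "http").replace("(.)", ".").replace("[.]", ".")

def triage_hop(index, url, chain_len, seen_on, whois):
    """Return (host, red flags) for one hop of the redirect chain."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    flags = []
    if host in TRUSTED_HOSTS and index < chain_len - 1:
        flags.append("trusted-host-as-redirector")   # trusted site only forwards onward
    if host.rsplit(".", 1)[-1] in UNCOMMON_TLDS:
        flags.append("uncommon-tld")
    registered = whois.get(host)
    if registered and (seen_on - registered).days < NEW_DOMAIN_DAYS:
        flags.append("recently-registered")
    if OFFICE_DOC.search(parsed.path):
        flags.append("office-document-payload")
    return host, flags

def triage_chain(chain, seen_on, whois):
    """Map each host in the chain to its flags; an empty list means nothing stood out."""
    return dict(triage_hop(i, u, len(chain), seen_on, whois) for i, u in enumerate(chain))

def triage_sample():
    """Run the triage over the constructed chain as seen on the thread's date."""
    return triage_chain(SAMPLE_CHAIN, date(2020, 9, 4), SAMPLE_WHOIS)

if __name__ == "__main__":
    for host, flags in triage_sample().items():
        print(f"{host:25s} {', '.join(flags) or 'no flags'}")
```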

That's enough of the basic details and it goes without saying that you should not go to any of these links without proper protection. #infosec #emotet #osint

Oh right, forgot: as of a few days ago at VirusTotal only Kaspersky was identifying storageonnet(.)top as potentially malicious / problematic. The petskingdom(.)in domain, more surprisingly, is only flagged in a couple of places. #emotet #malware #infosec #osint

Japan, France and New Zealand warn of a very significant sudden uptick in #Emotet Trojan attacks starting at the end of August. #infosec #malware #osint
thehackernews.com/2020/09/emotet…
