We've discovered a new #Emotet malware #phishing campaign that leverages Google Sites & a previously compromised PetFoods website. We were asked to look into the following email. Thanks to the fantastic tools from @RiskIQ @PassiveTotal we finally connected the dots. #infosec
We plan to write up the details soon but here's a general overview. First looked at some of the indicators of compromise and surprisingly found that a Google search for "Mel Redins" revealed ZERO searches in Google. That's pretty hard to do these days. #infosec #osint #emotet
Same thing with searching for the email that Mel Redins provided. Also zero searches in Google and haveibeenpwned(.)com . #infosec #osint #emotet
We found evidence of other examples of the same phishing email going back at least a few weeks. We haven't fully investigated these past phishing emails but with the exception of slight variations in the text they are very similar. #infosec #osint #emotet
So how does it work? Or initial analysis tried 2 look at the click sequence & we were able 2 identify the following chain of network requests from the initial link embedded in the #phishing email. It directs unsuspecting users 2 go to what seems like a legitimate Google Sites URL
The storageonnet(.)top URL stood out in the sequence. "Top" TLDs are not very common. And this domain had been registered recently on 07-29-2020. Another red flag. We checked into the domain using @PassiveTotal from the good folks at @RiskIQ and found a number of additional clues
When we tried 2 recreate the sequence we were unable to. That happens more & more now as malware can look 4 very specific requirements to function and/or part of the network had already been dismantled. Using
@PassiveTotal
we found some #Osint details to find these screenshots
From those screenshots we deduced the hackers were using Google Sites & an embedded frame using the storageonnet(.)top domain to retrieve the word document infected with #emotet from yet another URL. Using the initial Google Sites URL allowed them to bypass spam filters #infosec
From both @PassiveTotal and @HybridAnalysis we finally pieced together that final URL called that contained the #Emotet malware was from an infected Petfoods ecommerce store supposedly in India. #infosec #osint
That's enough of the basic details and it goes without saying that you should not go to any of these links without proper protection. #infosec #emotet #osint
Oh right forgot, as of a few days ago at Virustotal only Kaspersky was identifying storageonnet(.)top as potentially malicious / problematic. The petskingdom(.)in domain more surprisingly is only flagged in a couple of places. #emotet #malware #infosec #osint
Japan, France, New Zealand Warn of a very significant sudden uptick in #Emotet Trojan attacks starting at the end of August. #infosec #malware #osint
thehackernews.com/2020/09/emotet…
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.