#Emotet E5 Update - Within the last several hours, we have seen some bots on the Epoch 5 botnet begin to drop SystemBC now as a module and execute it. This is the first drop beyond Cobalt Strike that we have seen since Emotet returned. This is a significant change. 1/x
For the instance of SystemBC we saw dropped, the C2 was 96.30.196[.]207:4177
45.32.132[.]182:4177
SystemBC sample here: tria.ge/220310-3dqqnac…
This did not seem to be dropped on all bots on the E5 botnet, but it was on at least some that were geolocated in the USA. 2/x
We have heard of other researchers also seeing the same drops of SystemBC. This activity seemed to start around 18:00-19:00 UTC today. We will keep you informed if we see any more drops or anything on E4, which seems to be having problems even functioning correctly. GG Ivan. 3/3
🚨🚨 WARNING 🚨🚨 We have confirmed that #Emotet is dropping CS Beacons on E5 bots, and we have observed the following as of 10:00 EST/15:00 UTC. The following beacon was dropped: tria.ge/211207-t5l24sb… Note the traffic to lartmana[.]com. This is an active CS Team Server. 1/x
Also note the strange fingerprint of 0. The full config observed here (H/T: @TheHack3r4chan): pastebin.com/raw/KtUC5CGL What does this mean? This means the game has changed and Ivan has shortened the pipeline to exfil/ransomware substantially. 2/x
No Trickbot or other intermediate garbage. Straight to CS and lateral movement to DCs/critical parts of the network. You need to pay attention to this and you need to prepare. It has started; block this C2 now! 3/x
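The thread posts its C2 indicators defanged (`96.30.196[.]207:4177`, `lartmana[.]com`) and tells readers to block them. The script below is an added example, not code from the thread's author or from any tool the thread mentions: it refangs only the tokens the poster deliberately defanged (so the tria.ge and pastebin links in the same text are ignored), validates the IPs, and emits Suricata rules. The sample text is constructed from the indicators quoted above; the `sid` range and the Suricata 6+ `dns.query; dotprefix; ... endswith;` syntax are assumptions for this example, not something the thread specifies.

```python
"""Turn defanged indicators from a thread like the one above into block rules.

Added example, not code from the thread's author. Only tokens the poster
defanged with "[.]" are treated as indicators, so sandbox and pastebin
links in the same text are left alone.
"""
import ipaddress
import re

# Constructed sample input: the defanged C2 indicators quoted in the thread.
SAMPLE_THREAD = """
For the instance of SystemBC we saw dropped, the C2 was 96.30.196[.]207:4177
45.32.132[.]182:4177
SystemBC sample here: tria.ge/220310-3dqqnac
Note the traffic to lartmana[.]com. This is an active CS Team Server.
"""

IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def refang(token: str) -> str:
    """Undo common defanging conventions: [.] [:] hxxp(s)."""
    return (token.replace("[.]", ".")
                 .replace("[:]", ":")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def extract_iocs(text: str) -> dict:
    """Return {"ips": [(ip, port_or_None), ...], "domains": [...]}."""
    ips, domains = [], []
    for raw in text.split():
        if "[.]" not in raw:
            continue  # not defanged by the poster, so not an indicator
        token = refang(raw.strip(".,;:!?()\"'"))
        m = IP_PORT_RE.match(token)
        if m:
            try:
                ip = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # rejects octets like 999.1.1.1
            port = int(m.group(2)) if m.group(2) else None
            if port is not None and not 0 < port < 65536:
                continue
            ips.append((ip, port))
        elif DOMAIN_RE.match(token):
            domains.append(token.lower())
    return {"ips": ips, "domains": domains}


def suricata_rules(iocs: dict, sid_base: int = 9000000,
                   msg: str = "Emotet E5 drop C2") -> list:
    """One Suricata rule per indicator (Suricata 6+ syntax assumed).

    sid_base is a placeholder picked for this example; choose a range that
    does not collide with rules already deployed locally.
    """
    rules, sid = [], sid_base
    for ip, port in iocs["ips"]:
        dport = str(port) if port is not None else "any"
        rules.append(
            f'drop tcp $HOME_NET any -> {ip} {dport} '
            f'(msg:"{msg} {ip}:{dport}"; sid:{sid}; rev:1;)')
        sid += 1
    for dom in iocs["domains"]:
        # dotprefix + endswith also catches subdomains without matching
        # unrelated names that merely contain the string.
        rules.append(
            f'alert dns $HOME_NET any -> any any '
            f'(msg:"{msg} DNS {dom}"; dns.query; dotprefix; '
            f'content:".{dom}"; endswith; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(extract_iocs(SAMPLE_THREAD)):
        print(rule)
```

Relying on the poster's defanging as the "this is malicious" signal is deliberate: a generic IP/domain regex over the same text would also pull out the sandbox and pastebin hosts, which you do not want in a blocklist. Treat the IP rules as short-lived; C2 infrastructure like this is rotated quickly.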
Update on #Emotet. We are noticing now that bots are starting to spam on what we are calling the Epoch 4 botnet. There is only attachment-based malspam seen so far, with .docm or .xlsm (really XLSM with a lame AF "Excell" template) or password-protected ZIPs (Operation ZipLock). 1/x
All roads lead to the same 7 payload URLs:
/visteme.mx/shop/wp-admin/PP/
s://newsmag.danielolayinkas.com/content/nVgyRFrTE68Yd9s6/
/av-quiz.tk/wp-content/k6K/
/ranvipclub.net/pvhko/a/
s://goodtech.cetxlabs.com/content/5MfZPgP06/
/devanture.com.sg/wp-includes/XBByNUNWvIEvawb68/
s://team.stagingapps.xyz/wp-content/aPIm2GsjA/
2/x
We are seeing Red Dawn Templates for the docm files: