Where are mealybugs now!?! We is hungry and no one wants to play anymore. Where everyone at?
Nov 2, 2022 • 5 tweets • 2 min read
🚨Emotet back in Distro Mode🚨 - As of 0800 UTC E4 began spamming and as of 0930 UTC E5 began spamming again. Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS. 1/x
Cryptolaemus member @ffforward tweeted out examples earlier this morning.
Cryptolaemus members @sugimu_sec and @waga_tw were on top of the case and immediately began reporting all payload URLs. H/T to @dms1899 also for being on the case. 2/x
Dec 7, 2021 • 5 tweets • 3 min read
🚨🚨WARNING 🚨🚨 We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: tria.ge/211207-t5l24sb… Note the traffic to lartmana[.]com. This is an active CS Team Server. 1/x
Also note the strange fingerprint of 0. The full config observed here H/T: @TheHack3r4chan pastebin.com/raw/KtUC5CGL What does this mean? This means the game has changed and Ivan has shortened the pipeline to exfil/Ransomware substantially. 2/x
Nov 16, 2021 • 4 tweets • 1 min read
Update on #Emotet. We are noticing now that bots are starting to spam on what we are calling the Epoch 4 botnet. There is only attachment based malspam seen so far with .docm or .xlsm (really XLSM with a lame AF Template "Excell") or password protected ZIPs (operation ZipLock). 1/x
All roads lead to the same 7 payload URLs:
2/x