Submitted URL: https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign
Effective URL: https://www.malwarebytes.com/blog/news/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign

News


EMOTET IS BACK: BOTNET SPRINGS BACK TO LIFE WITH NEW SPAM CAMPAIGN

Posted: September 16, 2019 by Threat Intelligence Team

After months of laying dormant, the notorious Emotet is back, with its botnet
spewing spam globally.

After a fairly long hiatus that lasted nearly four months, Emotet is back with
an active spam distribution campaign. For a few weeks, there were signs that the
botnet was setting its gears in motion again, as we observed command and control
(C2) server activity. But this morning, the Trojan started pumping out spam, a
clear indication it's ready to jump back into action.

The malicious emails started in the wee hours of Monday morning, with templates
spotted in German, Polish, and Italian. Our Threat Intelligence team started
seeing phishing emails sent in English as well with the subject line "Payment
Remittance Advice."

Figure 1: Our spam honeypot receiving Emotet emails

Note the personalization in the email subject lines. Borrowing a tactic from
North Korean nation-state actors, Emotet's creators are bringing back highly
sophisticated spear phishing functionality introduced in April 2019, which
includes hijacking old email threads and referencing the user by name.

Figure 2: The phishing email masquerading as a statement

Victims are lured to open the attached document and enable the macro to
kick-start the infection process.

Figure 3: Word document employs social engineering to convince users into
running a macro.



Figure 4: Obfuscated macro code responsible for launching PowerShell

The PowerShell command triggered by the macro attempts to download Emotet from
compromised sites, often running on the WordPress content management system
(CMS).

There are alternate delivery techniques as well. For example, some instances of
the malicious document rely on a downloader script instead.

Figure 5: Script blocked upon macro execution

Once the download is successful and Emotet is installed on the endpoint, it
begins propagating by spreading laterally to other endpoints in the network and
beyond. It also steals credentials from installed applications and spams the
user's contact list. Perhaps the biggest threat, though, is that Emotet serves
as a delivery vector for more dangerous payloads, such as TrickBot and other
ransomware families.

Emotet is most notorious for collateral damage inflicted as part of a blended
attack. Dubbed the "triple threat" by many in security, Emotet partners with
TrickBot and Ryuk ransomware for a knockout combo that ensures maximum
penetration through the network so that valuable data may be stolen and sold for
profit, while the rest is encrypted in order to extort organizations into paying
the ransom to retrieve their files and systems.

Alternatively, compromised machines can lie dormant until operators decide to
hand off the job to other criminal groups that will demand large sums of
money—up to US$5 million—from their victims. In the past, we've seen the
infamous Ryuk ransomware deployed in this way.

While Emotet is typically focused on infecting organizations, individual
consumers may also be at risk. Malwarebytes business customers and Malwarebytes
for Windows Premium home users are already guarded against this campaign, thanks
to our signature-less anti-exploit technology. As always, we recommend users be
cautious when opening emails with attachments, even if they appear to come from
acquaintances.

Figure 6: Malwarebytes Endpoint protection blocking the attack




PROTECTION AND REMEDIATION

Users who are not Malwarebytes customers or who use the free scanner will want
to take additional steps to protect against Emotet or clean up the infection, if
they've already been hit. Businesses and organizations that may currently be
battling an Emotet infection can contact Malwarebytes for immediate help. Or,
for more background on how Emotet works and a list of remediation tips, view
our Emotet emergency kit.

As this campaign is not even a day old, we don't yet know the impact on
organizations and other users. We will continue to update this post as we learn
more throughout the day. In the meantime, warn your coworkers, friends, and
family to be wary of emails disguised as invoices or any other "phishy"
instances.


INDICATORS OF COMPROMISE (IOCS)

Email subject lines

Payment Remittance Advice
Numero Fattura 2019...

Malicious Word documents

eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b
fb25f35c54831b3641c50c760eb94ec57481d8c8b1da98dd05ba97080d54ee6a
bee23d63404d97d2b03fbc38e4c554a55a7734d83dbd87f2bf1baf7ed2e39e3e
5d9775369ab5486b5f2d0faac423e213cee20daf5aaaaa9c8b4c3b4e66ea8224

Hacked websites hosting the Emotet binary

danangluxury[.]com/wp-content/uploads/KTgQsblu/
gcesab[.]com/wp-includes/customize/zUfJervuM/
autorepuestosdml[.]com/wp-content/CiloXIptI/
covergt[.]com/wordpress/geh7l30-xq85i1-558/
zhaoyouxiu[.]com/wp-includes/vxqo-84953w-5062/
rockstareats[.]com/wp-content/themes/NUOAajdJ/
inwil[.]com/wp-content/oyFhKHoe
inesmanila[.]com/cgi-bin/otxpnmxm-3okvb2-29756/
dateandoando[.]com/wp-includes/y0mcdp2zyq_lx14j2wh2-0551284557/

Emotet binaries

8f05aa95aa7b2146ee490c2305a2450e58ce1d1e3103e6f9019767e5568f233e
7080e1b236a19ed46ea28754916c43a7e8b68727c33cbf81b96077374f4dc205
61e0ac40dc2680aad77a71f1e6d845a37ab12aa8cd6b638d2dbcebe9195b0f6
f5af8586f0289163951adaaf7eb9726b82b05daa3bb0cc2c0ba5970f6119c77a
6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5

Post-infection traffic (C2s)

187[.]155[.]233[.]46
83[.]29[.]180[.]97
181[.]36[.]42[.]205
200[.]21[.]90[.]6
123[.]168[.]4[.]66
151[.]80[.]142[.]33
159[.]65[.]241[.]220
109[.]104[.]79[.]48
43[.]229[.]62[.]186
72[.]47[.]248[.]48
190[.]1[.]37[.]125
46[.]29[.]183[.]211
91[.]205[.]215[.]57
178[.]79[.]163[.]131
187[.]188[.]166[.]192
181[.]188[.]149[.]134
125[.]99[.]61[.]162
77[.]245[.]101[.]134
138[.]68[.]106[.]4
187[.]242[.]204[.]142
190[.]19[.]42[.]131
213[.]120[.]104[.]180
149[.]62[.]173[.]247
181[.]48[.]174[.]242
80[.]85[.]87[.]122
183[.]82[.]97[.]25
185[.]86[.]148[.]222
90[.]69[.]208[.]50
91[.]83[.]93[.]124
183[.]87[.]87[.]73
62[.]210[.]142[.]58
186[.]83[.]133[.]253
109[.]169[.]86[.]13
179[.]62[.]18[.]56
81[.]169[.]140[.]14
187[.]144[.]227[.]2
69[.]163[.]33[.]82
88[.]250[.]223[.]190
190[.]230[.]60[.]129
37[.]59[.]1[.]74
203[.]25[.]159[.]3
79[.]143[.]182[.]254
200[.]57[.]102[.]71
217[.]199[.]175[.]216
201[.]219[.]183[.]243
196[.]6[.]112[.]70
200[.]58[.]171[.]51
5[.]77[.]13[.]70
217[.]113[.]27[.]158
46[.]249[.]204[.]99
159[.]203[.]204[.]126
170[.]247[.]122[.]37
200[.]80[.]198[.]34
62[.]75[.]143[.]100
89[.]188[.]124[.]145
143[.]0[.]245[.]169
190[.]117[.]206[.]153
77[.]122[.]183[.]203
46[.]21[.]105[.]59
181[.]39[.]134[.]122
86[.]42[.]166[.]147
23[.]92[.]22[.]225
179[.]12[.]170[.]88
182[.]76[.]6[.]2
201[.]250[.]11[.]236
86[.]98[.]25[.]30
198[.]199[.]88[.]162
178[.]62[.]37[.]188
92[.]51[.]129[.]249
92[.]222[.]125[.]16
142[.]44[.]162[.]209
92[.]222[.]216[.]44
138[.]201[.]140[.]110
64[.]13[.]225[.]150
182[.]176[.]132[.]213
37[.]157[.]194[.]134
206[.]189[.]98[.]125
45[.]123[.]3[.]54
45[.]33[.]49[.]124
178[.]79[.]161[.]166
104[.]131[.]11[.]150
173[.]212[.]203[.]26
88[.]156[.]97[.]210
190[.]145[.]67[.]134
144[.]139[.]247[.]220
159[.]65[.]25[.]128
186[.]4[.]172[.]5
87[.]106[.]136[.]232
189[.]209[.]217[.]49
149[.]202[.]153[.]252
78[.]24[.]219[.]147
125[.]99[.]106[.]226
95[.]128[.]43[.]213
47[.]41[.]213[.]2
37[.]208[.]39[.]59
185[.]94[.]252[.]13
212[.]71[.]234[.]16
87[.]106[.]139[.]101
188[.]166[.]253[.]46
175[.]100[.]138[.]82
85[.]104[.]59[.]244
62[.]75[.]187[.]192
91[.]205[.]215[.]66
136[.]243[.]177[.]26
190[.]186[.]203[.]55
162[.]243[.]125[.]212
91[.]83[.]93[.]103
217[.]160[.]182[.]191
94[.]205[.]247[.]10
211[.]63[.]71[.]72
41[.]220[.]119[.]246
104[.]236[.]246[.]93
117[.]197[.]124[.]36
75[.]127[.]14[.]170
31[.]12[.]67[.]62
169[.]239[.]182[.]217
179[.]32[.]19[.]219
177[.]246[.]193[.]139
31[.]172[.]240[.]91
152[.]169[.]236[.]172
201[.]212[.]57[.]109
222[.]214[.]218[.]192
87[.]230[.]19[.]21
46[.]105[.]131[.]87
182[.]176[.]106[.]43
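The indicators above are published defanged ("[.]" for "."), so they have to be refanged before they can be compared against telemetry. The following script is an added example, not code from the post or from Malwarebytes: it refangs a subset of the IoCs listed above (payload URLs, C2 addresses, maldoc hashes), matches them against constructed sample log lines, and also applies a simple behavioural rule for the macro stage shown in Figures 4 and 5 (an Office process spawning a script host). The log format ("<timestamp> <host> <event>"), the host names, the benign address 203.0.113.5 and the Office/script-host process lists are assumptions made for the demonstration.

```python
"""Match the Emotet IoCs from the post against sample endpoint and network
telemetry. Added example: the indicators are copied from the post above; the
log format, host names and log lines are constructed for this demonstration."""
import re
from collections import defaultdict
from dataclasses import dataclass

# IoCs copied from the post, kept in their defanged form (a subset of the list).
DEFANGED_PAYLOAD_URLS = [
    "danangluxury[.]com/wp-content/uploads/KTgQsblu/",
    "gcesab[.]com/wp-includes/customize/zUfJervuM/",
    "inwil[.]com/wp-content/oyFhKHoe",
]
DEFANGED_C2_IPS = ["187[.]155[.]233[.]46", "83[.]29[.]180[.]97", "151[.]80[.]142[.]33"]
MALDOC_SHA256 = {
    "eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b",
    "fb25f35c54831b3641c50c760eb94ec57481d8c8b1da98dd05ba97080d54ee6a",
}

# Behavioural rule for the macro stage (assumed process lists): an Office
# application spawning a script host, as the macro in Figure 4 does.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
PROC_RE = re.compile(r"parent=(\S+)\s+child=(\S+)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Reverse the defanging used in the post so the value can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    stage: str       # maldoc_hash, macro_spawns_script_host, payload_url, c2_ip
    indicator: str


def scan(lines):
    """Return one Hit per indicator match; the host is the second field of each line."""
    payload_urls = [refang(u).lower() for u in DEFANGED_PAYLOAD_URLS]
    c2_ips = {refang(i) for i in DEFANGED_C2_IPS}
    hits = []
    for n, line in enumerate(lines, 1):
        host = line.split()[1]
        for h in SHA256_RE.findall(line):
            if h.lower() in MALDOC_SHA256:
                hits.append(Hit(n, host, "maldoc_hash", h.lower()))
        m = PROC_RE.search(line)
        if m and m.group(1).lower() in OFFICE_APPS and m.group(2).lower() in SCRIPT_HOSTS:
            hits.append(Hit(n, host, "macro_spawns_script_host", f"{m.group(1)} -> {m.group(2)}"))
        for m in URL_RE.finditer(line):
            # Compare host+path against the published path prefix, not the bare domain:
            # the hosting sites are hacked but otherwise legitimate.
            seen = (m.group(1) + (m.group(2) or "")).lower()
            for u in payload_urls:
                if seen.startswith(u):
                    hits.append(Hit(n, host, "payload_url", u))
        for ip in IPV4_RE.findall(line):
            if ip in c2_ips:
                hits.append(Hit(n, host, "c2_ip", ip))
    return hits


def infected_hosts(lines, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the infection chain."""
    stages = defaultdict(set)
    for hit in scan(lines):
        stages[hit.host].add(hit.stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


# Constructed sample telemetry: "<timestamp> <host> <event>". 203.0.113.5 is a
# documentation-range address standing in for benign traffic.
SAMPLE_LOG = [
    "2019-09-16T08:11:55Z host01 file=statement.doc sha256=EEE144531839763B15051BADBBDA9DAAE38F60C02ABAA7794A046F96A68CD10B",
    "2019-09-16T08:11:58Z host01 parent=WINWORD.EXE child=powershell.exe cmdline=[redacted]",
    "2019-09-16T08:12:01Z host01 GET http://danangluxury.com/wp-content/uploads/KTgQsblu/ 200",
    "2019-09-16T08:13:44Z host01 10.0.0.15 -> 187.155.233.46:443 ALLOW",
    "2019-09-16T08:14:10Z host02 GET http://danangluxury.com/about/ 200",
    "2019-09-16T08:15:00Z host02 parent=explorer.exe child=powershell.exe cmdline=[redacted]",
    "2019-09-16T08:16:22Z host02 10.0.0.16 -> 203.0.113.5:443 ALLOW",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no} {hit.host}: {hit.stage} ({hit.indicator})")
    print("hosts with a multi-stage chain:", infected_hosts(SAMPLE_LOG))
```

On the sample data, host01 trips all four stages (maldoc hash, Office spawning PowerShell, payload download from a listed WordPress path, and a connection to a listed C2), while host02's visit to an unrelated page on the same compromised domain and its PowerShell launched from explorer.exe produce no hits. The URL rule matches on the published path prefix rather than the domain because the hosting sites are compromised legitimate sites; a domain-level match can still be useful as a lower-severity alert, and the C2 list should be refreshed from current threat intelligence, since the post notes the campaign was less than a day old when the list was published.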
