https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection
DETECTING A MUMMY SPIDER CAMPAIGN AND EMOTET INFECTION

By IronNet Threat Research, with lead contributions by Blake Cahen
May 11, 2022

Key findings:
* At the start of the Eid al-Fitr (Islamic holiday) weekend in early May 2022, IronNet Threat Research detected a thread hijacking attack carrying Emotet malware against an organization in the Asia Pacific region.
* This attack is likely part of a new MUMMY SPIDER campaign designed to test a bypass for Microsoft's default blocking of Office macros before the group uses it in future large-scale campaigns.
* This finding supports recent open-source reporting that MUMMY SPIDER has begun to conduct more targeted operations; the actors will likely continue to use their access to enterprise mailboxes to launch further phishing attacks.

IronNet's Network Detection and Response (NDR) platform, together with our cybersecurity experts, detected an Emotet infection on the network of a customer in the Asia Pacific region at the start of the Eid al-Fitr weekend in early May 2022. What we detected was the aftermath of a successful phishing attack against an employee: a host in the customer's enterprise had been infected with Emotet. We are still working with our partner on triage and remediation, but we are sharing our findings now to improve the community's ability to collectively defend against attacks of this kind. We assess that this attack is part of a new MUMMY SPIDER campaign designed to test updated tactics, techniques, and procedures (TTPs) for future campaigns. This article discusses the threat group behind the attack and breaks down the post-compromise activity observed within the customer's enterprise.
This attack bypassed the customer's anti-virus and other security products; IronNet's behavioral analytics nonetheless detected the post-compromise activity and quickly alerted the customer to the infection.

MUMMY SPIDER RETURNS

MUMMY SPIDER (also tracked as TA542) is a threat group that runs malicious spam (malspam) email campaigns to deploy the Emotet malware. First seen in 2014, Emotet is a modular, polymorphic trojan capable of evading signature-based detection and spreading through a victim network to compromise additional systems. Emotet often serves as first- or second-stage malware that drops or downloads further payloads, which can ultimately lead to data theft, remote control of systems, financial loss, and operational disruption. An international law enforcement operation took down the Emotet botnet in 2021, but it has since resurfaced with a new focus on targeted attacks rather than the "spray and pray" tactics it was previously known for.

We cannot claim with certainty that the group is linked to Russia; however, on April 20, 2022, a joint alert issued by the cybersecurity agencies of Australia, Canada, New Zealand, the U.S., and the U.K. named MUMMY SPIDER when warning organizations about Russian cyber attacks on critical infrastructure.

MUMMY SPIDER's operating tempo is atypical: the group goes dormant for months at a time, then conducts operations in short bursts spread over a period of several months. Recent activity attributed to the group has also coincided with holiday seasons. Historically, when the group resumed operations it used new Emotet variants in an attempt to bypass security controls. In the compromise detailed in this article, we believe MUMMY SPIDER may have been testing a new bypass for Microsoft's default blocking of Office macros.
This technique uses OneDrive URLs or XLL files in place of traditional macro-enabled documents. Proofpoint believes the lower-than-normal target volume is because MUMMY SPIDER is measuring the success of the new technique before adopting it at scale.

BEHAVIORAL DETECTION AND INCIDENT ANALYSIS

On April 29, 2022, at 01:00 UTC, an enterprise user received a phishing email with a zip file attached. The archive contained an XLL file, which the victim inadvertently executed on the host. This triggered a series of requests to multiple external domains hosting the new Emotet payload. Enterprise security products blocked most of these outbound requests, but at 01:51 UTC a session to gla[.]ge:80/old/PuVaff/ succeeded and a DLL (Emotet) was downloaded. At the time of detection the sample was not flagged as malicious by VirusTotal, which is consistent with Emotet's polymorphic builds and is one reason detection here had to rest on behavior rather than signatures.

IronNet then observed the host making a large volume of outbound requests to various remote servers in an attempt to establish command and control (C2) communications. As with the domain requests, most of these attempts were blocked, but a small number succeeded. IronDefense generated alerts on the anomalous nature of the domains, on two instances of C2 beaconing, and on numerous threat-intelligence matches.

After we reported this activity to the customer, we learned that the attack occurred on the Friday before a major holiday weekend. This suggests a potential attack of opportunity, consistent with the new TTPs MUMMY SPIDER is assumed to be operating under. IronNet alerted the customer shortly after their workday ended on Friday, enabling isolation of the infected host and mitigation during the long weekend. There is no evidence of lateral movement attempts from the infected host, supporting the assessment that the infection was isolated and thus part of MUMMY SPIDER's new test-campaign model.
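Two of the behaviors described in this section can be checked offline against connection logs: a host contacting the same remote endpoint at a near-constant interval (the "Consistent Beaconing HTTP/TLS" analytic in the MITRE mapping at the end of the post) and destinations that match known C2 infrastructure. The Python below is an added example, not IronNet's analytics. It parses constructed Zeek-style conn.log rows (timestamps placed shortly after the 01:51 UTC download in the narrative, benign destinations in the reserved TEST-NET ranges), matches destinations against a subset of the C2 IP:port pairs published in the IOC section, and flags connection series whose inter-arrival jitter is low. The thresholds are assumptions to tune, not published IronNet parameters.

```python
"""Beacon detection and C2 IOC matching over Zeek-style conn.log rows.

Added example (not IronNet's code). Log rows are constructed; the C2 list
is a subset of the IP:port pairs published in this post's IOC section.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Subset of the post's published Emotet C2 endpoints (IP:port).
C2_IOCS = {
    "176.31.73.90:443", "45.76.159.214:8080", "138.197.147.101:443",
    "104.168.154.79:8080", "149.56.131.28:8080", "94.23.45.86:4143",
}

# Download-stage URLs exactly as published (defanged with "[.]").
DOWNLOAD_URLS = [
    "gla[.]ge:80/old/PuVaff/",
    "thomasmanton[.]com:80/wp-includes/owZnpWmH4D8j/",
]


def refang(ioc: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used in threat reports."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


# Constructed rows: ts  id.orig_h  id.resp_h  id.resp_p  proto (tab-separated).
# 10.0.5.23 checks in with one C2 roughly every 60 s (assumed interval);
# 10.0.5.40 is ordinary browsing to TEST-NET addresses at irregular times.
CONN_LOG = """\
1651197660.0\t10.0.5.23\t45.76.159.214\t8080\ttcp
1651197721.0\t10.0.5.23\t45.76.159.214\t8080\ttcp
1651197780.5\t10.0.5.23\t45.76.159.214\t8080\ttcp
1651197840.2\t10.0.5.23\t45.76.159.214\t8080\ttcp
1651197900.9\t10.0.5.23\t45.76.159.214\t8080\ttcp
1651197961.1\t10.0.5.23\t45.76.159.214\t8080\ttcp
1651197600.0\t10.0.5.40\t203.0.113.10\t443\ttcp
1651197605.0\t10.0.5.40\t203.0.113.10\t443\ttcp
1651198300.0\t10.0.5.40\t203.0.113.10\t443\ttcp
1651198302.0\t10.0.5.40\t198.51.100.7\t443\ttcp
1651198302.5\t10.0.5.40\t203.0.113.10\t443\ttcp
1651200000.0\t10.0.5.40\t203.0.113.10\t443\ttcp
"""


def parse_conn_log(text):
    """Return (ts, src, dst, port, proto) tuples, skipping Zeek '#' header lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split("\t")
        rows.append((float(ts), src, dst, int(port), proto))
    return rows


def ioc_hits(rows):
    """(src, dst, port) triples whose destination is a published C2 endpoint."""
    return {(src, dst, port) for _, src, dst, port, _ in rows
            if f"{dst}:{port}" in C2_IOCS}


def beacon_candidates(rows, min_conns=5, max_cv=0.2):
    """Flag (src, dst, port) series whose inter-connection gaps are nearly
    constant: coefficient of variation (stdev / mean) at or below max_cv.
    Real implants add jitter, so max_cv is a tuning knob (assumed value)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in rows:
        by_pair[(src, dst, port)].append(ts)
    out = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            out[pair] = {"interval": round(avg, 1), "cv": round(cv, 3),
                         "count": len(stamps)}
    return out


if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    print("IOC hits:", ioc_hits(rows))
    print("Beacons:", beacon_candidates(rows))
    print("Refanged:", [refang(u) for u in DOWNLOAD_URLS])
```

The benign host makes five connections to the same destination but with gaps ranging from seconds to half an hour, so its coefficient of variation is far above the threshold; only the 60-second series is reported. On real logs the IOC match and the beacon score are best raised as separate alerts, since the beacon logic is what still fires once the C2 list has rotated.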
THREAD HIJACKING

After initial triage, IronNet's threat hunters and intelligence analysts requested a copy of the phishing email and categorized the attack as thread hijacking. In thread hijacking, a threat actor compromises an existing email conversation and injects a reply into it to borrow the thread's legitimacy and trust. In this instance, the actors leveraged an email chain about updating a spreadsheet of delivery information, which gave the target a plausible reason to open the attached file. Although the sender's address was not from a legitimate enterprise domain, the email did not raise the user's suspicion.

Categorizing the attack as thread hijacking raised additional concerns that we began to investigate. Palo Alto Networks published an article in 2020 on this type of attack, indicating that the post-infection goal is exfiltrating host data via C2. This suggests the enterprise user was likely targeted, as evidenced by the email being sent specifically to that user. We used this information to inform the customer that one or more other participants in the original email chain had likely also been infected, and that further thread hijacking attacks reusing emails from the victim user were likely.

IronNet reviewed indicators of compromise (IOCs) associated with recent MUMMY SPIDER campaigns and identified external scanning attempts against several enterprise customers. Most of this appeared to be generic scanning, but one instance involved a large volume of scanning against customer Simple Mail Transfer Protocol (SMTP) servers. We conclude this was likely an attempt to identify more malspam targets.
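The lure described above has two mechanically checkable properties: a "RE:" message whose sender domain never took part in the thread it claims to continue, and an archive attachment that wraps an XLL (a PE DLL, so it starts with the "MZ" magic) instead of a spreadsheet. The Python below is an added example, not IronNet's or the customer's mail tooling. The message, its attachment, and all addresses are constructed for illustration (reserved .example domains), and the XLL member is a stub whose only real property is the PE magic; the quoted-body and message-ID heuristics are assumptions, not a published detection rule.

```python
"""Heuristics for a hijacked-thread lure carrying a zipped XLL.

Added example (not IronNet's code). The .eml, attachment and domains are
constructed; real mail would come from the gateway or the user's mailbox.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Office/Windows will execute; XLL is the one this campaign used.
EXECUTABLE_EXTS = {".xll", ".dll", ".exe", ".scr", ".js", ".vbs", ".lnk", ".hta"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def build_sample_message() -> bytes:
    """Construct an .eml that replies into an internal thread from an
    unrelated domain and attaches a zip containing an 'MZ'-headed .xll."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stub payload: a PE file begins with b"MZ"; the rest is filler.
        zf.writestr("Delivery_Schedule_Update.xll", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "logistics <ops@unrelated-sender.example>"
    msg["To"] = "j.doe@victim-corp.example"
    msg["Subject"] = "RE: RE: Delivery schedule spreadsheet"
    msg["In-Reply-To"] = "<a1b2c3@victim-corp.example>"
    msg["References"] = "<a1b2c3@victim-corp.example> <d4e5f6@supplier.example>"
    msg.set_content("Please see the updated sheet attached.\n\n"
                    "> On Apr 28 j.doe@victim-corp.example wrote:\n"
                    "> Can you update the delivery spreadsheet?\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Delivery_Schedule_Update.zip")
    return msg.as_bytes()


def thread_domains(msg) -> set:
    """Domains of the conversation the mail claims to continue: taken from
    the In-Reply-To / References message-IDs and from addresses quoted in
    the body (assumed heuristic; stolen threads carry the victims' IDs)."""
    doms = set()
    for hdr in ("In-Reply-To", "References"):
        for mid in (msg.get(hdr) or "").split():
            doms.add(mid.strip("<>").rsplit("@", 1)[-1].lower())
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for dom in re.findall(r"[\w.+-]+@([\w.-]+)", text):
        doms.add(dom.lower())
    return doms


def suspicious_attachments(msg) -> list:
    """(archive name, member name, has PE magic) for zip members that carry
    an executable extension or start with the 'MZ' PE header."""
    found = []
    for part in msg.iter_attachments():
        if part.get_content_type() not in ARCHIVE_TYPES:
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue
        for name in zf.namelist():
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            is_pe = zf.read(name)[:2] == b"MZ"
            if ext in EXECUTABLE_EXTS or is_pe:
                found.append((part.get_filename(), name, is_pe))
    return found


def analyse(raw: bytes) -> dict:
    """Score one message: outsider replying into a thread + executable in archive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    doms = thread_domains(msg)
    is_reply = bool(re.match(r"^\s*(re|fw|fwd)\s*:", msg["Subject"] or "", re.I))
    return {
        "sender_domain": sender_domain,
        "thread_domains": sorted(doms),
        "reply_from_outsider": is_reply and bool(doms) and sender_domain not in doms,
        "attachments": suspicious_attachments(msg),
    }


if __name__ == "__main__":
    print(analyse(build_sample_message()))
```

Either signal alone is noisy (people do reply from personal domains, and zips do carry legitimate add-ins), but the two together describe exactly the email in this incident, and neither depends on the sender's infrastructure being on a blocklist yet.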
IronNet has since deployed Threat Intelligence Rules (TIR) and propagated the incident alerts throughout IronDome, giving other IronNet customers increased detection capability and reduced response time through collective defense.

CONCLUSION

Recent reporting indicates that MUMMY SPIDER and other actors using Emotet have begun to conduct more targeted operations, increasing the likelihood of spear phishing against enterprise employees. Preventing every enterprise user from ever falling for a phishing email would be ideal, but it is statistically unrealistic. Awareness training is recommended and effective, but additional layers of security for the case where a user is compromised are critical. This incident highlights the importance of behavioral detection as threat actors work to evade traditional security tools and signature-based detection. IronNet's ability to detect the behavioral aspects of this attack denied the threat group extended access to the customer's enterprise over a long weekend, and with it the opportunity to cause further damage.
IOCS

URLs:
* gakudou[.]com:80/photo06/hEu/
* giasotti[.]com:80/js/Khc6mb0zx4KoWX/
* plresende[.]com:80/pcinfor/cq/
* thomasmanton[.]com:80/wp-includes/owZnpWmH4D8j/
* gla[.]ge:80/old/PuVaff/
* gccon[.]in/UploadedFiles/UYtJNrT2llxy1/

C2 servers (extracted from the C2 config via Tria.ge):
* 176.31.73.90:443
* 45.76.159.214:8080
* 138.197.147.101:443
* 104.168.154.79:8080
* 149.56.131.28:8080
* 5.9.116.246:8080
* 77.81.247.144:8080
* 172.104.251.154:8080
* 50.30.40.196:8080
* 173.212.193.249:8080
* 51.91.76.89:8080
* 197.242.150.244:8080
* 103.75.201.2:443
* 51.254.140.238:7080
* 79.137.35.198:8080
* 72.15.201.15:8080
* 27.54.89.58:8080
* 189.126.111.200:7080
* 196.218.30.83:443
* 82.165.152.127:8080
* 164.68.99.3:8080
* 183.111.227.137:8080
* 167.172.253.162:8080
* 153.126.146.25:7080
* 129.232.188.93:443
* 151.106.112.196:8080
* 188.44.20.25:443
* 167.99.115.35:8080
* 134.122.66.193:8080
* 185.4.135.165:8080
* 212.24.98.99:8080
* 51.91.7.5:8080
* 146.59.226.45:443
* 131.100.24.231:80
* 212.237.17.99:8080
* 201.94.166.162:443
* 45.176.232.124:443
* 159.65.88.10:8080
* 160.16.142.56:8080
* 216.158.226.206:443
* 203.114.109.124:443
* 103.43.46.182:443
* 46.55.222.11:443
* 209.126.98.206:8080
* 91.207.28.33:8080
* 1.234.2.232:8080
* 45.118.115.99:8080
* 206.189.28.199:8080
* 94.23.45.86:4143
* 158.69.222.101:443
* 103.70.28.102:8080
* 101.50.0.91:8080
* 58.227.42.236:80
* 119.193.124.41:7080
* 107.182.225.142:8080
* 185.157.82.211:8080
* 45.235.8.30:8080
* 103.132.242.26:8080
* 1.234.21.73:7080
* 110.232.117.186:8080
* 209.97.163.214:443
* 185.8.212.130:7080
* 209.250.246.206:443

Tria.ge:
* https://tria.ge/220428-23e5saffg3/behavioral1#report

IRONNET ANALYTICS MAPPED TO MITRE TTPS

IronNet Analytic               | MITRE ATT&CK Tactic  | MITRE ATT&CK Technique
-------------------------------|----------------------|---------------------------
Consistent Beaconing HTTP/TLS  | Command and Control  | Application Layer Protocol
Domain Analysis HTTP/TLS       | Command and Control  | Application Layer Protocol

ABOUT IRONNET

Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet, Inc. (NYSE: IRNT) is a global cybersecurity leader that is transforming how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing a number of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today.

© 2022 IronNet, Inc. All Rights Reserved.