{"id":16375,"date":"2019-09-23T12:17:24","date_gmt":"2019-09-23T20:17:24","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/09\/23\/news-10116\/"},"modified":"2019-09-23T12:17:24","modified_gmt":"2019-09-23T20:17:24","slug":"news-10116","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/23\/news-10116\/","title":{"rendered":"Emotet malspam campaign uses Snowden’s new book as lure"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Mon, 23 Sep 2019 18:40:44 +0000<\/strong><\/p>\n

Exactly one week ago, Emotet, one of the most dangerous threats to organizations in the last year, resumed its malicious spam campaigns<\/a> after several months of inactivity. Based on our telemetry, we can see that the botnet started becoming chatty with its command and control servers (C2), about a week or so before the spam came through.<\/p>\n

\n
\"\"<\/a>
Figure 1: Communications with Emotet C2s over 90 days<\/figcaption><\/figure>\n<\/div>\n

To kick off its spam campaign last week, Emotet resumed spear phishing tactics it adopted in late spring 2019, hijacking old email threads with personalized subject lines and appearing as old invoices.<\/p>\n

This week, Emotet is trying a different tactic, incorporating the news about NSA whistleblower Edward Snowden’s new book Permanent Record<\/a><\/em> as a lure. The memoir, which is already on Amazon’s bestseller list, has been the subject of intense debates. In addition, the US government is also suing Snowden<\/a> for violating non-disclosure agreements and publishing without prior approval.<\/p>\n

Criminals are known to capitalize on newsworthy events for scams and other social engineering<\/a> purposes. In this particular case, Emotet authors are supposedly offering Snowden’s memoir as a Word attachment. We collected emails from our spam honeypot in English, Italian, Spanish, German and French<\/a> claiming to contain a copy of Snowden’s book in Word form.<\/p>\n

\n
\"Snowden's\"<\/a><\/figure>\n<\/div>\n

Upon opening the document, a fake message that “Word hasn’t been activated” is displayed to victims who are prompted to enable the content with a yellow security warning. Once they do, nothing appears to happen. However, what users don’t see is the malicious macro code that will execute once they click on the button.<\/p>\n

\"\"<\/a>
Figure 3: Fake document containing macro code<\/figcaption><\/figure>\n

The macro triggers a PowerShell command that will retrieve the Emotet malware binary from a compromised WordPress site. After infection, the machine will attempt to reach out to one of Emotet’s many C2s:<\/p>\n

\n
\"\"<\/a>
Figure 4: Network traffic upon infection<\/figcaption><\/figure>\n<\/div>\n

As each new week rolls in, the threat actors behind Emotet are always punctual with delivering their spam messages, thanks to their large botnet. And once they’ve spammed and infiltrated an endpoint, their work is far from over. As we’ve said before<\/a>, Emotet is a double or even triple threat if it is not quarantined right away.<\/p>\n

Follow up payloads, such as TrickBot<\/a> and Ryuk ransomware<\/a> are those that can truly cripple any business that is not prepared.<\/p>\n

Malwarebytes business users<\/a> and Premium home users are already protected against this threat.<\/p>\n

Indicators of Compromise (IOCs)<\/h3>\n

Malicious Word document<\/strong><\/p>\n

5ab7a5cf290ebf52647771f893a2fa322a9b1891e5a5e54811c500dd290c8477<\/p>\n

Emotet payload<\/strong><\/p>\n

757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975<\/p>\n

Network traffic<\/strong><\/p>\n

Emotet: www.cia.com[.]py\/wp-content\/uploads\/2019\/09\/XNFerERN\/   Emotet C2: 62.75.171.248:7080\/chunk\/window\/ringin\/   Emotet C2: 133.130.73[.]156 Emotet C2: 178.32.255[.]133<\/code><\/pre>\n
<\/p>\n
The post Emotet malspam campaign uses Snowden’s new book as lure<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: Threat Intelligence Team| Date: Mon, 23 Sep 2019 18:40:44 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Emotet starts a new week of malicious spam by promising a copy of Edward Snowden’s new book.  <\/p>\n
Categories: <\/p>\n