As already reported, malicious spam (malspam) pushing Emotet is back approximately three and a half months after it disappeared. Today's diary reviews infection traffic from Tuesday, 2019-09-17.
After May 2019, I stopped finding any new examples of malspam pushing Emotet. As early as 2019-06-09, someone reported that the command and control (C2) infrastructure for Emotet had gone silent. The C2 infrastructure was active again as early as 2019-08-22, which led to several reports that Emotet was back. However, no malspam was reported until Monday 2019-09-16. Since then, Emotet activity levels have returned to what we saw before the three-and-a-half-month break.
A new Emotet malspam example
The recent examples of Emotet malspam I found all use German-language message text. Like before, this malspam either attaches Word documents directly or carries links to download them. These Word documents contain malicious macros that, when enabled, retrieve and run an Emotet EXE on a vulnerable Windows host.
Traffic for this Emotet infection was typical of what we saw before the three-and-a-half-month break. Emotet acts as a distributor for other malware, and in this case I saw Trickbot traffic after the initial Emotet infection.
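Because the initial access in this campaign depends on a macro-enabled Word document, a first triage step for a suspected attachment is to ask whether the file carries a VBA project at all, regardless of its extension. The following is an added example written for this diary, not code from the original post or from any tool mentioned in it. It checks the container format by magic bytes (OOXML zip versus legacy OLE compound file) and then looks for the VBA markers each format uses; the sample documents it builds are constructed stand-ins for testing, not real Word files or samples from this infection, and the OLE check is a byte-string heuristic rather than a full compound-file parse.

```python
import io
import zipfile

# Magic bytes for the two Word container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm (zip container)

# OLE stores stream/storage names as UTF-16LE. These names only appear in
# documents that carry a VBA project, so searching for them is a cheap
# heuristic (assumption: no full CFB directory parse is performed here).
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def ooxml_has_vba(data: bytes) -> bool:
    """In OOXML, macros live in a vbaProject.bin part inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    # Part names are case-sensitive in the zip; normalise so odd casing is not missed.
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def ole_has_vba(data: bytes) -> bool:
    """In legacy .doc files, a VBA project shows up as named OLE storages."""
    return any(marker in data for marker in OLE_VBA_MARKERS)


def triage(data: bytes):
    """Return (container_type, has_vba). Decides by magic bytes, not extension,
    so a .doc that is really a zip (or vice versa) is still classified correctly."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml", ooxml_has_vba(data)
    if data.startswith(OLE_MAGIC):
        return "ole", ole_has_vba(data)
    return "unknown", False


def flag_attachments(attachments: dict) -> list:
    """Given {filename: bytes}, return the filenames that carry a VBA project."""
    return [name for name, data in attachments.items() if triage(data)[1]]


# --- constructed test inputs (not real Word documents) ---------------------

def build_sample_ooxml(with_macro: bool) -> bytes:
    """Minimal zip that mimics the parts an OOXML Word file would contain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole(with_macro: bool) -> bytes:
    """OLE magic plus padding, with a fake _VBA_PROJECT directory name appended."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macro:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body


if __name__ == "__main__":
    samples = {
        "Rechnung.doc": build_sample_ole(True),
        "Vertrag.docm": build_sample_ooxml(True),
        "Info.docx": build_sample_ooxml(False),
        "notes.txt": b"plain text, not an Office file",
    }
    for name, data in samples.items():
        print(f"{name:14} -> {triage(data)}")
    print("flagged:", flag_attachments(samples))
```

The check answers only "does this file carry a VBA project", which is the question that matters for this campaign's delivery method; it says nothing about what the macro does. For a suspected sample, the next step is still to detonate it or dump the macro with an OLE-aware tool and look for the download URLs listed below.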
Forensics on the infected Windows host
I saw the same type of artifacts on my infected Windows host that I had seen in recent Emotet and Trickbot infections. See the images below for details.
Indicators of Compromise (IoCs)
URLs requested by the Word macro to retrieve the Emotet EXE:
Post-infection traffic caused by Emotet:
Post-infection traffic caused by Trickbot:
Files from the infected Windows host:
Pcap and malware from this infection can be found here.
Sep 18th 2019