Introduction

So far in 2018, I've seen a great deal of malicious spam (malspam) pushing Emotet malware. It's probably the most common malspam threat I've seen so far in 2018. Within the past week, some good posts about Emotet have been published:

You can also find indicators about Emotet by searching Twitter for #Emotet. Assuming you can wade through the re-posts of the above articles, you'll find a community that tweets indicators about Emotet like URLs for the initial Word document, file hashes for the malware, etc.

Emotet infection from Monday 2018-07-23
On Monday 2018-07-23, I generated some Emotet infection traffic in my home lab, and I saw plenty of indicators. The following is malware retrieved from my infected Windows host:
The following are domains, IP addresses, and URLs from the infection traffic. Initial infection traffic:
Emotet post-infection traffic:
Attempted TCP connections from Emotet infection, but no response from the server:
Zeus Panda Banker traffic:
Final words

As usual, properly-administered and up-to-date Windows hosts are not likely to get infected. System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections. A pcap of the infection traffic for today's diary can be found here.

Brad, ISC Handler, Jul 24th 2018
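As an added illustration of the AppLocker mitigation mentioned above (this is example code, not part of the diary): the script below builds an executable rule collection equivalent to AppLocker's default rules, dry-runs it against a benign probe copy placed in a user-writable folder, and then enforces it locally. The probe file names and the rule names are constructed for the example; it must be run as Administrator on a Windows edition that supports AppLocker enforcement.

```powershell
# Added example, not from the ISC diary. Builds an AppLocker Exe policy that only
# allows standard users to run executables from the Windows and Program Files
# folders, then tests and enforces it. Rule GUIDs are generated on the fly.

function New-ExePathRule {
    param([string]$Name, [string]$Path, [string]$Sid)
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
# AppLocker's %PROGRAMFILES% variable covers both Program Files folders.
$rules = @(
    (New-ExePathRule -Name 'Windows folder'       -Path '%WINDIR%\*'       -Sid 'S-1-1-0'),
    (New-ExePathRule -Name 'Program Files folder' -Path '%PROGRAMFILES%\*' -Sid 'S-1-1-0'),
    (New-ExePathRule -Name 'Admins: all files'    -Path '*'                -Sid 'S-1-5-32-544')
) -join "`n"

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'exe-default-rules.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a benign PE copied into a user-writable folder (constructed probe)
# should come back Denied, while the same binary in System32 stays Allowed.
$probe = Join-Path $env:APPDATA 'probe-dropper.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path @($probe, "$env:WINDIR\System32\notepad.exe") |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force

# Enforce locally (use Group Policy for a fleet). AppLocker depends on the
# Application Identity service; sc.exe is used because Set-Service cannot
# change this service's start type on recent Windows builds.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Blocked launches appear as event ID 8004 under Applications and Services
# Logs > Microsoft > Windows > AppLocker > EXE and DLL; feed that log to your
# SIEM to detect attempts like the Emotet droppers discussed above.
```

This covers only the Exe rule collection; Script, MSI and DLL collections each need their own rules before enforcement, and the Admins rule above means privileged accounts remain unrestricted.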
Jul 24th 2018
You can add Check Point to that list, too: https://research.checkpoint.com/emotet-tricky-trojan-git-clones/
Catalin Cimpanu

Jul 24th 2018
An easier way than going through Twitter to get all recent Emotet payload URLs:
https://urlhaus.abuse.ch/browse/tag/emotet Most of the guys on Twitter have an API to this tool. Cheers PO3T

PO3T