2023-03-07-IOCs-for-Emotet-activity.txt
2023-03-07 (TUESDAY) - EMOTET INFECTION WITH SPAMBOT ACTIVITY
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1633238684278591489
NOTES:
- Emotet has not sent any new spam since sometime in November 2022, about 3 & 1/2 to 4 months ago.
- On Tuesday 2023-03-07 starting at approximately 1200 UTC, Emotet's epoch 4 botnet resumed spamming.
-- Reference: https://twitter.com/Cryptolaemus1/status/1633099154623803394
- Emotet emails so far have zip attachments containing inflated Word documents (500+ MB) with macros for Emotet.
- The Word macros retrieve zip archives which contain inflated 64-bit DLL files (500+ MB) for Emotet.
- Aside from the inflated Word docs and inflated DLL files, the infection patterns are similar to Emotet before its hiatus.
INFECTION CHAIN:
- Email --> zip attachment --> 500+ MB Word doc --> enable macros --> download zip --> 500+ MB DLL from zip --> Emotet C2
EXAMPLES OF ZIP ATTACHMENTS FOR EMOTET MALSPAM:
- 4d9a6dfca804989d40eeca9bb2d90ef33f3980eb07ca89bbba06d0ef4b37634b - 661,401 bytes - Electronic form 03.07.2023.zip
- 4bc2d14585c197ad3aa5836b3f7d9d784d7afe79856e0ddf850fc3c676b6ecb1 - 670,543 bytes - Form Dt 03.07.2023 [info removed].zip
- 3b4fad0f7faeaa5d64daa9188a67b0de49f8909321e969c086204414652795ff - 648,160 bytes - INVOICE0000006407.zip
- afbc2421cd177bf8ca5e42f8b51c0330f1a7bec7b3214483ce653c691dbbb235 - 642,054 bytes - PO000206886.zip
INFLATED WORD DOCS EXTRACTED FROM THE ABOVE ZIP ARCHIVES:
- a0fe232fc8549e095d56da4467af9a01b4c766ae07178fce89bd486afa2846ad - 573,794,304 bytes - 36417 (Electric).doc
- 2e116e6a43dcc2ee55df34664a7d5bfae36918f3a8ce5af97be6cb99e3a4de5b - 551,774,208 bytes - Electronic form 03.07.2023.doc
- be670a75e6f3406b6143221503e7183eecdae30e1b2be864b3f668692d0acca1 - 561,211,392 bytes - Form Dt 03.07.2023.doc
- 745a064f8faeb470661c5277e7de8a282eb784d55dea0f8530e502732be8ee46 - 538,142,720 bytes - INVOICE 0000006407, US.doc
URLS GENERATED BY MACROS FROM THE ABOVE WORD DOCS:
- NOTE: So far, same URLs from every Word doc, but the six digits after the ? are variable.
FILES FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 4dd92c67830fbfe62fdfd431b426092ca041387c9e1598ea7e7fd18c7ef821cf
- File size: 891,292 bytes
- File location: hxxp://mtp.evotek[.]vn/wp-content/L/?160244
- File location: [same directory as the Word document]/160244.zip
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File description: Zip archive retrieved by Word macro
- SHA256 hash: 5400be12ec93d6936c2393bce3a285865e0b5f9280f2c0ce80b1827d07e84620
- File size: 547,028,493 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- Initial file location: [same directory as the Word document]/160244/BWJ3Dpilxzevuv4T.dll
- Persistent location: C:\Users\[username]\AppData\Local\[random alphanumeric characters]\[random alphanumeric characters].dll
- File description: 64-bit DLL for Emotet extracted from the above zip archive
- Run method: regsvr32.exe /s [filename]
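As an added detection example (not part of the original report), the following Python check flags the run method and persistence path described above, regsvr32.exe /s loading a DLL under AppData\Local\[random]\[random].dll, together with the 500+ MB inflated size. The event schema and the sample events are constructed for this illustration.

```python
import re
import shlex

# Persistence path from the report:
#   C:\Users\[username]\AppData\Local\[random alnum]\[random alnum].dll
PERSIST_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[a-z0-9]+\\[a-z0-9]+\.dll$", re.I)
INFLATED_BYTES = 500 * 1024 * 1024  # report: inflated DLLs/docs are 500+ MB

def regsvr32_target(cmdline):
    """Return the DLL path if cmdline is 'regsvr32.exe /s <dll>', else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps quotes, literal backslashes
    except ValueError:
        return None
    if not argv or not argv[0].lower().rstrip('"').endswith("regsvr32.exe"):
        return None
    flags = [a.lower() for a in argv[1:] if a.startswith(("/", "-"))]
    targets = [a.strip('"') for a in argv[1:] if not a.startswith(("/", "-"))]
    if ("/s" in flags or "-s" in flags) and len(targets) == 1:
        return targets[0]
    return None

def classify(event):
    """Return the report-derived indicators an event matches.
    Constructed schema: 'cmdline' (process command line), optional 'dll_size'
    (on-disk size in bytes of the DLL named on the command line)."""
    reasons = []
    dll = regsvr32_target(event.get("cmdline", ""))
    if dll:
        reasons.append("regsvr32 /s silent DLL registration")
        if PERSIST_RE.match(dll):
            reasons.append("DLL under AppData\\Local\\<random>\\<random>.dll")
        size = event.get("dll_size")
        if size is not None and size >= INFLATED_BYTES:
            reasons.append("inflated payload (>= 500 MB)")
    return reasons

def scan(events):
    """Return [(index, reasons)] for events matching at least two indicators;
    a lone regsvr32 /s is too common on its own to alert on."""
    return [(i, r) for i, ev in enumerate(events) if len(r := classify(ev)) >= 2]

SAMPLE_EVENTS = [  # constructed, modelled on the report's paths and DLL size
    {"cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Qz8kLm2\Xv9Tpq1.dll"',
     "dll_size": 547_028_493},
    {"cmdline": r'regsvr32.exe /s C:\Users\alice\Downloads\160244\BWJ3Dpilxzevuv4T.dll',
     "dll_size": 547_028_493},
    {"cmdline": r'C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\msxml3.dll',
     "dll_size": 2_000_000},
    {"cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
]
```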
TRAFFIC FROM AN INFECTED WINDOWS HOST:
TRAFFIC GENERATED BY WORD MACRO TO RETRIEVE THE ZIPPED DLL:
- 203.26.41[.]132 port 443 - midcoastsupplies.com.au - HTTPS traffic
- 101.99.3[.]20 port 80 - mtp.evotek.vn - GET /wp-content/L/?160244
EMOTET C2 TRAFFIC:
SPAMBOT ACTIVITY:
- Various IP addresses over various ports - mostly encrypted SMTP traffic
CERTIFICATE ISSUER DATA FOR EMOTET HTTPS C2 TRAFFIC:
- id-at-countryName=GB
- id-at-stateOrProvinceName=London
- id-at-localityName=London
- id-at-organizationName=Global Security
- id-at-organizationalUnitName=IT Department
- id-at-commonName=example.com