According to security researcher Luca Ebach, the TrickBot malware is being used as an entry point to distribute what appears to be a new version of Emotet on systems already infected with TrickBot. The latest variant is delivered as a DLL file, and the first deployment was observed on November 14.
The notorious Emotet malware is staging a comeback nearly ten months after its command-and-control infrastructure was taken down in late January 2021 by a coordinated law-enforcement operation.
The Emotet banking trojan has been active since at least 2014, and the botnet is operated by a threat actor tracked as TA542. Emotet has also been used to distribute other malware, including the TrickBot and QBot trojans and ransomware families such as Conti, ProLock, Ryuk, and Egregor.
Cofense Labs warned that “If Emotet is truly returning ‘online,’ as it appears, they will most likely bring with them a bag of new tricks to throw at us.”
At the time of writing, Abuse.ch's Feodo Tracker, a malware-tracking research project, lists nine Emotet command-and-control servers online, which indicates that the operators are attempting to rebuild the botnet.
Samples of the new Emotet loader have been shared publicly; the loader hash is listed under Indicators of Compromise below. Network administrators are strongly advised to block the C2 addresses listed below to keep devices from being co-opted into the revived Emotet botnet.
Abuse.ch tweeted: "The Emotet botnet's command-and-control (C2) infrastructure has grown from 9 active C2 servers to 14 active C2 servers in less than 24 hours. It appears that Emotet is ramping up its activity."
The rise in Emotet activity has been accompanied by an increase in malspam campaigns, with some infection chains dropping the loader directly via macro-enabled Word and Excel documents attached to hijacked email threads, rather than relying on TrickBot.
Security researcher Kevin Beaumont tweeted: "[Emotet] has returned and been retooled. The code and infrastructure have been updated and it is now more secure. It must be someone or people who have access to the original source code."
Indicators of Compromise
URLs:
hxxp://141.94.176.124/Loader_90563_1.dll
Hashes:
c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01 – Loader_90563_1.dll
Server List:
81.0.236.93:443
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
45.76.176.10:8080
188.93.125.116:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
138.185.72.26:8080
51.68.175.8:8080
210.57.217.132:8080
String List:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
POST
%s\rundll32.exe “%s”,Control_RunDLL
Control_RunDLL
%s\%s
%s\%s
%s\%s%x
%s%s.exe
%s\%s
SHA256
HASH
AES
Microsoft Primitive Provider
ObjectLength
KeyDataBlob
%s\rundll32.exe “%s\%s”,%s
Content-Type: multipart/form-data; boundary=%s
RNG
%s%s.dll
%s\rundll32.exe “%s”,Control_RunDLL
%s%s.dll
%s\regsvr32.exe -s “%s”
%s\%s
%s%s.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s\rundll32.exe “%s\%s”,%s
ECCPUBLICBLOB
ECDH_P256
Microsoft Primitive Provider
ECCPUBLICBLOB
Cookie: %s=%s
%s\rundll32.exe “%s\%s”,%s
%s:Zone.Identifier
%u.%u.%u.%u
%s\%s
%s\*
%s\%s
WinSta0\Default
%s\rundll32.exe “%s”,Control_RunDLL %s
%s%s.dll
ECCPUBLICBLOB
ECDSA_P256
Microsoft Primitive Provider
%s\%s
SHA256
Microsoft Primitive Provider
ObjectLength
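As an added example, not from the original article or from any of the researchers quoted in it, the Python script below turns the indicators above into a small triage sweep over log lines. The C2 addresses, the loader host and SHA256, and the rundll32/regsvr32 launch patterns are copied from the IOC list; everything else (the key=value log format, field names such as `dst=`, `cmdline=`, `regkey=`, `sha256=`, the host names, and the sample log lines themselves) is constructed for illustration and is not real telemetry. The launch checks are derived from the format strings `%s\rundll32.exe "%s",Control_RunDLL` and `%s\regsvr32.exe -s "%s"` and only flag DLLs loaded from outside the Windows directory, because `rundll32.exe ...,Control_RunDLL` is also used legitimately by Control Panel applets.

```python
"""Triage sweep for the Emotet IOCs listed in the article (added example).

Log format, field names and sample lines are assumptions made for illustration.
"""
import re

# --- Indicators copied from the article's IOC list ---------------------------
EMOTET_C2 = {
    ("81.0.236.93", 443), ("94.177.248.64", 443), ("66.42.55.5", 7080),
    ("103.8.26.103", 8080), ("185.184.25.237", 8080), ("45.76.176.10", 8080),
    ("188.93.125.116", 8080), ("103.8.26.102", 8080), ("178.79.147.66", 8080),
    ("58.227.42.236", 80), ("45.118.135.203", 7080), ("103.75.201.2", 443),
    ("195.154.133.20", 443), ("45.142.114.231", 8080), ("212.237.5.209", 443),
    ("207.38.84.195", 8080), ("104.251.214.46", 8080), ("138.185.72.26", 8080),
    ("51.68.175.8", 8080), ("210.57.217.132", 8080),
}
C2_HOSTS = {host for host, _ in EMOTET_C2}
LOADER_HOST = "141.94.176.124"
LOADER_SHA256 = "c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01"
RUN_KEY = r"software\microsoft\windows\currentversion\run"

# Launch patterns from the string list:  %s\rundll32.exe "%s",Control_RunDLL
# and  %s\regsvr32.exe -s "%s".  A quoted DLL path is required, which skips the
# usual benign form  rundll32.exe shell32.dll,Control_RunDLL <applet>.cpl .
RUNDLL32_RE = re.compile(r'rundll32\.exe\s+"([^"]+)"\s*,\s*Control_RunDLL\b', re.I)
REGSVR32_RE = re.compile(r'regsvr32\.exe\s+-s\s+"([^"]+)"', re.I)
WINDOWS_DIR = "c:\\windows\\"

# Field extractors for the assumed key=value log format.
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
CMD_RE = re.compile(r"\b(?:cmdline|data)=(.*)$")
KEY_RE = re.compile(r"\bregkey=(\S+)", re.I)
HASH_RE = re.compile(r"\bsha256=([0-9a-fA-F]{64})\b")


def suspicious_launch(cmd):
    """Return a reason if cmd loads a DLL from outside %SystemRoot% the way the loader strings do."""
    for rx, label in ((RUNDLL32_RE, "rundll32 Control_RunDLL"), (REGSVR32_RE, "regsvr32 -s")):
        m = rx.search(cmd)
        if m and not m.group(1).lower().startswith(WINDOWS_DIR):
            return f"{label} on {m.group(1)}"
    return None


def scan_network(lines):
    """Return [(line_index, reason)] for connections to a listed C2 or to the loader host."""
    hits = []
    for i, line in enumerate(lines):
        m = DST_RE.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if (ip, port) in EMOTET_C2:
            hits.append((i, f"C2 {ip}:{port}"))
        elif ip in C2_HOSTS:
            # Same host on a port not in the list: lower confidence, still worth a look.
            hits.append((i, f"C2 host {ip} on unlisted port {port}"))
        elif ip == LOADER_HOST:
            hits.append((i, f"loader host {ip}"))
    return hits


def scan_host(lines):
    """Return [(line_index, reason)] for the loader hash, suspicious launches and Run-key persistence."""
    hits = []
    for i, line in enumerate(lines):
        h = HASH_RE.search(line)
        if h and h.group(1).lower() == LOADER_SHA256:
            hits.append((i, "loader SHA256"))
        m = CMD_RE.search(line)
        if not m:
            continue
        reason = suspicious_launch(m.group(1))
        if not reason:
            continue
        k = KEY_RE.search(line)
        if k and RUN_KEY in k.group(1).lower():
            reason = "Run-key persistence: " + reason
        hits.append((i, reason))
    return hits


# Constructed sample telemetry (illustrative only, not real captures).
PROXY_LOG = [
    "2021-11-15T09:58:02Z src=10.20.1.44 dst=141.94.176.124:80 method=GET url=/Loader_90563_1.dll",
    "2021-11-15T09:58:40Z src=10.20.1.44 dst=45.142.114.231:8080 method=POST bytes=4120",
    "2021-11-15T09:59:13Z src=10.20.1.17 dst=142.250.74.36:443 method=GET url=/",
    "2021-11-15T10:01:55Z src=10.20.1.44 dst=81.0.236.93:8080 method=POST bytes=2048",
]
HOST_LOG = [
    r'host=WS01 event=process cmdline=C:\Windows\System32\rundll32.exe "C:\Users\jdoe\AppData\Local\Tpmqe\Fxkrn.dll",Control_RunDLL',
    r'host=WS01 event=process cmdline=C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'host=WS01 event=registry regkey=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fxkrn data=C:\Windows\System32\rundll32.exe "C:\Users\jdoe\AppData\Local\Tpmqe\Fxkrn.dll",Control_RunDLL',
    r'host=WS02 event=file path=C:\Users\jdoe\Downloads\Loader_90563_1.dll sha256=c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01',
    r'host=WS02 event=process cmdline=C:\Windows\System32\regsvr32.exe -s "C:\Windows\System32\vbscript.dll"',
]

if __name__ == "__main__":
    for idx, why in scan_network(PROXY_LOG):
        print(f"network[{idx}]: {why}")
    for idx, why in scan_host(HOST_LOG):
        print(f"host[{idx}]: {why}")
```

Two caveats when using this against real data: the string list also contains `%s\rundll32.exe "%s\%s",%s`, where the export name is filled in at runtime, so a loader launched that way will not match the `Control_RunDLL` pattern and needs a broader rule (any quoted DLL under a user-writable path passed to rundll32); and C2 addresses churn quickly, so the server list should be refreshed from Feodo Tracker rather than baked into a detection permanently. Blocking the listed addresses at the perimeter, as the article advises, still holds while they are active.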