Posted on Leave a comment

The Notorious Emotet Botnet Returns With TrickBot Malware.

According to Luca Ebach, a security researcher, the infamous TrickBot malware is being used as an entry point to distribute what appears to be a new version of Emotet on systems previously infected by the former. The most recent variant is in the form of a DLL file, and the first occurrence of the deployment was discovered on November 14.

The notorious Emotet malware is preparing a sort of comeback nearly 10 months after its command-and-control infrastructure was destroyed in late January 2021 by a coordinated law enforcement operation.

The Emotet banking trojan has been active since at least 2014, and the botnet is run by a threat actor known as TA542. The infamous banking trojan was also used to distribute other malicious code, such as the Trickbot and QBot trojans, as well as ransomware like Conti, ProLock, Ryuk, and Egregor.

Cofense Labs warned that “If Emotet is truly returning ‘online,’ as it appears, they will most likely bring with them a bag of new tricks to throw at us.”

As of this writing, malware tracking research project Abuse.ch’s Feodo Tracker shows nine Emotet command-and-control servers that are currently online, implying that the operators are attempting to restart the botnet.

Samples of the new Emotet loader are available here. Network administrators are strongly advised to block all relevant IP addresses to prevent devices from being co-opted into the newly active Emotet botnet.

Abuse.ch tweeted as a post ,”The Emotet botnet’s botnet command-and-control (C2) infrastructure has grown from 9 active C2 servers to 14 active C2 servers in less than 24 hours. “It appears that Emotet is ramping up its activity.”

The rise in Emotet activity has been accompanied by an increase in malspam campaigns with some infection chains dropping the loader directly using macro-enabled Word and Excel documents attached to stolen email threads rather than relying on TrickBot.

Kevin Beaumont, a security researcher tweeted about it. .“[Emotet] has returned and been retooled. The code and infrastructure have been updated and it is now more secure. It must be someone or people who have access to the original source code”.

Indicator Of Compromise

URLs:

hxxp://141.94.176.124/Loader_90563_1.dll

 

Hashes:

c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01 – Loader_90563_1.dll

 

Server List:

81.0.236.93:443

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

45.76.176.10:8080

188.93.125.116:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

138.185.72.26:8080

51.68.175.8:8080

210.57.217.132:8080

 

String List:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

POST

%s\rundll32.exe “%s”,Control_RunDLL

Control_RunDLL

%s\%s

%s\%s

%s\%s%x

%s%s.exe

%s\%s

SHA256

HASH

AES

Microsoft Primitive Provider

ObjectLength

KeyDataBlob

%s\rundll32.exe “%s\%s”,%s

Content-Type: multipart/form-data; boundary=%s

 

RNG

%s%s.dll

%s\rundll32.exe “%s”,Control_RunDLL

%s%s.dll

%s\regsvr32.exe -s “%s”

%s\%s

%s%s.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%s\rundll32.exe “%s\%s”,%s

ECCPUBLICBLOB

ECDH_P256

Microsoft Primitive Provider

ECCPUBLICBLOB

Cookie: %s=%s

 

%s\rundll32.exe “%s\%s”,%s

%s:Zone.Identifier

%u.%u.%u.%u

%s\%s

%s\*

%s\%s

WinSta0\Default

%s\rundll32.exe “%s”,Control_RunDLL %s

%s%s.dll

ECCPUBLICBLOB

ECDSA_P256

Microsoft Primitive Provider

%s\%s

SHA256

Microsoft Primitive Provider

ObjectLength

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply