Looks like Boris is having a no good very bad day. Couldn't happen to a nicer person. We wish Boris well in his new occupation becoming a soldier to fight for the motherland! Good luck out there in the trenches! Greets to LEA and all partners! ❤️ Great work!
🚨🚨WARNING 🚨🚨 We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: Note the traffic to lartmana[.]com. This is an active CS Team Server. 1/x
Update on #Emotet. We are noticing now that bots are starting to spam on what we are calling the Epoch 4 botnet. There is only attachment based malspam seen so far with .docm or .xlsm (really XLSM with a lame AF Template "Excell") or password protected ZIPs (operation ZipLock). 1/x
🚨Emotet back in Distro Mode🚨 - As of 0800 UTC E4 began spamming and as of 0930 UTC E5 began spamming again. Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS. 1/x
With current #emotet DOC, you can use the #CyberChef 'Register' function to dynamically select the Replace value from the base64-encoded PowerShell commands, and use it as a variable in your own Replace function to get the final URLs
BREAKING: #Emotet malspam links can since yesterday link to a Universal App installer hosted on @azure posing as an Adobe Update that drops E4 payload. This is the same initial attack vector as #BazarLoader used a few weeks ago, even using the same @SectigoHQ cert.
#Emotet E5 Update - Within the last several hours, we have seen some bots on the Epoch 5 botnet begin to drop SystemBC now as a module and execute it. This is the first drop beyond Cobalt Strike that we have seen since Emotet returned. This is a significant change 1/x
Today is the day the #Emotet version left on computers worldwide will uninstall itself. Thus ends the period to have IR find the Emotet dlls left over from old infections before the takedown. We are watching for Ivan's next moves with the rest of his buddies in RU. Keep fighting!
🚨Emotet Awakens🚨 As of 1200UTC Ivan finally got E4 to send spam. We are seeing Red Dawn templates that are very large coming in at over 500MB. Currently seeing a decent flow of spam. Septet of payload URLs and ugly macros. Sample: 1/3
We have verified distribution of #Dridex 22203 on Windows via #Log4j #Log4Shell. Class > MSHTA > VBS > rundll32.
Class:
Payload URLs:
DLL sample:
HTA > DLL run:
This is our 3rd anniversary of Cryptolaemus1. Thanks for all the follows and sharing of intel these past 3 years! To celebrate, Ivan has released a new version of Emotet because he feels left out and wants to be part of the party. More details coming soon. As always watch URLHaus
🚨🚨 Emotet important CS update 🚨🚨
Emotet has been observed executing multiple beacons in less than 2 hours on Epoch4 and Epoch5 bots.
Currently, we've seen 5 different beacons distributed, however that number could grow.
See the thread below for more details:
🚨 #Emotet Update🚨 - Looks like Ivan laid an egg for easter and has been busy. As of about 14:00UTC today 2022/04/18 - Emotet on Epoch 4 has switched over to using 64-bit loaders and stealer modules. Previously everything was 32-bit except for occasional loader shenanigans. 1/x
#Emotet E5 Update. 🚨 We are observing CS Beacons being dropped as of the last few minutes with the following C2 s://koltary[.]com/jquery-3.3.1.min.js. Watermark is once again "0". Looks like someone finally sobered up and decided to do something with the new botnet. 1/x
Hello Ivan, is that you? *sounds of vodka bottles falling over* - We have reason to believe that #Emotet is coming back for distribution (SPAM) in short order. E4/E5 woke up yesterday. Now is the time to prepare and be vigilant as Ivan may have new lures/tricks/methods to share.
#Emotet 🚨Update 🚨 At approximately 1400UTC E4 has started to drop #Qakbot botnet ID azd which is a first since Emotet has come back. So far only E4 has been seen dropping Qakbot but it would not surprise me if we saw additional drops on E5. Several bots have received this 1/x
#emotet Update - As of the last few hours Ivan is running some tests on E4 to try to bypass detection by appending a VBS at the end of an LNK file in a zip. The LNK when launched will find a string in itself and then copy the remainder from that string after to a VBS file. 1/x
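A defender-side check for the trick described in that tweet, added here as an example (not code from Cryptolaemus or from the tweet): walk the MS-SHLLINK structure of a .LNK file to where it legitimately ends and report any bytes found after it. The fixture shortcuts are constructed inline; the trailer text is a placeholder, not a real script.

```python
"""Added example: find data appended past the end of a Windows .LNK (Shell Link) file.

Layout walked (MS-SHLLINK): fixed 76-byte ShellLinkHeader, optional
LinkTargetIDList, optional LinkInfo, the StringData entries selected by
LinkFlags, then ExtraData blocks up to the terminal block (size < 4).
Anything after that point is not part of the shortcut.
"""
import struct

HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order when their flag is set
STRING_DATA_FLAGS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                     HAS_ARGUMENTS, HAS_ICON_LOCATION)


def _read(fmt: str, data: bytes, pos: int) -> int:
    """Unpack one little-endian field, failing cleanly on a truncated file."""
    size = struct.calcsize(fmt)
    if pos + size > len(data):
        raise ValueError(f"truncated Shell Link at offset {pos}")
    return struct.unpack_from(fmt, data, pos)[0]


def lnk_structure_end(data: bytes) -> int:
    """Return the offset one past the last byte of the Shell Link structure."""
    if len(data) < HEADER_SIZE or _read("<I", data, 0) != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    flags = _read("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + _read("<H", data, pos)            # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += _read("<I", data, pos)                # LinkInfoSize includes itself
    char_width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_DATA_FLAGS:
        if flags & bit:
            pos += 2 + _read("<H", data, pos) * char_width
    while True:                                      # ExtraData blocks
        size = _read("<I", data, pos)
        if size < 4:                                 # terminal block, 4 bytes
            pos += 4
            break
        pos += size
    if pos > len(data):
        raise ValueError("structure runs past end of file")
    return pos


def appended_data(data: bytes) -> bytes:
    """Bytes following the Shell Link structure; empty for a normal shortcut."""
    return data[lnk_structure_end(data):]


def build_lnk(arguments: str, trailer: bytes = b"") -> bytes:
    """Construct a minimal .LNK carrying only an Arguments string (test fixture)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, clsid, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    assert len(header) == HEADER_SIZE
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal = b"\x00\x00\x00\x00"
    return header + args + terminal + trailer


# Constructed fixtures: a plain shortcut and the same shortcut with a blob stuck on the end
CLEAN_LNK = build_lnk("/c echo constructed sample")
TRAILER = b"' constructed trailer: appended text would be here\r\n"
SUSPICIOUS_LNK = build_lnk("/c echo constructed sample", TRAILER)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        extra = appended_data(blob)
        print(f"{label}: {len(extra)} bytes after the LNK structure {extra[:32]!r}")
```

Run it over the .LNK files extracted from a suspicious zip; any non-empty result is worth a closer look, and a `ValueError` on a file that opens fine in Explorer is itself a signal that the structure is not what the parser expects.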
🔥 Heads up, we see extreme volumes of #Emotet spam from both E4 and E5. Both direct attached sheets, and password protected zips, both using localized lures in several languages.
#TA577 - NTLM Harvesting 👇
Sharing associated IOCs to hunt for outbound SMB connections related to these campaigns over the last few days.
Sample 👇
IOCs
🚨 On February 26th and 27th Telekom Security and Bayern-CERT observed threat actor #TA577 phishing campaigns. This time the actor is not spreading malware, but apparently uses NTLMv2 handshakes to steal user credentials/hashes. 🧵1/7
@abuse_ch We think it is a good time to thank you @abuse_ch for all you have done for the community and the fight against malware. Without tools like Feodotracker and URLHaus and MalwareBazaar, the fight against something like Emotet would have been much more difficult!!! We salute you!
#Emotet Update - 11/23/21 - At about 5am EST or 10am UTC, Emotet started spamming on E5 again. We are seeing password protected Zips and reply chains so far. Yesterday Ivan wasn't spamming but he is back today. Heads up out there! Watch URLHaus for more IoCs and stay safe!
We have been seeing the TR Distro actor (we call them ChaserLdr) utilize compromised Exchange servers vulnerable to Proxylogon/ProxyShell to send malspam for about 1 week with artifacts indicating access going back to early Oct. 1/x
Looking for that Emotet dropper? Not sure what file triggered it? Take a look at this reg key to find documents the user has 'trusted' and whether they ran macros.
\Software\Microsoft\Office\[version]\Word\Security\Trusted Documents\TrustRecords
FF FF FF 7F = Macro Enabled
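An added example of turning that registry tip into an IR check (this is not code from the tweet or from Cryptolaemus). It decodes a TrustRecords value and, on Windows, enumerates the key for every Office version under HKCU. Assumptions beyond what the tweet states: each value is 24 bytes, its first 8 bytes are a little-endian FILETIME recording when the document was trusted, and the flag lives in the last 4 bytes; the sample values below are constructed.

```python
"""Added example: decode Office 'Trusted Documents' TrustRecords values.

Assumptions (not from the tweet): a value is 24 bytes, bytes 0-7 are a
little-endian FILETIME, and the last 4 bytes hold the flag
(FF FF FF 7F little-endian == 0x7FFFFFFF == macros enabled).
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

MACRO_ENABLED_FLAG = 0x7FFFFFFF
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - _FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def decode_trust_record(name: str, value: bytes) -> dict:
    """Interpret one TrustRecords value (name = document path, value = binary)."""
    if len(value) < 24:
        raise ValueError(f"TrustRecords value for {name!r} too short ({len(value)} bytes)")
    filetime = struct.unpack_from("<Q", value, 0)[0]
    flag = struct.unpack_from("<I", value, len(value) - 4)[0]
    return {
        "document": name,
        "trusted_utc": filetime_to_datetime(filetime),
        "macros_enabled": flag == MACRO_ENABLED_FLAG,
    }


def enumerate_trust_records(apps=("Word", "Excel", "PowerPoint")) -> list:
    """Walk HKCU\\Software\\Microsoft\\Office\\<version>\\<app>\\...\\TrustRecords (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg
    base = r"Software\Microsoft\Office"
    results = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as office:
        i = 0
        while True:
            try:
                version = winreg.EnumKey(office, i)
            except OSError:
                break
            i += 1
            for app in apps:
                path = rf"{base}\{version}\{app}\Security\Trusted Documents\TrustRecords"
                try:
                    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
                except OSError:
                    continue
                with key:
                    j = 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(key, j)
                        except OSError:
                            break
                        j += 1
                        if isinstance(data, bytes):
                            rec = decode_trust_record(name, data)
                            results.append({**rec, "version": version, "app": app})
    return results


# Constructed sample values (placeholder paths, not real IoCs)
_T = datetime(2021, 11, 23, 10, 0, tzinfo=timezone.utc)
SAMPLE_VALUES = {
    r"%USERPROFILE%/Downloads/invoice-constructed.docm":
        struct.pack("<Q", datetime_to_filetime(_T)) + b"\x00" * 12 + b"\xff\xff\xff\x7f",
    r"%USERPROFILE%/Documents/notes-constructed.docx":
        struct.pack("<Q", datetime_to_filetime(_T)) + b"\x00" * 12 + b"\x01\x00\x00\x00",
}

if __name__ == "__main__":
    records = enumerate_trust_records() or [
        decode_trust_record(n, v) for n, v in SAMPLE_VALUES.items()
    ]
    for r in sorted(records, key=lambda r: r["trusted_utc"], reverse=True):
        print(r["trusted_utc"].isoformat(), "MACROS" if r["macros_enabled"] else "edit ", r["document"])
```

Offline it prints the two constructed records; on a live Windows host it lists every trusted document per Office version and app, so the most recently trusted macro-enabled file is usually the dropper you are looking for.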
Another Update on #Emotet E4 distro - We are now seeing URL based lures for the document downloads. Here is your example of this: At this time the deployment is limited but it will likely be mixed in the spam jobs and may become the majority. Be alert! 1/x
#Emotet 2021-11-30 Ivan is again using links to landing pages that lead to a Universal App installer on @azure (in addition to attached xlsm). However they forgot to get a new cert, so it won't work 🤷🤣
We have been following this situation since the module first showed up on Monday at 0745UTC on E4. As of today at 1330UTC, the module is now being deployed to bots on the E5 botnet as well. This looks to be a new development for Emotet and maybe soon a reawakening. Stay tuned.
#Emotet’s operators were busy updating their systeminfo module, with changes that enable malware operators to improve the targeting of specific victims and distinguish tracking bots from real users. #ESETresearch 1/7
- Great Article on the Guardians from Japan which we always thought of as our partners in the fight against Emotet/Ivan in Japan! :) Very happy to see them honored this way and sorry to anyone we did not mention in our tweet there. Stronger Together!💪
#Emotet Update - Looks like Ivan has changed things again and @Max_Mal_ caught them. Now the LNKs are calling Powershell.exe directly in the normal location for a typical Windows install under system32. No more VBS appended to the end of the file. 1/x
#emotet ramping up the complexity today
instead of a textual password in the email body, password-protected ZIP have a password as an embedded image
this one seen in multiple different emails, but expect others
This is very important to note and a good catch by @BleepinComputer to explain why Emotet/Ivan may not have decided to abandon the macro vector just yet. Placing files into these locations automatically bypasses protections put into place for updated versions of Office.
Emotet asks targets to copy the spreadsheet to these folders as they are 'trusted' by Microsoft Office.
When a file is launched from these folders it bypasses the Microsoft Office Protected View security feature, allowing macros to automatically execute without warning.
We have been doing this officially on Twitter for 2 years. I always consider the start of Nov to be the start of Cryptolaemus. Looks like Ivan is celebrating by taking an extended break time. No malspam/spam modules seen. C2 updates will be posted going forward. Stay tuned & TY!
New #Emotet Doc template seen on E4. We are calling this one the "TubeLoader" since it has references to it in the macro. It works very similar to TA551 HTA loading methods in the macro. Samples:
🚨 #Emotet Update🚨 As of approximately 18:45UTC - Ivan laid another egg for us with the 64 bit upgrade of Epoch 5 now. Up until this time, E5 was not active and just sleeping. After this time all existing infections of E5 downloaded a loader update that was 64 bit. 1/x