The Second Wave of Emotet

A second wave of Emotet Trojan infections has been identified in the national segment of the Internet. We have previously written about Emotet in the news items "Bankers Attack" and "Bankers Attack. Part 2".

The Emotet Trojan, which offers a delivery service that other families of malicious software also use, has been increasing the risks of communication in cyberspace for years. In July 2020 the malware's activity was noted again, and it is now aimed more at carrying other malicious software than at acting as a banking Trojan.

The Emotet malware, as a rule, spreads through documents attached to emails and uses correspondence found on already compromised accounts. Emails can be sent:

• on behalf of a business partner (including significant global companies);

• on behalf of a familiar person;

• in the form of a spam mailing containing a short message with an attachment or download link that looks like ordinary accounting reports, delivery notifications or various financial documents;

• on behalf of anti-virus programs, with an attachment presented as, for example, the latest signatures.

In this situation employees are usually the weakest link in the information security chain. It is therefore very important to teach them how to recognize phishing e-mails, which may contain various malware. Opening a received attachment can lead to various types of cyber fraud, including infection of the organization's entire network.

The Trojan is most often delivered as Office document attachments whose configurations contain tools that perform various functions. Some highly specialized modules are designed to compromise e-mail, others focus on stealing authentication data stored in the browser, some make it possible to conduct DDoS attacks, and others can spread ransomware.

The following are the signs of the spread and infection of the Emotet Trojan identified by CERT.BY:

Sender addresses:

  • manzimonate@oaks.co.za
  • yaghoutian@atateb-novin.ir
  • acoste@inespre.gob.do
  • info@primegeoconsult.ae
  • payment.mohali@magnusfm.in

Links found in sent emails:

  • http[:]//hesa.co.id/244344-5afaxlSlRW-module/lm/ovgx1y8cydht-1915/
  • http[:]//arkestate.al/obasr/docs/lHVxBMgs/
  • http[:]//wto.formstack.com/forms/pef_blr171

Hashes of sent Office files:

Command centers contacted:

Additional information on signs of spread and infection is available at:
https://pastebin.com/PDFdAyue
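
Network indicators in this advisory are written in defanged form (`http[:]//...`), so they have to be restored before they can be compared with proxy or firewall logs. The following is an added example, not CERT.BY's own tooling: it restores indicators in that notation and matches them against log lines. The indicator values, the log lines and the five-field log layout (time, client, method, url, status) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

def refang(indicator):
    """Undo the advisory's defanging: http[:]// -> http://, [.] -> ., hxxp -> http."""
    s = indicator.strip().lstrip("•").strip()
    s = s.replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def split_url(url):
    """Return (host, port, path) with the scheme's default port filled in."""
    if "://" not in url:              # CONNECT targets are logged as host:port
        url = "http://" + url
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.hostname or "").lower(), port, u.path.rstrip("/").lower()

def build_index(defanged):
    """Entries with a path are delivery URLs; bare host[:port] entries are C2 endpoints."""
    urls, endpoints = set(), set()
    for item in defanged:
        host, port, path = split_url(refang(item))
        if host and path:
            urls.add((host, path))
        elif host:
            endpoints.add((host, port))
    return urls, endpoints

def match_log(lines, urls, endpoints):
    """Return (line_number, client, reason) for each log line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:           # assumed layout: time client method url status
            continue
        host, port, path = split_url(fields[3])
        if (host, port) in endpoints:
            hits.append((n, fields[1], "c2-endpoint"))
        elif any(host == h and (path == p or path.startswith(p + "/")) for h, p in urls):
            hits.append((n, fields[1], "delivery-url"))
    return hits

# Constructed indicators (documentation address ranges), in the advisory's notation.
INDICATORS = ["• http[:]//192.0.2.10:443", "http[:]//198.51.100.7",
              "http[:]//downloads.example/docs/inv01/"]
# Constructed proxy log lines.
LOG = ["2020-07-20T09:14:02 10.0.0.5 GET http://downloads.example/docs/inv01/ 200",
       "2020-07-20T09:14:09 10.0.0.5 POST http://192.0.2.10:443/a1/b2/ 200",
       "2020-07-20T09:15:00 10.0.0.8 GET http://intranet.example/index.html 200",
       "2020-07-20T09:16:30 10.0.0.9 CONNECT 192.0.2.10:443 200"]
```

A client that hits both a delivery URL and a command-center endpoint, as 10.0.0.5 does in the sample, is the pattern to escalate first.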

To avoid infection, be very careful when you receive an e-mail with an attachment, even from a person you know. If you have the slightest doubt about the content or attachment of an e-mail, we recommend that you contact the sender by phone or through an alternative channel and clarify the necessary details of the message; otherwise, contact the organization's information security service.