Emotet is Back on the Main Stage Thanks to Trickbot

After we reported that the Emotet infrastructure had been taken down by law enforcement, security researcher Luca Ebach found that another malware botnet, Trickbot, is helping Emotet rebuild its botnet by installing the Emotet trojan on systems previously infected with Trickbot.

The Cryptolaemus group also reported (https://twitter.com/Cryptolaemus1/status/1460403592658145283) that they have seen Emotet bots starting to send emails with .docm, .xlsm and .zip attachments. Emotet has facilitated ransomware attacks in the past, so we might encounter a surge of ransomware infections in the near future.

The following Emotet C2 servers (defanged with [:]) should be monitored and blocked:

  • http[:]//81.0.236.93:443
  • http[:]//94.177.248.64:443
  • http[:]//66.42.55.5:7080
  • http[:]//103.8.26.103:8080
  • http[:]//185.184.25.237:8080
  • http[:]//45.76.176.10:8080
  • http[:]//188.93.125.116:8080
  • http[:]//103.8.26.102:8080
  • http[:]//178.79.147.66:8080
  • http[:]//58.227.42.236:80
  • http[:]//45.118.135.203:7080
  • http[:]//103.75.201.2:443
  • http[:]//195.154.133.20:443
  • http[:]//45.142.114.231:8080
  • http[:]//212.237.5.209:443
  • http[:]//207.38.84.195:8080
  • http[:]//104.251.214.46:8080
  • http[:]//138.185.72.26:8080
  • http[:]//51.68.175.8:8080
  • http[:]//210.57.217.132:8080

Figure: network traffic from a host infected with Emotet, displayed in Wireshark.

Other indicators of compromise (SHA256 hashes):

  • 7c5690577a49105db766faa999354e0e4128e902dd4b5337741e00e1305ced24
  • bd9b8fe173935ad51f14abc16ed6a5bf6ee92ec4f45fd2ae1154dd2f727fb245
  • f7a4da96129e9c9708a005ee28e4a46af092275af36e3afd63ff201633c70285
  • d95125b9b82df0734b6bc27c426d42dea895c642f2f6516132c80f896be6cf32
  • 88b225f9e803e2509cc2b83c57ccd6ca8b6660448a75b125e02f0ac32f6aadb9
  • 1abd14d498605654e20feb59b5927aa835e5c021cada80e8614e9438ac323601
  • 0b132c7214b87082ed1fc2427ba078c3b97cbbf217ca258e21638cab28824bfa
  • 373398e4ae50ecb20840e6f8a458501437cfa8f7b75ad8a62a84d5c0d14d3e59
  • 29de2e527f736d4be12b272fd8b246c96290c7379b6bc2d62c7c86ebf7f33cd4
  • 632447a94c590b3733e2e6ed135a516428b0bd1e57a7d254d5357b52668b41f1
  • 69efec4196d8a903de785ed404300b0bf9fce67b87746c0f3fc44a2bb9a638fc
  • 9c345ee65032ec38e1a29bf6b645cde468e3ded2e87b0c9c4a93c517d465e70d
  • b95a6218777e110578fa017ac14b33bf968ca9c57af7e99bd5843b78813f46e0
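As an added example (not part of the original advisory), the script below turns the two indicator lists above into a check a SOC analyst can run: it parses the defanged C2 list into (ip, port) pairs, matches them against a constructed Zeek-style conn.log excerpt, and matches a constructed file inventory against the published SHA256 hashes. It goes slightly beyond the page by also handling `[.]` defanging and by reporting an IP-only hit (same address, different port) as a lower-confidence match, since C2 ports can change. The log lines, file paths and the 203.0.113.10 address are constructed sample data; the C2 entries and the three hashes are taken from the advisory.

```python
"""Match the Emotet C2 and SHA256 indicators from the advisory against
constructed connection-log and file-hash data."""
import re

# Defanged C2 list exactly as published in the advisory above.
EMOTET_C2_DEFANGED = """
http[:]//81.0.236.93:443
http[:]//94.177.248.64:443
http[:]//66.42.55.5:7080
http[:]//103.8.26.103:8080
http[:]//185.184.25.237:8080
http[:]//45.76.176.10:8080
http[:]//188.93.125.116:8080
http[:]//103.8.26.102:8080
http[:]//178.79.147.66:8080
http[:]//58.227.42.236:80
http[:]//45.118.135.203:7080
http[:]//103.75.201.2:443
http[:]//195.154.133.20:443
http[:]//45.142.114.231:8080
http[:]//212.237.5.209:443
http[:]//207.38.84.195:8080
http[:]//104.251.214.46:8080
http[:]//138.185.72.26:8080
http[:]//51.68.175.8:8080
http[:]//210.57.217.132:8080
"""

# Three of the SHA256 hashes from the advisory; the remaining ones drop in the same way.
EMOTET_SHA256 = {
    "7c5690577a49105db766faa999354e0e4128e902dd4b5337741e00e1305ced24",
    "bd9b8fe173935ad51f14abc16ed6a5bf6ee92ec4f45fd2ae1154dd2f727fb245",
    "f7a4da96129e9c9708a005ee28e4a46af092275af36e3afd63ff201633c70285",
}

_C2_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> str:
    """Undo the common [:] and [.] defanging so the string can be parsed."""
    return ioc.replace("[:]", ":").replace("[.]", ".")


def parse_c2_list(text: str) -> set:
    """Return the set of (ip, port) pairs from a defanged http[:]//ip:port list."""
    pairs = set()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•-* ").strip()  # tolerate copied bullet markers
        if not line:
            continue
        m = _C2_RE.match(refang(line))
        if m:
            pairs.add((m.group(1), int(m.group(2))))
    return pairs


# Constructed Zeek-style conn.log excerpt (tab-separated). 203.0.113.10 is a
# documentation address standing in for benign traffic.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1637000001.1\t10.0.0.5\t50122\t81.0.236.93\t443\ttcp",
    "1637000002.2\t10.0.0.5\t50123\t203.0.113.10\t443\ttcp",
    "1637000003.3\t10.0.0.7\t50124\t66.42.55.5\t7080\ttcp",
    "1637000004.4\t10.0.0.9\t50125\t103.8.26.103\t443\ttcp",
])


def find_c2_connections(log_text: str, c2: set) -> list:
    """Flag connections to a listed C2. An exact ip:port match is reported as
    'c2'; a match on the IP alone (listed port differs) is reported as 'c2-ip',
    a lower-confidence hit that still deserves triage because C2 ports move."""
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, _proto = line.split("\t")
        port = int(resp_p)
        if (resp_h, port) in c2:
            kind = "c2"
        elif resp_h in c2_ips:
            kind = "c2-ip"
        else:
            continue
        hits.append({"ts": ts, "src": orig_h, "dst": f"{resp_h}:{port}", "kind": kind})
    return hits


def find_known_hashes(inventory: dict, known: set) -> list:
    """Return paths whose SHA256 (compared case-insensitively) is in the indicator set."""
    return sorted(p for p, h in inventory.items() if h.lower() in known)


# Constructed file inventory: hypothetical paths mapped to SHA256 digests.
SAMPLE_INVENTORY = {
    r"C:\Users\alice\AppData\Local\Temp\update.dll":
        "7C5690577A49105DB766FAA999354E0E4128E902DD4B5337741E00E1305CED24",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    c2 = parse_c2_list(EMOTET_C2_DEFANGED)
    for hit in find_c2_connections(SAMPLE_CONN_LOG, c2):
        print(hit)
    print(find_known_hashes(SAMPLE_INVENTORY, EMOTET_SHA256))
```

Against the sample data this reports two exact C2 connections, one IP-only hit (103.8.26.103 on port 443 rather than the listed 8080) and one file matching a published hash. In production the same functions would be fed the real conn.log and an EDR or file-integrity hash inventory, and a hit on either list is grounds for isolating the host and reviewing it for the Trickbot infection that delivered Emotet.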


References

  • https://cyber.wtf/2021/11/15/guess-whos-back/
  • https://twitter.com/Cryptolaemus1/status/1460403592658145283
  • https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-15%20Emotet%20IOCs
  • https://isc.sans.edu/forums/diary/Emotet+Returns/28044/