A new spam campaign delivering the “Emotet” trojan was observed targeting users worldwide. The campaign was identified after a large volume of malicious documents delivering Emotet was seen using domains from compromised WordPress sites. Until this campaign, the Emotet operators had been relatively quiet for several months; the previous campaign was observed on February 7, 2020.

The Emotet infection chain starts with spam emails carrying malicious Microsoft Word or Excel documents. The emails use a reply-chain template with lures, such as purporting to be from shipping or payment partners, to entice victims into opening the attachment. Once the victim opens the attachment with macros enabled, a PowerShell command is executed to download and run the Emotet executable. After establishing persistence, Emotet deploys the Trickbot trojan to steal the victim’s passwords, cookies, and SSH keys and to spread through the infected network.

To reduce the likelihood that Emotet is delivered and successfully deployed on victim devices, it is recommended that users check the URL of a website before clicking a link received via email, enable two-factor authentication (2FA), be wary of attachments from untrusted sources, disable macros, and keep their operating systems up to date. The following indicators of compromise have been identified with Emotet campaigns:
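The delivery step described above (a macro-enabled Word or Excel document launching PowerShell) and the defanged `[.]` notation used for the campaign's domains both lend themselves to a simple detection check. The following is an added example, not code from the original bulletin: it assumes Sysmon-style process-creation fields (parent image, image, command line), and the events and indicator domains it contains are constructed placeholders, not indicators from this campaign.

```python
import re
from dataclasses import dataclass

# Office hosts that Emotet maldocs run in, and the PowerShell images a macro launches.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def is_office_to_powershell(ev: ProcEvent) -> bool:
    """True when an Office application spawns PowerShell directly (maldoc -> PowerShell)."""
    return basename(ev.parent_image) in OFFICE_PARENTS and basename(ev.image) in POWERSHELL_IMAGES

def find_suspicious(events):
    """Return the process-creation events matching the maldoc -> PowerShell pattern."""
    return [ev for ev in events if is_office_to_powershell(ev)]

def refang(indicator: str) -> str:
    """Restore a defanged indicator such as 'example[.]com' to its matchable form."""
    return indicator.replace("[.]", ".")

def contacts_indicator(host: str, defanged_indicators) -> bool:
    """True when host equals, or is a subdomain of, any listed (defanged) domain."""
    host = host.lower().rstrip(".")
    for ind in map(refang, defanged_indicators):
        ind = ind.lower()
        if host == ind or host.endswith("." + ind):
            return True
    return False

# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -enc <base64 omitted>"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh -nop -c <omitted>"),
]
# Constructed placeholder indicators written in the bulletin's defanged notation.
SAMPLE_INDICATORS = ["indicator-example[.]test", "staging.other-example[.]test"]
```

`find_suspicious(SAMPLE_EVENTS)` returns the two Office-spawned PowerShell events, and `contacts_indicator("cdn.indicator-example.test", SAMPLE_INDICATORS)` shows how a subdomain of a listed domain is still matched after refanging.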