Introduction

On Monday 2019-12-16, I tested some Emotet samples. I normally get Trickbot as the follow-up malware, which I've already documented from Monday. But every once in a while, I'll see spambot traffic instead of (or in addition to) Trickbot. When I tested another Emotet sample later that day, I saw spambot traffic. Today's diary reviews information from that infection.

The email

On Monday afternoon (United States Central time), I saw an Emotet malspam message that made it to my inbox.
Why is the sender named Billy Idol? Because that was a name in the address book from one of my Emotet-infected Windows hosts a few months back. I generally make up names as I spin up vulnerable hosts in my lab. At some point, I vaguely remember using "Billy Idol" as a name when I'd set up a fake email account and generated some items for the inbox of a lab host. That doesn't mean "Billy Idol" was infected. It just means an Emotet-infected host had an email in the inbox (or sent items) with an address using that name as an alias. The email had an attached Word document, which I tested in my lab.
The infected Windows host

My infected host had a Windows executable for Emotet made persistent through the Windows registry as shown below. This is normal behavior for Emotet.
Infection traffic

The traffic patterns were typical for Emotet. However, if an Emotet-infected Windows client turns into a spambot, it will generate SMTP and encrypted SMTP traffic. The spambot traffic is mostly encrypted SMTP; in fact, most often all of it is encrypted. But sometimes you might find unencrypted SMTP when reviewing the traffic in Wireshark as shown below. You can also use Wireshark to export emails found in unencrypted SMTP traffic from the pcap.
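The fan-out pattern described above (one workstation suddenly talking to many mail servers, mostly over TLS) can also be checked over flow records rather than by eye in Wireshark. The script below is an added example, not part of the original diary; it assumes constructed Zeek-style conn.log lines and a hypothetical 10.12.16.101 spambot, flags any host that contacts at least five distinct mail servers on 25/465/587, and reports how much of that traffic was plaintext versus encrypted.

```python
"""Flag hosts whose outbound mail traffic fans out like an Emotet spambot
(many distinct MTAs on 25/465/587, most of it over TLS)."""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}   # SMTP, implicit-TLS SMTPS, submission
THRESHOLD = 5                 # distinct mail servers before a host is flagged

# Constructed Zeek-style conn.log sample (tab separated), not real traffic:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """\
1576520001.1\t10.12.16.101\t49152\t198.51.100.10\t443\ttcp\tssl
1576520002.2\t10.12.16.101\t49153\t203.0.113.5\t25\ttcp\tsmtp
1576520003.3\t10.12.16.101\t49154\t203.0.113.17\t465\ttcp\tssl
1576520004.4\t10.12.16.101\t49155\t203.0.113.28\t465\ttcp\tssl
1576520005.5\t10.12.16.101\t49156\t203.0.113.41\t587\ttcp\tsmtp,ssl
1576520006.6\t10.12.16.101\t49157\t203.0.113.60\t465\ttcp\tssl
1576520007.7\t10.12.16.101\t49158\t203.0.113.77\t25\ttcp\tsmtp,ssl
1576520008.8\t10.12.16.102\t50001\t192.0.2.25\t587\ttcp\tsmtp,ssl
1576520009.9\t10.12.16.102\t50002\t192.0.2.25\t587\ttcp\tsmtp,ssl
"""
FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service")

def parse_conn_log(text):
    """Tab-separated lines -> list of dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            rec = dict(zip(FIELDS, line.split("\t")))
            rec["resp_p"] = int(rec["resp_p"])
            records.append(rec)
    return records

def summarize_mail_traffic(records):
    """Per source host: mail servers contacted, plaintext vs encrypted counts."""
    summary = defaultdict(lambda: {"servers": set(), "plaintext": 0, "encrypted": 0})
    for r in records:
        if r["proto"] != "tcp" or r["resp_p"] not in SMTP_PORTS:
            continue   # only mail-submission/transfer ports matter here
        s = summary[r["orig_h"]]
        s["servers"].add(r["resp_h"])
        # 465 is implicit TLS; on 25/587 Zeek adds 'ssl' to the service field after STARTTLS.
        tls = r["resp_p"] == 465 or "ssl" in r["service"].split(",")
        s["encrypted" if tls else "plaintext"] += 1
    return summary

def find_spambot_candidates(records, threshold=THRESHOLD):
    """{host: (distinct_servers, plaintext, encrypted)} for hosts at/above threshold."""
    return {h: (len(s["servers"]), s["plaintext"], s["encrypted"])
            for h, s in summarize_mail_traffic(records).items()
            if len(s["servers"]) >= threshold}
```

Running `find_spambot_candidates(parse_conn_log(SAMPLE_CONN_LOG))` on the sample flags only 10.12.16.101 (six mail servers, one plaintext session, five encrypted), matching the diary's observation that most spambot SMTP is encrypted with only occasional cleartext sessions to carve out of the pcap.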
Indicators of Compromise (IoCs)

Malware from an infected Windows host:

SHA256 hash: b82542fa69e2a8936972242c0d2d5049235b6b0d24030073a886937f1f179680
SHA256 hash: 8bfb28788bd813e2ec3e7dc0cce9c95bda8d5df89a65b911c539e0a6aebcfc05

Traffic caused by Word macro to retrieve an Emotet EXE file:

Emotet post-infection HTTP traffic:

Spambot traffic:
Final words

A malspam example, a pcap of the infection traffic, and the associated malware can be found here.
Brad, ISC Handler, Dec 18th 2019