Recently, following the release of the public website “HaveIBeenEmotet.com”, which allows companies to search for their domain name and find out whether they have been targeted, Emotet has paused its spamming campaigns, presumably to retool. For the past week no Emotet spam has been seen, and module distribution has been few and far between. Additionally, the IP buffers have been much more static, with the first change since the 5th seen today (October 13th, 2020).
In this downtime, Binary Defense recommends visiting paste.cryptolaemus.com and blocking the list of current Command and Control (C2) servers published there. Additionally, Binary Defense recommends the use of a 24/7 SOC monitoring solution, like Binary Defense’s own Security Operations Task Force, to prepare for Emotet’s return. Constant auditing of newly installed tasks, services, and run keys is an effective way of ensuring that if Emotet manages to install, it will be detected and won’t stay on the system for long.
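One way to automate the audit of tasks, services and run keys recommended above, as an added example that is not Binary Defense's own tooling: a PowerShell script that snapshots scheduled tasks, Windows services and the Run/RunOnce registry keys, writes a baseline on its first run, and on later runs (for example from an elevated scheduled task) reports every entry that was not in the baseline. The baseline path is an assumed default, and the script should run elevated so that all tasks and the HKLM keys are readable.

```powershell
# Added example (not Binary Defense's code): snapshot autostart locations and diff against a saved baseline.
# First run writes the baseline; later runs report anything new or changed so an analyst can review it.
param(
    [string]$BaselinePath = "$env:ProgramData\autostart-baseline.json"  # assumed location, adjust as needed
)

function Get-AutostartSnapshot {
    $items = @()
    # Scheduled tasks: full task path plus the executable and arguments of each action
    foreach ($t in Get-ScheduledTask) {
        $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $items += [pscustomobject]@{ Type = 'Task'; Name = "$($t.TaskPath)$($t.TaskName)"; Value = $actions }
    }
    # Services: service name plus the binary/command line the service runs
    foreach ($s in Get-CimInstance Win32_Service) {
        $items += [pscustomobject]@{ Type = 'Service'; Name = $s.Name; Value = $s.PathName }
    }
    # Run / RunOnce keys for the machine (64- and 32-bit views) and for the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # metadata added by the registry provider
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $items += [pscustomobject]@{ Type = 'RunKey'; Name = "$k\$($p.Name)"; Value = [string]$p.Value }
        }
    }
    return $items
}

$current = Get-AutostartSnapshot
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
    exit 0
}
# Key each baseline entry by type, name and value so that a changed command line also shows up as new
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($b in $baseline) { $known["$($b.Type)|$($b.Name)|$($b.Value)"] = $true }
$new = $current | Where-Object { -not $known.ContainsKey("$($_.Type)|$($_.Name)|$($_.Value)") }
if (-not $new) { Write-Host "No new autostart entries since baseline."; exit 0 }
Write-Warning "New or changed autostart entries since baseline (review each one):"
$new | Format-Table -AutoSize
```

Re-run the script with the baseline removed after legitimate software changes, otherwise approved entries keep appearing as new.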