Sensitive data is being stolen from unsuspecting victims, and it starts with a phishing email. That email has a Microsoft Word document attached which contains malicious macros that enable the download of the malware. “Once a user opens the email message and opens the attachment or clicks the link, malware is downloaded to the system using either code embedded in the attachment or directly from the website in the case of URL-based emails,” claimed researchers. Another new wrinkle included using HTTP 301 redirects, but the reason is not known at this time. Emotet then connects to C2 servers on ports 20, 80, 443, 7080, 8443, and 50000. The malware also checks whether its victim’s IP address is on a blacklist or is listed by a spam list service such as Spamhaus, SpamCop, and SORBS.
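As an added example (not code from the article or from Binary Defense), here is the detection logic a defender could apply to the chain above: flag an outbound connection to one of the C2 ports listed when the connecting process descends from Microsoft Word. The log format, process names, pids and addresses are constructed for this example and are not a real EDR schema.

```python
# Emotet C2 ports named in the article; a port match alone is weak evidence,
# so the rule also requires the connecting process to descend from Word.
EMOTET_C2_PORTS = {20, 80, 443, 7080, 8443, 50000}
OFFICE_IMAGES = {"winword.exe"}  # macro host; assumption: extend with excel.exe etc.
# Constructed sample events (not a real Sysmon/EDR schema):
# PROC = process creation, NET = outbound connection.
SAMPLE_LOG = """\
PROC|pid=100|ppid=50|image=WINWORD.EXE
PROC|pid=200|ppid=100|image=powershell.exe
PROC|pid=300|ppid=200|image=update_svc.exe
PROC|pid=400|ppid=1|image=outlook.exe
NET|pid=300|dst=203.0.113.10|dport=7080
NET|pid=200|dst=203.0.113.20|dport=8443
NET|pid=400|dst=198.51.100.5|dport=443
NET|pid=300|dst=203.0.113.30|dport=4444
"""

def parse_log(text):
    """Return ({pid: (ppid, image)}, [(pid, dst, dport), ...])."""
    procs, conns = {}, []
    for line in text.splitlines():
        kind, *fields = line.strip().split("|")
        f = dict(kv.split("=", 1) for kv in fields)
        if kind == "PROC":
            procs[int(f["pid"])] = (int(f["ppid"]), f["image"].lower())
        elif kind == "NET":
            conns.append((int(f["pid"]), f["dst"], int(f["dport"])))
    return procs, conns

def descends_from_office(pid, procs, max_depth=8):
    """True if pid or any ancestor (up to max_depth levels) is an Office image."""
    for _ in range(max_depth):
        if pid not in procs:
            return False
        ppid, image = procs[pid]
        if image in OFFICE_IMAGES:
            return True
        pid = ppid
    return False

def detect(text=SAMPLE_LOG):
    """Connections to a C2 port from a process rooted in Word: (pid, image, dst, dport)."""
    procs, conns = parse_log(text)
    return [(pid, procs[pid][1], dst, dport) for pid, dst, dport in conns
            if dport in EMOTET_C2_PORTS and descends_from_office(pid, procs)]

if __name__ == "__main__":
    for pid, image, dst, dport in detect():
        print(f"ALERT pid={pid} ({image}) -> {dst}:{dport}: Word-descended process on Emotet C2 port")
```

The connection from Outlook on 443 and the Word-descended connection on port 4444 are deliberately left out of the alerts, showing that both conditions are needed to fire.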
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense