“A statement from the German Federal Criminal Police Office about their participation in Operation Ladybird said prosecutors seized 17 servers in Germany that acted as Emotet controllers.”
update: Emotet trying to spread by WIFI since 2018
on the heise security conference last year was said: Virus Scanners since around 10 years are not sufficient anymore.
(heise a computer focused news outlet itself was infected on Mai 2019 with emotet trojan probably via word.doc (src))
today that statement has become reality.
neither ClamAV nor Antivir were able to spot the virus or virus-loader in the word.doc attachment.
The “System” collects mails of hacked systems to send out pretty authentic SPAM Mails with Attachment Word.doc or File.pdf macro virus attachments.
(that’s what one is conviced… why are macros even allowed to be embedded in those formats? ? (M$, ADOBE WHAT WERE YOU THINKING?)
it was (phone call) confirmed that a dental practice has been virus infected which started sending mails with those auto generated spam word.doc via multiple servers.
with all this fancy AI + BigData = auto generating and mass mailing (emotet) very authentic
how emotet works:
Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.
- NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
- Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
- WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
- Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
- Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).
Return-path: <firstname.lastname@example.org> Envelope-to: email@example.com Delivery-date: Fri, 25 Oct 2019 13:00:21 +0200 Received: from mail.maxnetonlinebd.com ([220.127.116.11] helo=smtp.banglalionmail.com) whois: 18.104.22.168 address: Aqua Tower(Level-5),43 Mohakhali C/A,Dhaka-1212 by www314.your-server.de with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim) (envelope-from <firstname.lastname@example.org>) id 1iNxKK-0002kM-UN for email@example.com; Fri, 25 Oct 2019 13:00:21 +0200 Received: from [22.214.171.124] (static.126.96.36.199.ibercom.com [188.8.131.52]) by smtp.banglalionmail.com (Postfix) with ESMTPSA id A3A4F1B40AA6 for <firstname.lastname@example.org>; Fri, 25 Oct 2019 17:00:01 +0600 (BDT) Date: Fri, 25 Oct 2019 13:01:02 +0100 From: =?UTF-8?B?WmFobmtsaW5payBHw7xuemJ1cmcgS0ZP?= <email@example.com> To: <firstname.lastname@example.org> Subject: =?UTF-8?B?RG9rdW1lbnQgcGVyIE1haWwgdm9uIFphaG5rbGluaWsgR8O8bnpidXJnIEtGTw==?= MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_16315_3727703759.23889407221704219670" X-Virus-Scanned: Clear (ClamAV 0.101.4/25613/Fri Oct 25 11:00:25 2019) X-Spam-Score: -1.8 (-) Delivered-To: email@example.com ------=_Part_16315_3727703759.23889407221704219670 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Return-path: <firstname.lastname@example.org> Envelope-to: email@example.com Delivery-date: Thu, 24 Oct 2019 10:32:47 +0200 Received: from lion.totocom.de ([184.108.40.206]) whois 220.127.116.11 address: Schlittermann -- Internet & Unix Support address: D-01099 Dresden by www314.your-server.de with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim) (envelope-from <firstname.lastname@example.org>) id 1iNYY2-0005tE-Iq for email@example.com; Thu, 24 Oct 2019 10:32:47 +0200 Received: from 109.red-81-32-27.dynamicip.rima-tde.net ([18.104.22.168]) by lion.totocom.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim) (envelope-from <firstname.lastname@example.org>) id 1iNYXy-0003Z9-I0 for email@example.com; Thu, 24 Oct 2019 10:32:43 +0200 Date: Thu, 24 Oct 2019 10:32:41 +0100 From: =?UTF-8?B?WmFobmtsaW5payBHw7xuemJ1cmcgQWJyZWNobnVuZw==?= <firstname.lastname@example.org> To: <email@example.com> Subject: unsere Antwort MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_1914_1426462523.13408587673991828238" X-Virus-Scanned: Clear (ClamAV 0.101.4/25611/Wed Oct 23 10:58:37 2019) X-Spam-Score: -0.1 (/) Delivered-To: firstname.lastname@example.org ------=_Part_1914_1426462523.13408587673991828238 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable =0DAnbei erhalten Sie Ihre angeforderte Informationen f=C3=BCr Ihre Unterla= gen. =0DFreue mich von Ihnen zu h=C3=B6ren auf gute Zusammenarbeit. =0DViele Gr=C3=BC=C3=9Fe Ihr Zahnklinik Abrechnung Team =0DTelefon: 0800 XXX (kostenfrei)=0DMail:abrechnung@dr-XXX= de ------=_Part_1914_1426462523.13408587673991828238 Content-Type: application/msword; name="INF 2019_10_ 24_20.doc" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="INF 2019_10_ 24_20.doc" 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAADAAAAEgAAAAAAAAAA EAAAFAAAAAIAAAD+////AAAAABEAAABuAAAA/gAAA
pwd encrypted.zip: VirusInfectedMail
More RansomeWare News:
On Oct. 21, a Johnson City employee showed a ransom note left by the ransomware attackers to city IT Director Lisa Sagona. The message asked city officials to contact an email in exchange for payment instructions. Toward that end, the note claimed that the ransomware had encrypted the city government’s backups to dissuade the municipality from attempting to recover its data by any means other than paying for a decryption key.
California’s San Bernardino City Unified School District (SBCUSD) has discovered that cybercriminals recently used ransomware to lock access to district files. The ransomware attack was launched against SBCUSD’s computer servers, and these servers are currently inaccessible.