MalwareTech Apr 10
It's midnight and I'm currently looking at Emotet again. Seems they've decided to start spewing stolen emails everywhere.
MalwareTech
Last October Emotet began stealing the content of victims' emails. This week it appears Emotet is using the stolen emails to fake replies to existing email chains with malware on a massive scale.
Danny Aga Apr 10
Replying to @MalwareTechBlog
When you say fake replies to existing email chains, do you mean that the org the data was stolen from is still one of the parties on the chain? Are they properly spoofing them if not? Any redacted screenshots/examples to share?
Niquapod Apr 10
I wish I was a graphics person so I could make a picture of Imhotep from The Mummy, but an emo version.
Giulio Montagner Apr 10
Replying to @MalwareTechBlog
Last week I got a reply to an email I sent to a store in Italy 2 years ago, with malware attached (usual Word doc macro). The mail was localized in my language. Could it be related?
MalwareTech Apr 10
Replying to @Giu1io
Could be
Les Ferguson Apr 11
Yeah, see this type of thing a lot. Email comes from a "trusted" party, as a reply to a chain. Sometimes it makes kinda sense and the chain is only a couple of days old. Other times it is over a year old and about some random off-topic conversation.
MalwareTech Apr 11
Replying to @MalwareTechBlog
Example: If person1@domain1.com sent an email to person2@domain2.com, then Person2 was infected by Emotet, Person1 might receive the following reply email.
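A heuristic triage check for the reply-chain pattern described in the thread (a "reply" from a known correspondent that revives an old thread and carries an Office document), as an added example; this is not code from the thread or from any of its participants. It assumes a local index of the Message-IDs our own users sent and when they sent them (SENT_INDEX, constructed here) and an arbitrary 90-day staleness threshold; the inbound messages it scores are constructed samples built with the standard-library email package.

```python
"""Heuristic triage for replies that hijack an existing email thread.

Added example, not code from the thread above. Assumptions: SENT_INDEX
stands in for a local archive mapping Message-IDs of mail our users sent
to the time they were sent, and STALE_THREAD is an arbitrary threshold.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import format_datetime
from datetime import datetime, timedelta, timezone

OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")
STALE_THREAD = timedelta(days=90)   # assumed threshold, tune per environment

# Constructed index: Message-ID of mail person1 sent -> when it was sent.
SENT_INDEX = {
    "<orig-2017@domain1.com>": datetime(2017, 3, 1, tzinfo=timezone.utc),
    "<orig-recent@domain1.com>": datetime(2019, 4, 9, tzinfo=timezone.utc),
}


def office_attachments(msg):
    """Filenames of attachments whose extension looks like an Office document."""
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(OFFICE_EXTS)
    ]


def assess(raw, sent_index=SENT_INDEX, now=None):
    """Return a list of reasons to hold the message; an empty list means no finding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    now = now or datetime.now(timezone.utc)
    reasons = []

    # Collect every Message-ID the mail claims to be replying to.
    refs = set((msg["References"] or "").split())
    if msg["In-Reply-To"]:
        refs.add(msg["In-Reply-To"].strip())
    subject = (msg["Subject"] or "").strip().lower()
    is_reply = bool(refs) or subject.startswith("re:")

    # Finding 1: a reply that arrives with an Office document attached.
    docs = office_attachments(msg)
    if is_reply and docs:
        reasons.append("reply carries Office attachment(s): " + ", ".join(docs))

    # Finding 2: a reply that revives a thread we last touched long ago.
    for mid in sorted(refs & set(sent_index)):
        age = now - sent_index[mid]
        if age > STALE_THREAD:
            reasons.append("revives thread %s last active %d days ago" % (mid, age.days))
    return reasons


def build_sample(in_reply_to, attachment_name, sent_at):
    """Constructed inbound 'reply' from person2 to person1 (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "person2@domain2.com"
    m["To"] = "person1@domain1.com"
    m["Subject"] = "Re: order confirmation"
    m["Date"] = format_datetime(sent_at)
    m["In-Reply-To"] = in_reply_to
    m["References"] = in_reply_to
    m.set_content("Please see the attached document.")
    if attachment_name:
        # Placeholder bytes; a real sample would be an OLE or OOXML file.
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_bytes()


DEMO_NOW = datetime(2019, 4, 11, tzinfo=timezone.utc)   # constructed "now"


def demo(now=DEMO_NOW):
    """Score three constructed inbound messages; returns case name -> reasons."""
    cases = {
        "old_thread_with_doc": ("<orig-2017@domain1.com>", "invoice.doc"),
        "recent_thread_no_doc": ("<orig-recent@domain1.com>", None),
        "recent_thread_with_doc": ("<orig-recent@domain1.com>", "invoice.doc"),
    }
    return {name: assess(build_sample(mid, doc, now), now=now)
            for name, (mid, doc) in cases.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons or "no finding")
```

Neither finding is proof of Emotet on its own; a genuine correspondent can send a document in a reply to an old thread. The point is that the two signals together describe exactly the pattern in the thread, so they make a cheap gate for routing such mail to sandbox detonation or attachment stripping rather than to the inbox.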
Thomas Apr 11
Replying to @MalwareTechBlog
Honestly, I wouldn't be surprised if Emotet started autodeleting emails containing the words "infected" or "Emoted" to avoid the person from learning their computer is, indeed, infected
Thomas Apr 11
Replying to @MalwareTechBlog
Emotet*
G4laad Apr 11
Replying to @MalwareTechBlog
Hey, do you have hashes or IOCs so I could find Emotet on a system? Thank you!
Mohamed Akram Apr 11
Replying to @MalwareTechBlog
It seems browsers/clients can detect this kind of link easily. Maybe they should warn/prevent clicks to it.
ExecuteMalware Apr 11
Replying to @MalwareTechBlog
The threat actors don't seem to be doing as convincing of a job with their "fake email threads" as the threat actors. Not yet, anyway.
MalwareTech Apr 11
Replying to @MalwareTechBlog
If you want to read more about the email stealer:
Van Tiveman Esq. DCFC Apr 11
Replying to @MalwareTechBlog
email ?
Matthew Mesa Apr 11
Those two groups seem to share a bit. Similar macros, similar tactics, and similar 3rd party payloads. We also saw the "Ursnif" style reply campaigns used to distribute Emotet about a year ago
ExecuteMalware Apr 11
At one point last fall, was using an identical macro as . Even though was only downloading from a single URL they still left in the "split('@')" command.
Kaustubh Welankar Apr 11
Replying to @MalwareTechBlog
Does that happen even for web-based email, or just native clients?
\_(ʘ_ʘ)_/ Apr 11
And not only the macro, also the templates, and they change their methods at similar times... "AutoClose" template. Check the article from
mov eax, Apr 12
Does the threat actor have their entire process automated like the recent campaigns? Or are they more manual, and thus more successful? I have noticed in several campaigns that the payload is customized to the victim and/or email thread.