Threat Advisory Update: Emotet Botnet Shows Signs of Life & COVID-19 Phishing Campaigns Target Healthcare

April 22, 2020

The Emotet botnet has begun to show signs of life after months of inactivity. The E2 portion has started deploying credential and email stealing modules. It is believed that this could be a preparation step for a new spam campaign. During the downtime, the operators behind Emotet have redesigned it and some of the modules it uses.

New features include improvements to its anti-malware evasion and a hashbusting implementation which makes it more dangerous compared to previous versions. Hashbusting ensures that the malware will have a different hash on each system it infects, rendering hash-based detections useless. Additional features include:

  • Reworked malware code to incorporate the use of a state machine to obfuscate the control flow
  • Branches of code being flattened into nested loops, which enables the code blocks to be in any order and operationally execute in order by the state machine

The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following steps as best practices to defend against Emotet:

  • Block email attachments commonly associated with malware (e.g.,.dll and .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
  • Adhere to the principal of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
  • Segment and segregate networks and functions. 

In addition to CISA’s recommendations, Herjavec Group also advises:

  • Follow best practices to limit opportunities for credential loss or lateral movement
  • Incorporate consistent user security awareness training
  • Establish processes for reporting suspicious emails
  • Isolate suspicious systems until they can be remediated
  • Develop playbooks and orchestration to automate phishing detection, containment, and detonation where possible
COVID-19 Phishing Emails Target Healthcare Providers

The FBI has released a flash report outlining phishing campaigns targeting healthcare providers in March 2020. The emails leveraged COVID-19 themed subject lines and content to distribute malicious attachments, such as Microsoft Word documents, 7-Zip compressed files, Microsoft Visual Basic Script, Java, and Microsoft Executables.

The exact details of the attachments are not known at this time, but it likely that they are used as an initial intrusion vector to gain system access for further exploitation, and/or exfiltration.

Indicators of Compromise (IoCs) for the COVID-19 phishing emails include:

Email SenderEmail SubjectAttachmentHash (scroll left)
srmanager@combytellc.comPURCHASE ORDER PVTDoc35 Covid Business Form.docbabc60d43781c5f7e415e2354cf32a6a24badc96b971a3617714e5dd2d4a14de
srmanager@combytellc.comReturned mail: see transcript for detailsCovid-19_UPDATE_PDF.7zde85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44
srmanager@combytellc.comCOVID-19 UPDATE !!Covid-19_UPDATE_PDF.7zde85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44
admin@pahostage.xyzInformation about COVID-19 in the United Statescovid50_form.vbsd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
help@pahofinity.xyzCoronavirus (COVID-19)covid27_form.vbsd231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
monique@bonnienkim.usBusiness Contingency alert -COVID 19COVID-19 Circular.jareacc253fd7eb477afe56b8e76de0f873259d124ca63a9af1e444bfd575d9aaae Update on COVID-19Todays Update on COVID-19.exe7fd2e950fab147ba39fff59bf4dcac9ad63bbcdfbd9aadc9f3bb6511e313fc9c
erecruit@who.intWorld Health Organization/ Let’s fight Corona Virus togetherCOVID-19 WHO RECOMENDED V.exed150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5

Herjavec Group's Threat Management & Incident Response team is available for further support and consultation. If you need Incident Response support or Security Expertise, please connect with us.

Herjavec Group continues to track COVID-19 related cyberattacks. We have a complete resource center tracking COVID-19 related threats, malware types, as well as a summary of IOCs and domains specific to COVID-19. Review it here.

For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn