On 2020-02-18 at 10:03 +0100, Benoit Panizzon via mailop wrote:
> Hi List
>
> Lately, our customers are getting an increased amount of phishing
> emails, or emails containing malware with legit looking From: headers
> from either banks, or even from our own customer support.
Hello Benoît

I'm sure those are Emotet. Which means that, although the emails with the attached malware (or linking to it) are using a spoofed From header, the spoofed user is actually infected. I have seen postmasters get tricked by this, thinking those are "just spoofed mails", so let me briefly recap for the list the workings of Emotet:

Bob (b...@example.com) gets infected with Emotet (e.g. he ran the wrong attachment). The malware steals email addresses and also existing mails from the Inbox, sending them to the C&C. Expect to see second-stage mechanisms such as TrickBot installed on the compromised machine for further mischief (which could then later lead to a Ryuk infection, or otherwise being sold to someone else).

Then, the contacts of Bob will start receiving spoofed emails with malware, such as:

> Return-path: johndoe123...@compromised.edu.ko
> From: Bob <johndoe123...@compromised.edu.ko>

Initially they included the original email in the From field, such as

From: "Bob <b...@example.com>" <johndoe123...@compromised.edu.ko>

but seemingly that was too easy to spot for mail filters, so the Emotet authors have now dropped that bit.

The stolen emails may be used to lure those contacts even more. They receive an email with a From: saying "Bob", but also in reply to one of their mails (Re: <subject>, plus including their message below), with a few lines added leading to the malicious file. They also have campaigns sent as completely new mails. They have used some very good hooks suited to the season (Christmas parties, tax returns, Greta Thunberg demonstrations, the coronavirus...).

The infection method they use is generally the typical Office document begging you to disable protected mode so that it can execute their malicious macro and run some evil PowerShell. Those are delivered in two ways: as direct attachments and as a URL link that directly triggers a download of the document from a compromised web page (such as vulnerable WordPress sites).
The IOCs of the samples are very dynamic, see https://paste.cryptolaemus.com/

Kind regards

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
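The two From header shapes described in the reply above (an address embedded in the display name, and later just a known correspondent's name in front of a foreign address) can be checked mechanically at the gateway. The following is an added illustration, not code from the post or from any mail filter it mentions. The KNOWN_CONTACTS address book, the sample messages and the placeholder domain compromised.example are all constructed for the example; a real deployment would populate the address book from the site's own correspondence history.

```python
"""Flag Emotet-style From spoofing in raw RFC 5322 headers.

Two patterns from the mailop thread:
  1. Older Emotet: From: "Bob <bob@example.com>" <johndoe@compromised.example>
     -> a full email address hidden inside the display name.
  2. Newer Emotet: From: Bob <johndoe@compromised.example>
     -> the display name of someone we know, but an address we have never
        seen that person use.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set

# Hypothetical address book for the example: lower-cased display name ->
# set of addresses this person has legitimately used with us.
KNOWN_CONTACTS: Dict[str, Set[str]] = {
    "bob": {"bob@example.com"},
}

# Loose match for "something@host.tld" anywhere in a display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def check_from_header(raw_message: str,
                      known_contacts: Dict[str, Set[str]] = KNOWN_CONTACTS) -> List[str]:
    """Return a list of human-readable findings; empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    # parseaddr handles the quoted display name, so the inner <...> of pattern 1
    # stays inside `name` and the real envelope-facing address lands in `addr`.
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings: List[str] = []

    # Pattern 1: an address embedded in the display name.
    if ADDR_IN_NAME.search(name):
        findings.append("address embedded in display name")

    # Pattern 2: strip any embedded address to recover the plain name, then
    # compare the actual sender address against what we know for that name.
    plain_name = ADDR_IN_NAME.sub("", name.lower()).strip(" <>\"'")
    known = known_contacts.get(plain_name)
    if known and addr not in known:
        findings.append(
            f"display name '{plain_name}' is known as {sorted(known)} "
            f"but message is from {addr}"
        )
    return findings


# Constructed sample messages (not real captures); compromised.example is a placeholder.
SAMPLES = {
    "legit": (
        "From: Bob <bob@example.com>\n"
        "Subject: lunch\n\nhi\n"
    ),
    "old_emotet": (
        'From: "Bob <bob@example.com>" <johndoe123@compromised.example>\n'
        "Return-Path: <johndoe123@compromised.example>\n"
        "Subject: Re: lunch\n\nPlease see the attached document.\n"
    ),
    "new_emotet": (
        "From: Bob <johndoe123@compromised.example>\n"
        "Return-Path: <johndoe123@compromised.example>\n"
        "Subject: Re: lunch\n\nPlease see the attached document.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_from_header(raw) or ["clean"])
```

The second heuristic only works for names the site has actually seen before, so it belongs on inbound mail to your own users (where the address book can be built from their past correspondence) rather than as a generic spam rule; a shared first name alone will produce false positives if the book is keyed too coarsely.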