{"id":10866,"date":"2019-08-23T16:10:42","date_gmt":"2019-08-23T14:10:42","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=10866"},"modified":"2020-11-16T00:17:35","modified_gmt":"2020-11-15T23:17:35","slug":"cert-bund-warns-emotet-is-back-cc-server-online-again","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/08\/23\/cert-bund-warns-emotet-is-back-cc-server-online-again\/","title":{"rendered":"CERT-Bund warns: Emotet is back, C&amp;C servers online again"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/08\/23\/cert-bund-emotet-ist-zurck-cc-server-wieder-aktiv\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] The cyber criminals behind the Emotet ransomware have reactivated their C&amp;C servers, and new campaigns with successful infections will probably follow soon.<\/p>\n<h2>German CERT-Bund warns against Emotet<\/h2>\n<p>During the last weeks of this summer it was quiet regarding Emotet Trojan\/ransomware infections. The last news I remember was the Emotet infection at the German publisher heise in May 2019 and a warning from the German BSI in April this year. In early June 2019 the Emotet C&amp;C servers went offline. Maybe the cyber criminals just went on 'summer vacation'. But that's over now.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"de\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Emotet?src=hash&amp;ref_src=twsrc%5Etfw\">#Emotet<\/a> is back! 
For several hours now, the Emotet C&amp;C infrastructure that was shut down in early June has been online again and is delivering modules to still-infected clients. Anyone who has not yet blocked access from their network to the most recently known C&amp;C servers, &#8230;<\/p>\n<p>\u2014 CERT-Bund (@certbund) <a href=\"https:\/\/twitter.com\/certbund\/status\/1164803474497761286?ref_src=twsrc%5Etfw\">August 23, 2019<\/a><\/p><\/blockquote>\n<p>In the tweet above, the German CERT-Bund warns about the Emotet Trojan. They say the Emotet infrastructure that went offline in June 2019 is back online: the command and control servers (C&amp;C servers) are reachable again and have started delivering malware modules to clients that are still infected.<\/p>\n<p>For admins in companies, this means blocking access to the relevant C&amp;C servers. A list of the IP addresses to be blocked can be found on <a href=\"https:\/\/paste.cryptolaemus.com\/emotet\/2019\/06\/21\/emotet-malware-IoCs_06-21-19.html\" target=\"_blank\" rel=\"noopener noreferrer\">this website<\/a>. 
<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"und\" dir=\"ltr\"><a href=\"https:\/\/t.co\/THZewKmxN7\">https:\/\/t.co\/THZewKmxN7<\/a><\/p>\n<p>\u2014 Jake (@JCyberSec_) <a href=\"https:\/\/twitter.com\/JCyberSec_\/status\/1164902867217604609?ref_src=twsrc%5Etfw\">August 23, 2019<\/a><\/p><\/blockquote>\n<p>Addendum: The tweet above and <a href=\"https:\/\/web.archive.org\/web\/20200514053709\/https:\/\/cybernationalsecurity.com\/emotet-botnet-is-back-across-the-world\/\" target=\"_blank\" rel=\"noopener noreferrer\">this blog post<\/a> also report this.<\/p>\n<h2>What is Emotet?<\/h2>\n<p>The Emotet Trojan is nothing new; Symantec published <a href=\"https:\/\/www.symantec.com\/blogs\/threat-intelligence\/evolution-emotet-trojan-distributor\" target=\"_blank\" rel=\"noopener noreferrer\">an article about this malware<\/a> in summer 2018. The group behind the Trojan has been active since at least 2014 and had until then focused on bank customers. Some time ago, however, the strategy changed: the group now attacks infrastructure and companies in Europe and infects them with ransomware.<\/p>\n<p>The Lower Saxony State Criminal Police Office (LKA) in Germany has warned several times during the last months that the malware \"Emotet\" is spreading massively via e-mail attachments. The Emotet Trojan reads the address books and evaluates the victims' e-mail communication. In this way, the malware can send itself to the e-mail addresses of further potential victims. These victims then receive an e-mail from a supposedly known sender.<\/p>\n<p>The text of the mail varies, but it tries to trick the recipient into opening the attachment. The attachment is mostly a Word .doc file with macro code. 
If macro execution is blocked, the malware tries to convince the victim to open the attachment and enable macros.<\/p>\n<p>The most critical part is the Emotet component that enables vertical movement in enterprise networks. This represents a special challenge for companies. Network propagation also means that victims can be infected without ever clicking on a malicious link or downloading a malicious attachment.<\/p>\n<p>Once on a computer, Emotet downloads and executes a spreader module. The module contains a password list that it uses to attempt to gain access to other computers on the same network, writes Symantec. Microsoft has published (deleted) about this malware here, with Windows Defender detecting some variants.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] The cyber criminals behind the Emotet ransomware have reactivated their C&amp;C servers, and new campaigns with successful infections will probably follow soon.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[243,69,194],"class_list":["post-10866","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-ransomware","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/10866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=10866"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/10866\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=10866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=10866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=10866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}