Emotet SMiShing Uses Fake Bank Domains in Targeted Attacks, Payloads Hint at TrickBot Connection

Before a short lull in mid-February, Emotet was in the midst of a rise in activity that has been apparent since late 2019 — in terms of both spam and infecting potential victims via SMiShing attacks.


In cases observed by IBM X-Force researchers, SMS messages that appear to come from local U.S. numbers are delivered to mobile phones, impersonating well-known banks and alerting users that their account has been locked.


Figure 1: SMiShing spam leading to Emotet infection zone (Source: IBM X-Force)


Those who tap to access the link from the message are redirected from the first hop to a second domain: shabon[.]co. This is a known domain that distributes Emotet as of February 2020.


Visually, the potential victim sees a customized phishing page that mimics the bank’s mobile banking page with a domain that was registered on the same day by those distributing Emotet. The domain features the bank’s name with a different top-level domain (TLD) and is likely designed to grab the victim’s credentials as a first step and then have them download a document file loaded with malicious macros. Our researchers found the file on the distributing domain and looked into some obfuscated malicious PowerShell scripts that led us to additional Emotet-serving domains.
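As an added example (not code from the X-Force report), the following triage routine applies the lookalike pattern described above, a bank's brand name reused under a different TLD, to links extracted from SMS text. The bank domains and the sample message are constructed placeholders, not the institutions or domains from the report.

```python
import re
from urllib.parse import urlparse

# Constructed list of legitimate bank domains a defender would maintain.
# These are placeholders, not the banks named in the X-Force research.
LEGIT_BANK_DOMAINS = {
    "examplebank.com",
    "samplecredit.com",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def registrable_parts(hostname):
    """Split 'login.examplebank.co' into ('examplebank', 'co').
    Simplified: the last label is treated as the TLD (no public-suffix list),
    so multi-part suffixes such as .co.uk are not handled."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]

def lookalike_brand(hostname):
    """Return the legitimate domain this host imitates by reusing a bank's
    second-level label under a different TLD, or None if it matches none."""
    parts = registrable_parts(hostname)
    if parts is None:
        return None
    sld, tld = parts
    for legit in LEGIT_BANK_DOMAINS:
        legit_sld, legit_tld = registrable_parts(legit)
        if sld == legit_sld and tld != legit_tld:
            return legit
    return None

def triage_sms(text):
    """Extract URLs from an SMS body and flag bank-brand lookalike domains.
    Returns a list of (url, imitated_domain) tuples for flagged links."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")          # drop trailing sentence punctuation
        host = urlparse(url).hostname
        if not host:
            continue
        legit = lookalike_brand(host)
        if legit:
            findings.append((url, legit))
    return findings

# Constructed sample SMS modelled on the locked-account lure described above.
SAMPLE_SMS = ("EXAMPLEBANK ALERT: your account has been locked. "
              "Verify at https://examplebank.co/secure/login")
```

A production version would replace the naive TLD split with a public-suffix list and add a domain-age check, since the report notes the lure domain was registered the same day.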

Figure 2: Deobfuscated malicious PowerShell script reveals four additional Emotet-serving URLs (Source: IBM X-Force)


A Possible Connection to TrickBot?


Having located two additional URLs that serve Emotet infections, X-Force researchers examined two bina ..
