
Increased Number of Emotet Command and Control IP Addresses Identified

Today’s security alert

Upon receiving the FBI’s latest alert, I thought I’d pass it along.
Increased Number of Emotet Command and Control IP Addresses Identified

Summary

In early June 2019, Emotet, an advanced modular banking Trojan, attempted to communicate with 214 command and control (C2) IP addresses for initial instructions, indicating cyber actors recently made modifications or updates to Emotet malware or infrastructure. Immediately following, the Emotet malware ceased communication with the previously known C2 IP addresses. The FBI is providing the following attached internet protocol (IP) addresses to assist receiving organizations’ computer network defense. System administrators should immediately block these IP addresses to prevent Emotet from exploiting their systems.

Technical Details

The Emotet banking Trojan primarily functions as a downloader or “dropper” of other banking Trojans and is distributed via phishing campaigns. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled document included in the malspam, originating from the Emotet spam module. Malspam is a method for delivering emails in bulk which contain infected documents or links that redirect users to websites which contain exploit kits. Once downloaded, Emotet establishes persistence, attempts to propagate within the local network through incorporated spreader modules that leverage Server Message Block (SMB), and steals web browser credentials and Outlook contacts. Then, Emotet downloads a secondary payload, usually another banking Trojan or ransomware.

We host over a dozen of our own domains and several client websites / email servers. Keeping them spam-free and secure is almost a full-time job. If we host your website or email you can be sure we are doing everything we can to make sure you don’t get email SPAM or contact form SPAM. It’s like playing Whack-a-Mole sometimes, but we take a broad-stroke approach by blocking vast areas of certain countries and using a surgical-precision approach to US-based attacks.

Here is the list of IP addresses we’ve blocked on our servers as of today:

Emotet post-infection traffic:

• 24.40.239.62 port 80 – 24.40.239.62 – GET /whoami.php
• 24.40.239.62 port 80 – 24.40.239.62 – POST /
• 46.105.131.69 port 8080 – 46.105.131.69:8080 – GET /
• 47.201.208.154 port 443 – 47.201.208.154:443 – GET /
• 70.183.113.54 port 8443 – 70.183.113.54:8443 – GET /
• 71.8.1.188 port 80 – 71.8.1.188 – GET /
• 71.71.3.84 port 80 – 71.71.3.84 – GET /
• 71.165.252.144 port 990 – 71.165.252.144:990 – GET /
• 71.177.184.128 port 990 – 71.177.184.128:990 – GET /
• 71.244.60.231 port 4143 – 71.244.60.231:4143 – GET /
• 73.27.38.128 port 80 – 73.27.38.128 – GET /
• 73.178.169.180 port 80 – 73.178.169.180 – GET /
• 79.78.160.225 port 80 – 79.78.160.225 – GET /
• 96.95.159.237 port 80 – 96.95.159.237 – GET /
• 96.95.159.237 port 8080 – 96.95.159.237:8080 – GET /
• 108.170.54.171 port 8080 – 108.170.54.171:8080 – GET /
• 118.244.214.210 port 443 – 118.244.214.210:443 – GET /
• 129.89.95.110 port 80 – 129.89.95.110 – GET /
• 129.89.95.241 port 80 – 129.89.95.241 – GET /
• 149.62.173.247 port 8080 – 149.62.173.247:8080 – GET /
• 186.85.246.153 port 8080 – 186.85.246.153:8080 – GET /
• 190.147.41.94 port 443 – 190.147.41.94:443 – GET /
• 199.120.92.245 port 80 – 199.120.92.245 – GET /
• 216.21.168.27 port 443 – 216.21.168.27:443 – GET /

Attempted TCP connections from Emotet infection, but no response from the server:

• 12.238.114.130 port 80
• 27.50.89.209 port 8080
• 46.105.131.87 port 80
• 47.150.11.161 port 7080
• 50.92.101.60 port 465
• 71.214.17.130 port 443
• 73.183.145.218 port 8443
• 78.47.182.42 port 8080
• 80.11.163.139 port 8080
• 108.246.196.73 port 80
• 118.190.60.27 port 20
• 146.185.170.222 port 8080
• 157.7.164.23 port 8080
• 192.42.116.41 port 443
• 194.88.246.242 port 443
• 194.150.118.8 port 443
• 199.119.78.9 port 443
• 199.119.78.38 port 443
• 222.214.218.192 port 4143

Zeus Panda Banker traffic:

• 185.216.35.22 port 443 – thevisitorsfilm.top – SSL/TLS traffic
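As an added example (not part of the FBI alert and not this site's own tooling): the indicator lines above follow a regular pattern, so a short Python script can parse them, deduplicate the addresses into a single nftables egress block set, and check outbound-connection log lines for contacts with a listed address. The indicator subset and log lines embedded in the script are constructed for the demonstration; the nftables table and chain names (`inet filter`, `output`) and the `dst=ip:port` log format are assumptions, not anything the alert specifies.

```python
"""Turn Emotet C2 indicator lines (in the format used on this page) into
(a) an nftables egress block set and (b) a scan over outbound-connection logs.
Added example; the indicator subset and log lines below are constructed."""
import ipaddress
import re
from typing import NamedTuple

# Constructed subset of the indicator lines on this page, kept in the page's
# own format: "• <ip> port <port>[ – <host[:port]> – <request or protocol>]".
INDICATOR_LINES = """
• 24.40.239.62 port 80 – 24.40.239.62 – GET /whoami.php
• 46.105.131.69 port 8080 – 46.105.131.69:8080 – GET /
• 71.165.252.144 port 990 – 71.165.252.144:990 – GET /
• 12.238.114.130 port 80
• 222.214.218.192 port 4143
• 185.216.35.22 port 443 – thevisitorsfilm.top – SSL/TLS traffic
"""


class Indicator(NamedTuple):
    ip: str
    port: int
    detail: str  # HTTP request line or protocol note; "" for bare "ip port N" entries


_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?P<port>\d+)"
    r"(?:\s+–\s+\S+\s+–\s+(?P<detail>.*\S))?\s*$"
)


def parse_indicators(text):
    """Parse every well-formed indicator line; headings and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ipaddress.ip_address(m["ip"])  # reject a malformed address before it becomes a rule
        found.append(Indicator(m["ip"], int(m["port"]), m["detail"] or ""))
    return found


def nft_block_rules(indicators, table="inet filter", chain="output", set_name="emotet_c2"):
    """nftables lines for `nft -f`: one named set, one element add, one log+drop rule.

    The list is of C2 destinations, so the rule sits on egress (ip daddr). Blocking
    is by IP only, because the same host appears on several ports in the list.
    Assumes `table inet filter` and its `output` chain already exist (hypothetical names).
    """
    ips = sorted({ind.ip for ind in indicators}, key=ipaddress.ip_address)
    return [
        f"add set {table} {set_name} {{ type ipv4_addr; }}",
        f"add element {table} {set_name} {{ {', '.join(ips)} }}",
        f'add rule {table} {chain} ip daddr @{set_name} log prefix "{set_name} " drop',
    ]


# Constructed connection-log format: "... dst=<ip>:<port> ...", as a simple
# egress firewall or proxy might write it (not any real product's format).
_LOG_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b")


def scan_connection_log(log_lines, indicators):
    """Return (line, ip, exact_port) for each connection to a listed destination.

    exact_port is True when the port matched the list as well. An IP hit on another
    port is still reported: the address, not the port, is the indicator to triage.
    """
    ports_by_ip = {}
    for ind in indicators:
        ports_by_ip.setdefault(ind.ip, set()).add(ind.port)
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # line carries no destination; nothing to match
        ip, port = m["ip"], int(m["port"])
        if ip in ports_by_ip:
            hits.append((line, ip, port in ports_by_ip[ip]))
    return hits


SAMPLE_LOG = [  # constructed log lines
    "2019-06-11T10:02:13Z src=10.0.0.23:51344 dst=46.105.131.69:8080 proto=tcp",
    "2019-06-11T10:02:20Z src=10.0.0.23:51350 dst=24.40.239.62:443 proto=tcp",
    "2019-06-11T10:02:21Z src=10.0.0.41:40022 dst=8.8.8.8:53 proto=udp",
    "2019-06-11T10:02:22Z kernel: eth0 link up",
]

if __name__ == "__main__":
    indicators = parse_indicators(INDICATOR_LINES)
    print("\n".join(nft_block_rules(indicators)))
    for line, ip, exact in scan_connection_log(SAMPLE_LOG, indicators):
        print(f"{'HIT    ' if exact else 'IP-ONLY'} {ip}: {line}")
```

Feed the full list from this page into `parse_indicators` to get the complete set; the scan reports a connection to 24.40.239.62 on port 443 as an IP-only hit, which still merits a look even though the list only records that host on port 80.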


Here is a full reproduction of the FBI alert on this topic.

Author: Wizard

Short Bio: The Computer Wizard (TCW). TCW was founded by Warren P. Harris in 1994 to service and repair computers in the San Francisco Bay Area. Relocating the business to Plano, Texas in 1999, TCW continued to flourish when an unfortunate loss of data for a wedding Mr. Harris photographed caused him to research data recovery options. Realizing he would have to either pay someone to recover the photos or find out how to do it himself, the rest, as they say, "is history". Approached by a friend who was a Private Investigator in 2006, Mr. Harris studied for his Investigator's license and began honing his skills in Computer Forensics. The company was renamed DFW Computer Integration in 2015.
