{"id":1465,"date":"2020-09-23T10:04:02","date_gmt":"2020-09-23T08:04:02","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1465"},"modified":"2026-06-08T23:17:14","modified_gmt":"2026-06-08T23:17:14","slug":"emotet-trojan-23-september-2020","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/emotet-trojan-23-september-2020\/","title":{"rendered":"Emotet Trojan \u2014 23 September 2020"},"content":{"rendered":"\n<p>Emotet malware campaign identified on 23 September 2020. Three distinct compromise vectors were identified across targeted endpoints:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>E-mail with malicious Word document attachment<\/li><li>E-mail with password-protected ZIP archive containing malicious Word document<\/li><li>E-mail with URL directing to malicious Word document download<\/li><\/ol>\n\n\n\n<p style=\"text-align: justify\">All Word documents contained malicious macros engineered to download and execute the Emotet trojan payload.<\/p>\n<p>Technical details follow:<\/p>\n\n\n\n<figure class=\"wp-block-gallery columns-3 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\"><ul class=\"blocks-gallery-grid\"><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/3.png\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/3.png\" alt=\"\" data-id=\"1467\" data-full-url=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/3.png\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1467\" class=\"wp-image-1467\" loading=\"lazy\" \/><\/a><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/2-1.png\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/2-1-1024x464.png\" alt=\"\" data-id=\"1468\" data-full-url=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/2-1.png\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1468\" class=\"wp-image-1468\" loading=\"lazy\" \/><\/a><\/figure><\/li><li class=\"blocks-gallery-item\"><figure><a href=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/1.png\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/1-1024x334.png\" alt=\"\" data-id=\"1469\" data-full-url=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/09\/1.png\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1469\" class=\"wp-image-1469\" loading=\"lazy\" \/><\/a><\/figure><\/li><\/ul><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Partial Indicators of Compromise:<\/h3>\n\n\n\n<p>The following command-and-control (C2) infrastructure was observed facilitating post-exploitation communication (T1071 \u2014 Application Layer Protocol) and data exfiltration (TA0010). Correlation with <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> feeds confirms active operational use across multiple geographic regions:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"\"><tbody><tr><td>C2:\n  76.168.54.203:80<\/td><td>C2:\n  174.113.69.136:80<\/td><td>C2:\n  98.13.75.196:80<\/td><\/tr><tr><td>C2:\n  51.38.124.206:80<\/td><td>C2:\n  178.250.54.208:8080<\/td><td>C2: 185.178.10.77:80<\/td><\/tr><tr><td>C2:\n  38.88.126.202:8080<\/td><td>C2: 190.2.31.172:80<\/td><td>C2:\n  181.129.96.162:8080<\/td><\/tr><tr><td>C2:\n  54.37.42.48:8080<\/td><td>C2: 45.16.226.117:443<\/td><td>C2: 67.247.242.247:80<\/td><\/tr><tr><td>C2:\n  5.196.35.138:7080<\/td><td>C2: 50.121.220.50:80<\/td><td>C2: 170.81.48.2:80<\/td><\/tr><tr><td>C2:\n  177.129.17.170:443<\/td><td>C2:\n  217.13.106.14:8080<\/td><td>C2: 199.203.62.165:80<\/td><\/tr><tr><td>C2:\n  87.106.46.107:8080<\/td><td>C2:\n  217.199.160.224:7080<\/td><td>C2:\n  204.225.249.100:7080<\/td><\/tr><tr><td>C2:\n  68.183.190.199:8080<\/td><td>C2: 80.11.164.185:80<\/td><td>C2:\n  77.106.157.34:8080<\/td><\/tr><tr><td>C2:\n  185.183.16.47:80<\/td><td>C2:\n  172.104.169.32:8080<\/td><td>C2:\n  68.183.170.114:8080<\/td><\/tr><tr><td>C2:\n  186.103.141.250:443<\/td><td>C2:\n  77.90.136.129:8080<\/td><td>C2: 45.46.37.97:80<\/td><\/tr><tr><td>C2:\n  64.201.88.132:80<\/td><td>C2: 123.51.47.18:80<\/td><td>C2:\n  70.32.115.157:8080<\/td><\/tr><tr><td>C2:\n  70.32.84.74:8080<\/td><td>C2: 82.230.1.24:80<\/td><td>C2: 190.163.31.26:80<\/td><\/tr><tr><td>C2:\n  68.69.155.181:80<\/td><td>C2: 74.58.215.226:80<\/td><td>C2:\n  94.176.234.118:443<\/td><\/tr><tr><td>C2:\n  82.76.111.249:443<\/td><td>C2: 185.94.252.27:443<\/td><td>C2: 95.9.180.128:80<\/td><\/tr><tr><td>C2:\n  111.67.12.221:8080<\/td><td>C2: 181.30.61.163:443<\/td><td>C2:\n  104.131.103.37:8080<\/td><\/tr><tr><td>C2:\n  60.93.23.51:80<\/td><td>C2:\n  111.67.77.202:8080<\/td><td>C2: 35.143.99.174:80<\/td><\/tr><tr><td>C2:\n  104.131.41.185:8080<\/td><td>C2: 96.227.52.8:443<\/td><td>C2: 91.105.94.200:80<\/td><\/tr><tr><td>C2:\n  92.24.50.153:80<\/td><td>C2: 2.36.95.106:80<\/td><td>C2:\n  190.6.193.152:8080<\/td><\/tr><tr><td>C2:\n  191.182.6.118:80<\/td><td>C2: 78.249.119.122:80<\/td><td>C2: 155.186.0.121:80<\/td><\/tr><tr><td>C2:\n  61.197.92.216:80<\/td><td>C2:\n  209.236.123.42:8080<\/td><td>C2: 219.92.13.25:80<\/td><\/tr><tr><td>C2:\n  213.197.182.158:8080<\/td><td>C2:\n  185.215.227.107:443<\/td><td>C2: 12.162.84.2:8080<\/td><\/tr><tr><td>C2:\n  137.74.106.111:7080<\/td><td>C2: 188.135.15.49:80<\/td><td>C2: 220.109.145.69:80<\/td><\/tr><tr><td>C2:\n  138.97.60.141:7080<\/td><td>C2: 83.169.21.32:7080<\/td><td>C2: 177.74.228.34:80<\/td><\/tr><tr><td>C2:\n  187.162.248.237:80<\/td><td>C2: 96.245.123.149:80<\/td><td>C2: 77.238.212.227:80<\/td><\/tr><tr><td>C2:\n  110.142.219.51:80<\/td><td>C2: 216.47.196.104:80<\/td><td>C2:\n  61.92.159.208:8080<\/td><\/tr><tr><td>C2:\n  51.159.23.217:443<\/td><td>C2: 50.28.51.143:8080<\/td><td>C2:\n  186.70.127.199:8090<\/td><\/tr><tr><td>C2:\n  192.241.143.52:8080<\/td><td>C2:\n  5.189.178.202:8080<\/td><td>C2: 45.33.77.42:8080<\/td><\/tr><tr><td>C2:\n  190.24.243.186:80<\/td><td>C2: 74.136.144.133:80<\/td><td>C2: 152.169.22.67:80<\/td><\/tr><tr><td>C2:\n  51.255.165.160:8080<\/td><td>C2: 72.47.248.48:7080<\/td><td>C2:\n  192.241.146.84:8080<\/td><\/tr><tr><td>C2:\n  212.71.237.140:8080<\/td><td>C2:\n  190.190.148.27:8080<\/td><td>C2: 185.94.252.12:80<\/td><\/tr><tr><td>C2:\n  190.115.18.139:8080<\/td><td>C2: 189.2.177.210:443<\/td><td>C2: 177.73.0.98:443<\/td><\/tr><tr><td>C2:\n  65.36.62.20:80<\/td><td><\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Macro-based delivery mechanisms (T1566.001 \u2014 Phishing: Spearphishing Attachment) remain a persistent attack vector for trojan distribution. Organizations must enforce application whitelisting, disable macro execution by default, and maintain network-level detection signatures for known C2 endpoints to mitigate this threat class.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Emotet malspam wave of 23 September 2020: three distinct delivery patterns, document macro chain, payload deployment and host-level indicators.<\/p>\n","protected":false},"author":1,"featured_media":1466,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3354,125,185,3353,211,3352,362],"class_list":["post-1465","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-banking-trojan-loader","tag-emotet","tag-ioc","tag-macro-documents","tag-malspam","tag-september-2020","tag-trojan"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1465"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1465\/revisions"}],"predecessor-version":[{"id":9926,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1465\/revisions\/9926"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}