[clamav-users] Anyone have a good script for encrypted zip Emotet files?

eric-list at truenet.com
Wed Sep 23 13:13:54 UTC 2020


Ged,

> Hi Eric,
>
> > On Tue, 22 Sep 2020, Eric Tykwinski wrote:
> >
> >> I started writing my own, but of course I'm not catching them all.
> >
> > If you could let me have some samples (complete messages) I could take 
> > a look to see what I can do with my milter.  If you agree I'd let you 
> > have a private mail address to which you'd send an encrypted archive, 
> > and we'd exchange the password by some other means.
>
> I see from the logs that you replied privately to my list address.
> That won't normally work I'm afraid.  My list address only accepts list
> mail, but I've whitelisted you now (from _your_ list address to _my_ list
> address) so if you try again you might have more luck.  But no promises,
> there are other defences you might still trip over. :)

> Are these Emotet mails all coming from Microsoft servers?  According to
> our logs, for quite some time we've been rejecting steadily increasing
> amounts of cr@p from AS8075 but recently it's been staggering.  Mostly
> just a few different original mail pieces sent from all over the place.
> At a guess, thousands of script kiddies are exploiting Windows domains
> which have not yet been patched for the ZeroLogon vulnerability.  Some of
> them don't seem to speak English terribly well.  That may be a clue to
> stopping the bulk of them - look at subject lines.

Actually no, the first I saw was from a compromised account on our server
that hit our thresholds to alert us, and they seemed to be mainly generated
from compromised sites, PHPMailer in the headers and a lot of VPS providers.
The incoming messages seemed to be other compromised accounts and were
replies to older emails that I'm assuming the customer got hit before, which
makes me think Emotet. I wish the server had better logs, but this one is a
SmarterMail Windows server sending to ClamAV over the network, so it's
manually parsing logs in python/perl to track things down.

> It would be interesting to know when the NSA first knew about this one.

Good luck on that...
I'll try and send a few samples again to you.


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
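
The subject line asks for a script for the password-protected zip attachments these campaigns use. Below is an added example (not from this thread, not part of ClamAV or any milter mentioned here) of the check a mail filter would run: it walks a message's attachments and reports zip members whose general-purpose flag bit 0 is set, which marks the member as encrypted; no password is needed because the flag sits in the central directory. The sample message, addresses and filenames are constructed; since Python cannot write encrypted zips, the constructed fixture patches the flag bit by hand.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x1  # bit 0 of the general-purpose flag: member is encrypted


def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of encrypted members in a zip; reads only the central directory,
    so it works without the password (unreadable archives yield nothing)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> list:
    """Return (attachment name, member name) for each encrypted zip member
    attached to a raw RFC 5322 message; this is the hit a filter would act on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not data.startswith(ZIP_MAGIC):  # match on magic, not on filename
            continue
        name = part.get_filename() or "<unnamed>"
        hits.extend((name, member) for member in encrypted_entries(data))
    return hits


def constructed_sample(encrypted: bool) -> bytes:
    """Constructed test message with a one-member zip attachment. For the
    encrypted case the flag bit is set by hand in the local file header
    (offset 6) and the central directory header (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= ENCRYPTED_FLAG
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"       # constructed address
    msg["To"] = "user@example.invalid"           # constructed address
    msg["Subject"] = "Re: RE: invoice"
    msg.set_content("See attached.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(constructed_sample(encrypted=True)))  # [('invoice.zip', 'invoice.doc')]
```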
