
Mummy Spider’s Emotet Malware, Wizard Spider’s TrickBot

Mummy Spider (TA542, Emotet) recently resumed malicious activity after a hiatus of nearly a year, once again distributing Emotet, the notorious loader and information-stealing malware.[1] As part of this return, Emotet was observed being delivered by TrickBot, the malware operated by the Wizard Spider (TrickBot, UNC1878) group.[2]

Emotet and TrickBot are two dangerous malware families that have undergone numerous changes and upgrades over the years: Emotet first appeared in 2014 and TrickBot was first discovered in 2016.[3] International law enforcement took down Emotet’s infrastructure in January 2021, yet the longevity of these families shows the persistence of the threat actors behind them.

To help the community, especially as the online shopping season approaches, Anomali Threat Research has provided two threat actor-focused dashboards for Anomali ThreatStream customers: Mummy Spider and Wizard Spider. The dashboards are pre-configured to give users instant access to, and visibility into, all known Mummy Spider and Wizard Spider Indicators of Compromise (IOCs) available through the commercial and open source threat feeds managed by ThreatStream.

With ThreatStream, Anomali Match, and Anomali Lens, customers can detect any of these IOCs in their environment and quickly access a threat bulletin with machine-readable IOCs. This lets analysts operationalize threat intelligence across their security infrastructure and inform all stakeholders whether or not they are impacted.
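The matching step described above, from a feed of actor-tagged IOCs to hits in local telemetry, is small enough to show end to end. The following is an added example, not Anomali’s code or an Anomali API: it assumes a feed export with `actor,type,value` columns, and the feed rows, log lines, addresses (RFC 5737 documentation ranges), domains and hash are all constructed for illustration. It handles the defanging (`hxxp`, `[.]`) that published indicators usually carry, so that feed values and raw telemetry compare equal.

```python
"""Match an actor-tagged IOC feed against proxy, DNS and EDR log lines.

Added example; not Anomali's code. Feed, logs and hashes are constructed
(RFC 5737 addresses, example.* domains) and are not real indicators.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator

# Constructed feed. Assumed column layout: actor,type,value. Values are
# defanged the way analysts usually publish them.
IOC_FEED = """\
actor,type,value
Mummy Spider,ipv4,203.0.113.45:8080
Mummy Spider,domain,update[.]example[.]net
Wizard Spider,ipv4,198.51.100.7
Wizard Spider,sha256,9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
Wizard Spider,url,hxxp://example[.]org/loader/bin
"""

# Constructed key=value telemetry: two proxy lines, one DNS line, one EDR line.
LOGS = [
    "2021-11-17T10:02:11Z proxy src=10.0.4.21 dst=203.0.113.45 dport=8080 host=- action=allow",
    "2021-11-17T10:02:12Z dns client=10.0.4.21 query=update.example.net rcode=NOERROR",
    "2021-11-17T10:03:40Z proxy src=10.0.4.22 dst=192.0.2.9 dport=443 host=www.example.com action=allow",
    "2021-11-17T10:05:02Z edr host=WS-0421 event=process_create "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 "
    "image=C:\\Users\\a\\AppData\\Roaming\\bin.exe",
    "2021-11-17T10:06:17Z proxy src=10.0.4.23 dst=198.51.100.7 dport=443 "
    "host=example.org url=http://example.org/loader/bin action=block",
]


@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str
    value: str
    actor: str


def refang(value: str) -> str:
    """Normalise a defanged indicator so it compares equal to raw telemetry."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)


def load_feed(text: str) -> dict[str, dict[str, str]]:
    """Index the feed as {ioc_type: {normalised_value: actor}}."""
    index: dict[str, dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        value = refang(row["value"])
        if row["type"] == "ipv4":
            value = value.split(":")[0]  # match on the address; the port is context for the analyst
        index.setdefault(row["type"], {})[value] = row["actor"]
    return index


# Observable extractors run over the lower-cased line, in this order.
_EXTRACTORS = [
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"(?:host|query)=([a-z0-9][a-z0-9.-]*)")),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b")),
    ("url", re.compile(r"https?://[^\s\"']+")),
]


def extract_observables(line: str) -> Iterator[tuple[str, str]]:
    """Yield (ioc_type, value) pairs found in one log line, de-duplicated."""
    low = line.lower()
    seen: set[tuple[str, str]] = set()
    for ioc_type, pattern in _EXTRACTORS:
        for m in pattern.finditer(low):
            value = m.group(1) if pattern.groups else m.group(0)
            if (ioc_type, value) not in seen:
                seen.add((ioc_type, value))
                yield ioc_type, value


def match_logs(feed: dict[str, dict[str, str]], logs: list[str]) -> list[Match]:
    """Return every IOC hit, attributed to the actor the feed tags it with."""
    hits = []
    for n, line in enumerate(logs, start=1):
        for ioc_type, value in extract_observables(line):
            actor = feed.get(ioc_type, {}).get(value)
            if actor:
                hits.append(Match(n, ioc_type, value, actor))
    return hits


def summarize(hits: list[Match]) -> dict[str, int]:
    """Count hits per actor, the figure a per-actor dashboard would surface."""
    return dict(Counter(h.actor for h in hits))


if __name__ == "__main__":
    found = match_logs(load_feed(IOC_FEED), LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.ioc_type}={h.value} -> {h.actor}")
    print(summarize(found))
```

The extractor is field-aware for domains (only `host=` and `query=` values) but pattern-based for addresses, hashes and URLs; in a real pipeline you would parse the log format properly rather than regex the whole line, and you would also keep the feed’s port and confidence fields so a hit on a shared hosting address can be triaged rather than escalated blindly.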

Anomali recently added thematic dashboards responding to significant global events as part of its continuous product improvement that further automates and accelerates essential tasks performed by threat intelligence and security operations analysts. In addition to Mummy Spider and Wizard Spider, ThreatStream customers now have access to several dashboards announced as part of the November quarterly product release.

Customers can integrate Mummy Spider and Wizard Spider dashboards and more in the “+ Add Dashboard” tab of the ThreatStream console.


[1] “#Emotet has nearly doubled its botnet C2 infrastructure in the last 24 hours, from 8 active C2s yesterday to 14 active C2s today…”, abuse.ch, accessed November 22, 2021, posted November 16, 2021, https://twitter.com/abuse_ch/status/1460649241454563341; “Another update to the #Emotet E4 distribution – now we’re looking at a URL-based lure for document download…”, Cryptolaemus, accessed November 22, 2021, posted November 17, 2021, https://twitter.com/Cryptolaemus1/status/1460870766518484993.

[2] Luca Ebach, “Guess who’s back”, cyber.wtf, accessed November 22, 2021, published November 15, 2021, https://cyber.wtf/2021/11/15/guess-whos-back/; “The Emotet is back. Here’s what we know.”, Intel471 Blog, accessed November 22, 2021, posted November 16, 2021, https://intel471.com/blog/emotet-is-back-2021.

[3] Alina Georgiana Petcu, “Years of Emotet Malware: A History of Notorious Cyber Threats”, Heimdal Security Blog, accessed November 22, 2021, published April 29, 2021, https://heimdalsecurity.com/blog/emotet-malware-history/; Hugh Aver, “New Tricks for the Trickbot Trojan”, Kaspersky Blog, accessed November 22, 2021, published October 19, 2021, https://www.kaspersky.com/blog/trickbot-new-tricks/42622/#:~:text=exactly%20five%20years%20ago%2C%20in,credentials%20for%20online%20banking%20services.
