Just one engine to detect this emotet malware laden blogsite...

Re: https://urlhaus.abuse.ch/url/544840/
For the moment only detected by Spamhaus: https://www.virustotal.com/gui/url/1f6aa13c5a5cc9f3a4c3aa234a4c967f40a0f2324c877f9fc41abb987f2279f9/detection

Wrong WordPress setting: user enumeration
The first two user IDs were tested to determine if user enumeration is possible.

ID   Username   Name
1    admin      Manzoor The Trainer
2    not found
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

2 vulnerable jQuery libraries detected: https://retire.insecurity.today/#!/scan/dd781fbdb5bb4a5b479b47d8522a9721b65c8e942ac302d49116b25758ebf210

F-grade here: https://observatory.mozilla.org/analyze/blog.manzoorthetrainer.com

Sucuri detects the malware: https://sitecheck.sucuri.net/results/blog.manzoorthetrainer.com
Site has been hacked to send spam…read:
https://success.trendmicro.com/solution/1118391-malware-awareness-emotet-resurgence

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
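As an added defender-side example (not code from the post or from the site discussed), a WordPress must-use plugin that closes the author-ID enumeration the post describes. It assumes the file is dropped into wp-content/mu-plugins/ and that public author archives are not needed on the site.

```php
<?php
/**
 * Plugin Name: Block author enumeration (added example, hypothetical)
 * Description: Stops /?author=N probing and the public REST users listing.
 */

// 1. Requests like /?author=1 normally 301 to /author/<login>/, which leaks
//    the username behind each numeric ID. Send them to the home page instead.
add_action('init', function () {
    if (is_admin()) {
        return;
    }
    if (isset($_GET['author']) && preg_match('/^\d+$/', (string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 2. Disable author archives entirely (the post notes that enabled author
//    archives usually allow enumerating all users). Priority 0 so this runs
//    before WordPress' own canonical redirect on the same hook.
add_action('template_redirect', function () {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 0);

// 3. Hide the REST users endpoints from anonymous visitors; logged-in users
//    (editors picking post authors, for example) keep them.
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

Renaming the default admin account, as the post recommends, is still worthwhile; this plugin only removes the easy ways of discovering the login names.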

Just a website infested in a similar way with emotet: https://urlhaus.abuse.ch/url/545677/

Already been blacklisted here: https://sitecheck.sucuri.net/results/qutiche.cn/wp-admin/Pages/HqElwOtyTD2GJ2G/
as categorized by: Forcepoint ThreatSeeker under compromised websites;
Sophos as malware repository, spyware and malware

10 engines to flag: https://www.virustotal.com/gui/url/ee8600033831a287ea58aa4d1e6c5e3943584321a89c619ce4413ed3c285c434/detection

WP issues: WordPress Version 5.4.2; version does not appear to be latest

Strange results: DShield CLEAN
AlienVault OTX CLEAN
Cisco Talos CLEAN
abuse.ch (Feodo) CLEAN
URLhaus CLEAN
Spamhaus (Drop / eDrop) CLEAN

Externally Linked Host Hosting / Company Netblock Country
-cn.wordpress.org SINGLEHOP-LLC

Alibaba abuse: https://www.shodan.io/host/39.106.129.233

On IP source: hxtp://39.106.129.233/ = blocked by HTTPS Everywhere…no interesting sites there according to VT:
https://www.virustotal.com/gui/ip-address/39.106.129.233/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

In this URL scan the malware was completely missed:

1. URL: htxp://qutiche.cn/wp-admin/Pages/HqElwOtyTD2GJ2G/ Server response code and content type: 200, application/msword Elapsed time: 2531.52ms Dr.Web not recommended websites database: Clean Size: 205075 MD5: fab7cf5e8315d0198b8f3ca906d4d713 Scan time: 47.48ms Scan result: clean Full Dr.Web scan report: *

2020-09-17 17:58:01

(Source is the free Dr Web online check - check URL in the browser)

polonus