Emotet Phishing Botnet

Overview

Severity level: High – Compromise may result in theft of sensitive emails and deployment of additional malware including ransomware.

Emotet is a modular malware that is primarily used as a downloader for other malware variants, including TrickBot, IcedID, Qakbot, Cobalt Strike, and, in some cases, ransomware variants, such as Ryuk. Emotet first emerged in June 2014 and has been primarily, but not exclusively, used to target the banking sector. Some of the identified Emotet modules have the following capabilities: scraping email addresses and data from Outlook, brute forcing user accounts with a hardcoded list of passwords, using PowerShell to retrieve the malicious payload and download additional resources, such as Mimikatz, stealing credentials from password stores and web browsers and hooking network APIs to monitor network traffic.

Emotet typically spreads via phishing and email attachments or links, often masquerading as legitimate documents. Emotet has relied upon users clicking on a malicious link or attachment delivered through spearphishing. Upon infection, Emotet can harvest sensitive data such as usernames, passwords, and other credentials. Emotet is also known for its ability to self-propagate, allowing it to identify and spread to other systems on the same target network or to other networks without instruction from its operators.

It was recently discovered that the Emotet malware variant is now being distributed via Microsoft OneNote email attachments, an applied infection vector that has the objective of bypassing Microsoft security defences. The botnet malware variant has been notorious for its previous distribution methods via Microsoft Word and Microsoft Excel attachments containing malicious macros. As noted in March 2023, The Emotet threat actor took an unexpected break from malicious activity for four months, between 13th July and 2nd November 2022. A second hiatus was then observed to have occurred throughout the 3-month period leading up to March 2023. However, the most recent wave of attacks did not provide the desired outcome as Microsoft defence solutions now automatically block detected macros in Microsoft Word and Excel documents that have been downloaded. As such, the threat actor group have now switched tactics to deploying the malware via Microsoft OneNote files. The files are distributed in reply-chain emails that masquerade as generics guides, invoices, and job references.

Emotet operates as a botnet, with each infected device spamming vast amounts of emails, paired with malicious attachments. Once opened, macros within these attachments download the Emotet Dynamic Link Library (DLL) and load it to the system’s memory. Following successful exploitation, the malware will scan for all held emails and exfiltrate them for use in future attacks.

Previous ransomwares connected with the deployment of Emotet include Hive, Ryuk, Quantum and BlackCat.