
Emotet botnet returns after four-month absence

Target Industry

Indiscriminate targeting.

Overview

Severity level: High – Compromise may result in theft of sensitive emails and deployment of additional malware including ransomware.

After abruptly ceasing activity in July 2022, Emotet malware has once again begun spamming mailboxes across the globe in a large-scale phishing campaign. Emotet operates as a botnet, with each infected device spamming vast amounts of emails paired with malicious Word and Excel attachments. Once opened, macros within these attachments download the Emotet Dynamic Link Library (DLL) and load it to the system’s memory.

Once a system has been successfully exploited, the malware will scan for all held emails and exfiltrate them for use in future attacks. Furthermore, Emotet can drop additional payloads such as a Cobalt Strike beacon or TrickBot, which provides an access point for further exploitation, including ransomware attacks.

Ransomware families previously connected with Emotet deployments include Hive, Ryuk, Quantum and BlackCat.

Impact

Emotet uses a ‘spray and pray’ tactic, meaning that all companies and businesses are potential targets. The emails are sophisticated and specifically designed to deceive their recipients, making them harder for untrained staff to spot.

If it is not detected and blocked by an Endpoint Detection and Response (EDR) solution, Emotet will almost certainly harvest all emails held on the affected system or account, some of which may contain business and customer data. Follow-on compromise via malware such as Cobalt Strike and Hive is a realistic possibility, so immediate defensive action upon initial Emotet detection is recommended to prevent data encryption and loss.

Vulnerability Detection

A comprehensive EDR solution such as Microsoft Defender can provide additional protection against threats such as Emotet and the ransomware it delivers. An EDR can alert system users to a potential breach and stop further progress before the malware can do significant damage.

Once a system is infected, the Emotet DLL is downloaded into a randomly named folder under the file path User\AppData\Local\.

Emotet’s macros then launch the installed DLL via the legitimate regsvr32.exe utility, so the file path above will be present in the regsvr32.exe command line.

To maintain persistence on an infected system, Emotet creates a value under the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. As with the DLL, this value has a random name made up of a sequence of muddled letters.
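The three artefacts above (a DLL in a randomly named folder under AppData\Local, regsvr32.exe loading it, and a Run-key value with a muddled-letter name) can be turned into a simple hunting check. The script below is an added example, not part of the bulletin or of any vendor product; it runs over constructed sample events whose field names (type, image, cmdline, key, value_name, data) are assumptions rather than a particular EDR or Sysmon schema, and the vowel-ratio test for "random-looking" names is a heuristic chosen here, not an Emotet signature.

```python
"""Hunting heuristics for the Emotet persistence and loading behaviour
described in the bulletin. All events below are constructed samples."""
import re

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# A DLL inside a sub-folder of <user>\AppData\Local, e.g. ...\AppData\Local\Xkqzvtr\pbwlmnq.dll
LOCAL_APPDATA_DLL = re.compile(
    r"\\AppData\\Local\\(?P<folder>[^\\\"]+)\\(?P<dll>[^\\\"]+\.dll)", re.IGNORECASE)
# regsvr32 or regsvr32.exe appearing as the launched program in a command line
REGSVR32 = re.compile(r"(?:^|\\|\s)regsvr32(?:\.exe)?(?:\s|$)", re.IGNORECASE)


def looks_random(name: str, max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic (an assumption, not a signature) for muddled-letter names:
    purely alphabetic, at least 5 characters, and very few vowels."""
    if len(name) < 5 or not name.isalpha():
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return vowels / len(name) <= max_vowel_ratio


def classify_process(event: dict):
    """Flag regsvr32 loading a DLL from a folder under AppData\\Local."""
    if event.get("type") != "process":
        return None
    cmd = event.get("cmdline", "")
    if not REGSVR32.search(cmd):
        return None
    m = LOCAL_APPDATA_DLL.search(cmd)
    if not m:
        return None
    # Random-looking folder or DLL name raises confidence, as the bulletin describes.
    random_names = looks_random(m["folder"]) or looks_random(m["dll"].rsplit(".", 1)[0])
    return {"rule": "regsvr32_appdata_local_dll",
            "severity": "high" if random_names else "medium",
            "evidence": cmd}


def classify_registry(event: dict):
    """Flag an HKCU Run value that relaunches regsvr32 on a DLL under AppData\\Local."""
    if event.get("type") != "registry" or event.get("key", "").lower() != RUN_KEY.lower():
        return None
    data = event.get("data", "")
    if not (REGSVR32.search(data) and LOCAL_APPDATA_DLL.search(data)):
        return None
    name = event.get("value_name", "")
    return {"rule": "run_key_regsvr32_appdata_local_dll",
            "severity": "high" if looks_random(name) else "medium",
            "evidence": f"{name} = {data}"}


def hunt(events):
    """Return one finding per event that matches either heuristic."""
    findings = []
    for ev in events:
        finding = classify_process(ev) or classify_registry(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: two benign, two mimicking the behaviour in the bulletin.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Xkqzvtr\pbwlmnq.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"type": "registry", "key": RUN_KEY, "value_name": "Wqnzpxl",
     "data": r'C:\Windows\System32\regsvr32.exe /s "C:\Users\alice\AppData\Local\Xkqzvtr\pbwlmnq.dll"'},
    {"type": "registry", "key": RUN_KEY, "value_name": "OneDrive",
     "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["rule"], "->", finding["evidence"])
```

Feeding real process-creation and registry-set telemetry through hunt() only requires mapping your EDR's field names onto the keys used here; the two benign samples show why the AppData\Local path and regsvr32 are checked together rather than alone.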

Affected Products

Windows OS

Containment, Mitigations & Remediations

It is recommended that employees receive training on how to spot the signs of phishing emails. Phishing is the main method of initial compromise, so in-house training will go a long way towards reducing the effectiveness of future campaigns.

As stated above, the main way of reducing the threat of Emotet is to detect it at an early stage through an effective and monitored EDR solution. An effective EDR increases the likelihood that an attempted ransomware compromise is detected and halts it when it is.

Indicators of Compromise

Emotet associated hashes:

Emotet associated IPs:

103.85.95.4
159.89.202.34
188.225.32.231
202.134.4.210
210.57.209.142

Threat Landscape

Spam-based distribution of phishing emails is particularly dangerous because, with no specific targeting, it is difficult to give early warning of which sectors or companies are likely to be hit.

Threat Group

The Emotet criminal gang took an unexpected break from malicious activity for four months between 13th July and 2nd November 2022. While there is no direct reporting on why this break occurred, there is a realistic possibility the break was due to them meeting predetermined aims, and now new goals have been set. The group likely receives additional financial benefits from the distribution of third-party ransomware, and this may have been a factor in the group’s return.

Mitre Methodologies

T1087.003 – Account Discovery: Email Account
T1560 – Archive Collected Data
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1110.001 – Brute Force: Password Guessing
T1059 – Command and Scripting Interpreter
T1543.003 – Create or Modify System Process: Windows Service
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1114.001 – Email Collection: Local Email Collection
T1573.002 – Encrypted Channel: Asymmetric Cryptography
T1041 – Exfiltration Over C2 Channel
T1210 – Exploitation of Remote Services
T1040 – Network Sniffing
T1571 – Non-Standard Port
T1027 – Obfuscated Files or Information
T1003.001 – OS Credential Dumping: LSASS Memory
T1566.001 – Phishing: Spearphishing Attachment
T1566.002 – Phishing: Spearphishing Link
T1057 – Process Discovery
T1055.001 – Process Injection: Dynamic-link Library Injection
T1021.002 – Remote Services: SMB/Windows Admin Shares
T1053.005 – Scheduled Task/Job: Scheduled Task
T1552.001 – Unsecured Credentials: Credentials In Files
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1078.003 – Valid Accounts: Local Accounts
T1047 – Windows Management Instrumentation

Further Information

Kroll – Emotet analysis

Intelligence Terminology Yardstick