Severity level: High – Compromise may result in theft of sensitive emails and deployment of additional malware including ransomware.
After abruptly ceasing activity in July 2022, Emotet malware has once again begun spamming mailboxes across the globe in a large-scale phishing campaign. Emotet operates as a botnet, with each infected device spamming vast amounts of emails paired with malicious Word and Excel attachments. Once opened, macros within these attachments download the Emotet Dynamic Link Library (DLL) and load it to the system’s memory.
Once a system has been successfully exploited, the malware will scan for all held emails and exfiltrate them for use in future attacks. Furthermore, Emotet can drop additional payloads such as a Cobalt Strike beacon or TrickBot, which provides an access point for further exploitation, including ransomware attacks.
Emotet uses a ‘spray and pray’ tactic, meaning that all companies and businesses are potential targets. These emails are sophisticated and specifically designed to deceive their victims, making them harder for untrained staff to detect.
If it is not detected and blocked by an Endpoint Detection and Response (EDR) solution, Emotet will almost certainly harvest all emails held on the affected system/account, some potentially containing business and customer data. Additional compromise via malware such as Cobalt Strike and Hive is a realistic possibility, so immediate defensive action is recommended upon initial Emotet detection to prevent data encryption and loss.
A comprehensive EDR solution such as Microsoft Defender can provide additional protection against ransomware threats such as Emotet. EDRs can alert system users of potential breaches and stop further progress before the malware can do significant damage.
Once a system is infected, the Emotet DLL is downloaded into randomly named folders located under the file path User\AppData\Local\ (the “Emotet” DLL).
Emotet macros then launch the installed DLL via the legitimate regsvr32.exe. The above file path will appear in the command line of the regsvr32.exe process.
To maintain persistence on an infected system, Emotet creates a value under the following registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Like the DLL, this value has a random name made up of a muddled sequence of letters.
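The three artifacts above (a DLL in a random folder directly under AppData\Local, loaded by regsvr32.exe, and re-launched from an HKCU Run value) can be turned into a simple triage rule. The following is an added example, not code from the original advisory; the event records and paths are constructed, and the event field names (image, cmdline, key, value_name, data) are an assumed shape rather than any specific EDR's schema.

```python
import re

# Constructed sample telemetry (not from the advisory): process-creation and
# registry-set events in the shape an EDR or Sysmon feed might provide.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Xkqzvpl\Wqmbt.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Ztqwvbnk",
     "data": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Xkqzvpl\Wqmbt.dll"'},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# A DLL in a folder one level below AppData\Local: the drop location described above.
LOCALAPPDATA_DLL = re.compile(
    r"\\AppData\\Local\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.dll", re.IGNORECASE)


def is_regsvr32_loading_localappdata_dll(cmdline: str) -> bool:
    """True when regsvr32 is asked to load a DLL from a folder directly under
    AppData\\Local. A bare AppData\\Local path is not enough on its own, since
    legitimate per-user software (OneDrive, for instance) also lives there."""
    return "regsvr32" in cmdline.lower() and LOCALAPPDATA_DLL.search(cmdline) is not None


def is_suspicious_run_key(event: dict) -> bool:
    """Run-key value whose data re-launches the same regsvr32 + AppData\\Local DLL pattern."""
    return (event["key"].lower() == RUN_KEY.lower()
            and is_regsvr32_loading_localappdata_dll(event["data"]))


def triage(events: list) -> list:
    """Return (index, reason) pairs for events matching the advisory's artifacts."""
    hits = []
    for i, ev in enumerate(events):
        if (ev["type"] == "process" and ev["image"].lower().endswith("regsvr32.exe")
                and is_regsvr32_loading_localappdata_dll(ev["cmdline"])):
            hits.append((i, "regsvr32 loading a DLL from an AppData\\Local subfolder"))
        elif ev["type"] == "registry" and is_suspicious_run_key(ev):
            hits.append((i, "HKCU Run value persisting a regsvr32 AppData\\Local DLL load"))
    return hits


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Against the constructed events, only the regsvr32 call and the Run value that both point at the AppData\Local DLL are flagged; the vendor DLL and the OneDrive Run value are not.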
Containment, Mitigations & Remediations
It is recommended that employees receive training on how to spot signs of phishing emails. The main method of initial compromise is phishing, so some in-house training will go a long way to reducing the effectiveness of future campaigns.
As stated above, a main method of reducing the threat of Emotet is to detect it in the early stages through the use of an effective and monitored EDR solution. An effective EDR will increase detection of attempted ransomware compromise and halt it when detected.
Indicators of Compromise
Emotet-associated hashes:
Emotet-associated IPs:
The spam distribution of phishing emails is particularly dangerous as it is tricky to provide early warning alerts of which sectors and companies are likely to be targeted, as no specific targeting exists.
The Emotet criminal gang took an unexpected break from malicious activity for four months between 13th July and 2nd November 2022. While there is no direct reporting on why this break occurred, there is a realistic possibility the break was due to them meeting predetermined aims, and now new goals have been set. The group likely receives additional financial benefits from the distribution of third-party ransomware, and this may have been a factor in the group’s return.
MITRE ATT&CK Techniques
T1087.003 – Account Discovery: Email Account
T1560 – Archive Collected Data
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1110.001 – Brute Force: Password Guessing
T1059 – Command and Scripting Interpreter
T1543.003 – Create or Modify System Process: Windows Service
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1114.001 – Email Collection: Local Email Collection
T1573.002 – Encrypted Channel: Asymmetric Cryptography
T1041 – Exfiltration Over C2 Channel
T1210 – Exploitation of Remote Services
T1040 – Network Sniffing
T1571 – Non-Standard Port
T1027 – Obfuscated Files or Information
T1003.001 – OS Credential Dumping: LSASS Memory
T1566.001 – Phishing: Spearphishing Attachment
T1566.002 – Phishing: Spearphishing Link
T1057 – Process Discovery
T1055.001 – Process Injection: Dynamic-link Library Injection
T1021.002 – Remote Services: SMB/Windows Admin Shares
T1053.005 – Scheduled Task/Job: Scheduled Task
T1552.001 – Unsecured Credentials: Credentials In Files
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1078.003 – Valid Accounts: Local Accounts
T1047 – Windows Management Instrumentation