Emotet malware returns following three-month hiatus

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: High – Compromise by Emotet may result in theft of sensitive emails and deployment of additional malware, including ransomware.

Emotet has resumed spamming mailboxes in a large-scale phishing campaign following a three-month hiatus. The malware was last reported active in November 2022, in a campaign that lasted two weeks. The current campaign uses phishing emails masquerading as invoices, with attached ZIP archives containing Word documents inflated to 526MB. The documents, not the emails themselves, are padded with unused data to increase the file size, a defence evasion technique that makes the files harder for antivirus solutions to scan, since many scanners skip or only partially inspect files above a size threshold.

It should be noted that the current campaign may prove less successful than previous ones because of a change Microsoft implemented in 2022. In July 2022, Microsoft disabled macros by default in Office documents downloaded from the internet (files carrying the Mark of the Web). Users who open an Emotet document therefore see a message stating that macros have been blocked because the source of the file is not trusted, and the malicious macro does not run unless the user deliberately unblocks the file.

Impact

Emotet employs a ‘spray and pray’ tactic, so organisations of every type are potential victims. The phishing emails associated with the malware are carefully crafted to deceive their recipients, often drawing on email content harvested from earlier victims.

Upon successful infection, Emotet will almost certainly harvest the emails held on the compromised system. Follow-on compromise via additional payloads, such as Cobalt Strike and Hive ransomware, is a realistic possibility. Immediate defensive action upon initial Emotet detection is therefore recommended to prevent data encryption and loss.

Vulnerability Detection

A comprehensive EDR solution, such as Microsoft Defender for Endpoint, provides additional protection against malware threats such as Emotet. An EDR can alert defenders to a potential breach and block further progress of the attack before the malware does significant damage.

Upon infection, the Emotet DLL is dropped into a randomly named folder under the user’s local application data directory, C:\Users\<user>\AppData\Local\<random>\, with a randomly named DLL inside it. The Emotet macro then launches the DLL with the legitimate regsvr32.exe utility, so that path appears in the command line of a regsvr32.exe process. Because both the folder and the DLL name are random, detection must match on the path structure rather than on a fixed name; a regsvr32.exe process spawned by WINWORD.EXE and loading a DLL from that location is a strong indicator.

To maintain persistence on an infected system, Emotet creates a value under the following registry key:

– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Like the DLL, this value has a random name made up of a muddled sequence of characters; its data points back to the DLL so that it is loaded again via regsvr32.exe at each logon.
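The execution and persistence pattern above (regsvr32.exe loading a DLL from a random folder under %LOCALAPPDATA%, and an HKCU Run value that re-launches it) can be turned into detection logic. The following is an added example written for this bulletin, not code from the bulletin or from any EDR vendor. The event records are constructed to imitate Sysmon fields (Event ID 1 process creation, Event ID 13 registry value set); the user name, folder names and SID are made up.

```python
"""Detection logic for the Emotet execution and persistence pattern:
a DLL in a randomly named folder under %LOCALAPPDATA%, launched by
regsvr32.exe and re-launched from an HKCU Run value.

Added example, not code from the bulletin. Event records are constructed
to imitate Sysmon fields; user name, folder names and SID are made up.
"""
import re

# C:\Users\<user>\AppData\Local\<random>\<random>.dll. Both names are random,
# so match the path structure rather than a fixed string.
LOCAL_APPDATA_DLL = re.compile(
    r'[A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.dll',
    re.IGNORECASE,
)

# HKCU\...\Run. Sysmon records the current user's hive as HKU\<SID>, so
# accept either spelling of the hive.
RUN_VALUE = re.compile(
    r'^(HKCU|HKU\\S-1-5-21-[0-9-]+)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run\\[^\\]+$',
    re.IGNORECASE,
)

OFFICE_PARENTS = ("winword.exe", "excel.exe")


def check_process(event):
    """Reasons a process-creation event matches the Emotet launch pattern."""
    reasons = []
    image = event.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return reasons
    if LOCAL_APPDATA_DLL.search(event.get("CommandLine", "")):
        reasons.append("regsvr32.exe loading a DLL from a random folder under %LOCALAPPDATA%")
        parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if parent in OFFICE_PARENTS:
            reasons.append(f"parent is {parent}, consistent with macro execution")
    return reasons


def check_registry(event):
    """Reasons a registry-set event matches the Emotet persistence pattern."""
    if not RUN_VALUE.search(event.get("TargetObject", "")):
        return []
    details = event.get("Details", "")
    if "regsvr32" in details.lower() and LOCAL_APPDATA_DLL.search(details):
        return ["Run value starts regsvr32.exe with a DLL under %LOCALAPPDATA%"]
    return []


def scan(events):
    """Return (EventID, reasons) for every event that matches."""
    alerts = []
    for event in events:
        reasons = check_process(event) if event.get("EventID") == 1 else check_registry(event)
        if reasons:
            alerts.append((event["EventID"], reasons))
    return alerts


SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed
RUN_KEY = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [  # constructed; the first and third follow the Emotet pattern
    {"EventID": 1,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'C:\Windows\System32\regsvr32.exe /S "C:\Users\jdoe\AppData\Local\Ghpqzt\Kfnwlx.dll"'},
    {"EventID": 1,  # benign installer registering a vendor DLL
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"EventID": 13,
     "TargetObject": RUN_KEY + r"\Kfnwlx",
     "Details": r'C:\Windows\System32\regsvr32.exe "C:\Users\jdoe\AppData\Local\Ghpqzt\Kfnwlx.dll"'},
    {"EventID": 13,  # benign Run value
     "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Run against the constructed events, the first process event and the first registry event fire and the two benign records do not. In production the same two checks map directly onto an EDR or SIEM query over process command lines and registry-set telemetry; the Office parent check raises confidence but should not be required, since the Run value re-launches the DLL at logon without Word involved.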

Affected Products

– Windows OS

Containment, Mitigations & Remediations

It is recommended that employees receive training on how to recognise the markers of a phishing email. Phishing is the initial compromise vector, so in-house training is a robust method of reducing the effectiveness of future campaigns.

As stated above, a primary method of reducing the Emotet threat is early detection through an effective, monitored EDR solution, which increases the detection of malware compromise attempts and can block them when detected.

Moreover, CISA and MS-ISAC recommend that network defenders apply the following best practices to strengthen the security posture of their organisation’s systems against Emotet infection:

– Block email attachments commonly associated with malware (e.g., .dll and .exe)
– Block email attachments that cannot be scanned by antivirus software (e.g., .zip files)
– Implement Group Policy Object and firewall rules
– Implement an antivirus program and a formalised patch management process
– Implement filters at the email gateway and block suspicious IP addresses at the firewall
– Adhere to the principle of least privilege
– Implement a Domain-based Message Authentication, Reporting and Conformance (DMARC) validation system
– Segment and segregate networks and functions
– Limit unnecessary lateral communications
– Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication
– Enforce the multi-factor authentication requirement
– Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known
– Enable a firewall on agency workstations, configured to deny unsolicited connection requests
– Disable unnecessary services on agency workstations and servers
– Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header)
– Monitor users’ web browsing habits; restrict access to suspicious or risky sites
– Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs)
– Scan all software downloaded from the internet prior to executing
– Maintain situational awareness of the latest threats and implement appropriate access control lists.
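Two of the recommendations above, checking that an attachment’s “true file type” matches its extension and scanning attachments before they reach users, bear directly on this campaign’s ZIP-wrapped, padding-inflated Word documents. The following is an added example of such a triage check, written for this bulletin rather than taken from it or from CISA; the sample archive, its member names and the 10MB size limit are constructed assumptions.

```python
"""Triage of a ZIP attachment carrying padding-inflated Word documents.
Added example, not code from the bulletin. The archive, its member names
and the 10MB size threshold are constructed for illustration.
"""
import io
import zipfile

# Magic bytes for the types this campaign uses or spoofs.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls
    b"PK\x03\x04": "zip",                          # .docx/.docm (OOXML) and .zip
    b"MZ": "pe",                                   # .exe/.dll
}
EXPECTED_TYPE = {"doc": "ole2", "xls": "ole2", "docx": "zip", "docm": "zip",
                 "zip": "zip", "exe": "pe", "dll": "pe"}
MAX_DOC_BYTES = 10_000_000  # assumed policy limit for an Office attachment
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def true_type(head):
    """Type by file header (the 'true file type'), independent of extension."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def extension_matches(name, head):
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXPECTED_TYPE.get(ext) == true_type(head)


def padding_ratio(data):
    """Fraction of the file that is trailing NUL bytes (the inflation trick)."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\x00"))) / len(data)


def triage_member(name, data, max_doc_bytes=MAX_DOC_BYTES):
    findings = []
    kind = true_type(data[:8])
    if not extension_matches(name, data[:8]):
        findings.append(f"{name}: extension does not match file header ({kind})")
    if kind in ("ole2", "zip") and len(data) > max_doc_bytes:
        findings.append(f"{name}: document of {len(data)} bytes exceeds {max_doc_bytes}")
    ratio = padding_ratio(data)
    if ratio > 0.5:
        findings.append(f"{name}: {ratio:.0%} of the file is NUL padding")
    return findings


def triage_zip(zip_bytes, max_doc_bytes=MAX_DOC_BYTES):
    """Inspect each member; refuse to decompress members declared oversize."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # The central directory records the uncompressed size. NUL padding
            # compresses to almost nothing, so a 500MB document arrives as a
            # small ZIP; check the declared size before expanding the member.
            if info.file_size > max_doc_bytes:
                findings.append(f"{info.filename}: declared size {info.file_size} exceeds "
                                f"{max_doc_bytes} (compressed size {info.compress_size})")
                continue
            findings.extend(triage_member(info.filename, zf.read(info), max_doc_bytes))
    return findings


def build_sample_zip():
    """Constructed archive: one clean member and three suspicious ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.docx", b"PK\x03\x04" + b"A" * 100)          # clean
        zf.writestr("invoice.doc", OLE2 + b"text" + b"\x00" * 200_000)   # padded
        zf.writestr("invoice_2023.doc", OLE2 + b"\x00" * 12_000_000)     # oversize
        zf.writestr("payment.docx", b"MZ" + b"\x90" * 62)                # PE in disguise
    return buf.getvalue()


def sample_findings():
    return triage_zip(build_sample_zip())


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

On the constructed archive the clean report.docx produces nothing, while the padded, oversize and mis-typed members each produce one finding. The order of the checks matters: reading the declared uncompressed size from the central directory lets a gateway reject an inflated document without spending memory decompressing it.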

Indicators of Compromise

Emotet associated file hashes (SHA-256):

– 35ac91edc35106c81fae5e6571f3247e03bd2e0cb62babae03bece5bd305bceb
– 0853f8b8bf0ba0f87fecb27e8e402e6c7b7fa56bbaf8810c7ff4607351e733ee
– 152870419a11ac79a6b864c7206f3170c4c9702b64fbfb88eca2a712aee973ed
– 16a30d27db5ff8f147cdf95ecdb0be21d6ee44ef4ccd609f3ac2fcf3ba71a287
– 17a8032270b9091dc93192760e6eb111045449ce0e81c7e35e13e3da8b1ed7aa
– 2cc3396b614c4c58537944cb51dcfc8b46def10dc3ba4b345db2e875ef433344
– 416de3ee367821b985b61d270d95b722acc223ef63bfd12362c853e64a82c888
– 452bd4d87d5380bfaa4f66fe3cab035548d5565b853c0e29733baa3a58cd330a
– 49b0eb1060327996e779198b4415fc5f5c1e4c82884cc7a98adf3c6807ecbf09
– 5345d5694dca1b75b2fc6b8e0a9691ea835273dfa1b1228509a153582a77ccfb
– 75e12e652b92ce0b03b30e21e306d754f04b436c861fe411c1c130fa034156d1
– baefa89c591aa88fd3be3f22b5a06ba75a526f37848832e19722462172af0577
– d266dec08da234320879f2d2d210ddc4cc626973130b3d9066a6c50c5f191f0f
– d2ca58c087c1cdb343cf2dd78467e2418a54813ccaefda71940a43915b051bc5
– d6e6f3b8415b46233ea02e97e2d7dcc27aa819340a68532d9b116bb036f0c376
– e3f144e6a914585fc86d96ddee6819e3b11f2103cda0f1cd7553c9034d5dcf16
– e9cef155457280e79bf9e7a04529bfeb7e9972b6c42eb2aab8eba56839546556
– f97b77abc8d3585e6b542011cec52154bb9177011729c74ac293d6eeb78c53f8
– fc43d2f333c8ba98e1da6a28187bdd3465989a8e306f8d3bd4ca03864aa61c0e
– fd50db3848da30ba0200c81d29a5beee64be5c4481127b17a50ffa2b47381822

Emotet associated IP addresses:

– 103.75.201[.]2
– 104.168.155[.]143
– 159.89.202[.]34
– 164.90.222[.]65
– 186.250.48[.]5
– 188.44.20[.]25
– 202.29.239[.]162
– 206.189.28[.]199
– 45.235.8[.]30
– 116.125.120[.]88
– 103.224.241[.]74
– 213.239.212[.]5
– 182.162.143[.]56
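The IP indicators above are defanged with `[.]` so they cannot be clicked; before they can be matched against proxy or firewall logs they must be refanged, and the match must be on whole IP tokens rather than substrings. The following is an added example, not code from the bulletin; the log lines and their format are constructed, while the indicators are the ones listed above.

```python
"""Match the bulletin's defanged IP indicators against network logs.
Added example, not code from the bulletin. Log lines are constructed;
the indicators are those listed in the bulletin.
"""
import re

DEFANGED_IPS = [
    "103.75.201[.]2", "104.168.155[.]143", "159.89.202[.]34", "164.90.222[.]65",
    "186.250.48[.]5", "188.44.20[.]25", "202.29.239[.]162", "206.189.28[.]199",
    "45.235.8[.]30", "116.125.120[.]88", "103.224.241[.]74", "213.239.212[.]5",
    "182.162.143[.]56",
]

# Whole dotted-quad tokens only: no digit or dot directly before or after.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang(ioc):
    """Undo common defanging so the indicator matches what logs record."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")


def find_hits(log_lines, defanged_iocs):
    """Return (ip, line) for each log line that contains an indicator.

    IPs are extracted as whole tokens first; a plain substring test would
    also fire on 145.235.8.30 for the indicator 45.235.8.30.
    """
    indicators = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_lines:
        for ip in IPV4.findall(line):
            if ip in indicators:
                hits.append((ip, line))
    return hits


SAMPLE_LOG = [  # constructed firewall log lines
    "2023-03-08T10:14:02Z ALLOW src=10.20.30.41 dst=45.235.8.30 dport=8080 proto=tcp",
    "2023-03-08T10:14:05Z ALLOW src=10.20.30.41 dst=145.235.8.30 dport=443 proto=tcp",
    "2023-03-08T10:15:11Z ALLOW src=10.20.30.77 dst=213.239.212.5 dport=7080 proto=tcp",
    "2023-03-08T10:16:00Z ALLOW src=10.20.30.77 dst=198.51.100.7 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for ip, line in find_hits(SAMPLE_LOG, DEFANGED_IPS):
        print(ip, "<-", line)
```

Against the constructed log the first and third lines match; the second line, whose destination merely contains the indicator 45.235.8.30 as a suffix, is correctly ignored.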

Threat Landscape

The spam distribution of Emotet phishing emails is particularly dangerous because no specific targeting profile exists, which makes it difficult to give early warning of which organisations and industry sectors are likely to be targeted.

Due to the previously mentioned changes implemented by Microsoft, it is possible that Emotet threat actors will pivot to alternative attachment types if the current campaign does not proceed as intended.

Threat Group

The Emotet criminal gang took an unexpected break from malicious activity for almost four months, between 13th July and 2nd November 2022. A second hiatus was then observed for a three-month period leading up to March 2023.

There is currently no direct reporting on why these operations were suspended, but there is a realistic possibility that the pauses reflect the group meeting predetermined aims and planning further objectives. The Emotet group likely receives additional financial benefit from distributing third-party ransomware, a factor which may be linked to its return. The fact that a second period of suspended operations has now been documented makes this a significant behavioural trend that could continue.

Mitre Methodologies

Initial Access:

T1566.001 – Phishing: Spearphishing Attachment
T1566.002 – Phishing: Spearphishing Link
T1078.003 – Valid Accounts: Local Accounts

Execution:

T1059 – Command and Scripting Interpreter
T1053.005 – Scheduled Task/Job: Scheduled Task
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1047 – Windows Management Instrumentation

Persistence:

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1543.003 – Create or Modify System Process: Windows Service
T1053.005 – Scheduled Task/Job: Scheduled Task
T1078.003 – Valid Accounts: Local Accounts

Privilege Escalation:

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1543.003 – Create or Modify System Process: Windows Service
T1055.001 – Process Injection: Dynamic-link Library Injection
T1053.005 – Scheduled Task/Job: Scheduled Task
T1078.003 – Valid Accounts: Local Accounts

Defence Evasion:

T1055.001 – Process Injection: Dynamic-link Library Injection
T1078.003 – Valid Accounts: Local Accounts
T1027 – Obfuscated Files or Information

Credential Access:

T1110.001 – Brute Force: Password Guessing
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1040 – Network Sniffing
T1003.001 – OS Credential Dumping: LSASS Memory
T1552.001 – Unsecured Credentials: Credentials in Files

Discovery:

T1040 – Network Sniffing
T1087.003 – Account Discovery: Email Account
T1057 – Process Discovery

Lateral Movement:

T1210 – Exploitation of Remote Services
T1021.002 – Remote Services: SMB/Windows Admin Shares

Collection:

T1560 – Archive Collected Data
T1114.001 – Email Collection: Local Email Collection

Command and Control:

T1573.002 – Encrypted Channel: Asymmetric Cryptography
T1571 – Non-Standard Port

Exfiltration:

T1041 – Exfiltration Over C2 Channel

Further Information

Bleeping Computer Article
Cofense Report
CISA Emotet Advisory

Intelligence Terminology Yardstick