Nina Kovacs — Exploit Research Analyst
Key Takeaways
- Emotet employs innovative evasion techniques and utilizes multiple payloads throughout its infection lifecycle.
- Initial access often leverages phishing emails, suggesting the need for enhanced email filtering solutions.
- Indicators of compromise (IOCs) include specific file hashes and C2 servers associated with the malware’s latest variants.
Executive Summary
During our investigation of the recent Emotet malware campaign, we observed a sophisticated attack vector that highlights the evolving landscape of malware distribution. Emotet, known for its modularity and versatility, has not only resurfaced in recent months but has also adopted new tactics that complicate detection and response efforts. In this analysis, we delve into the various phases of the attack chain, illustrating how Emotet establishes a foothold within target environments and achieves its objectives.
Initial Access
The initial access vector for this Emotet campaign predominantly revolves around phishing emails, which were meticulously crafted to evade detection. Our analysis revealed that the actors utilized enticing lures and malicious attachments, primarily in the form of Microsoft Word documents. Each document contained embedded macros that, when enabled by unsuspecting users, executed malicious scripts. The specific command invoked was cmd.exe /c start mshta.exe, leading to the download of additional payloads from remote servers.
Execution & Persistence
Once the initial payload was executed, we found that Emotet used a method known as Process Injection (T1055), whereby it injected malicious code into legitimate processes. This technique not only helps evade detection but also facilitates the malware’s persistence on the compromised system. The sample we examined registered itself in the Windows Task Scheduler with the task name Microsoft Edge Update, scheduled to execute every hour, enhancing its chances of re-infection should it be removed. Furthermore, Emotet creates a registry key at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\, allowing it to persist across reboots.
Command and Control
The command and control (C2) infrastructure of the examined Emotet variant displayed significant resilience. Our observations identified that the malware frequently cycled through various domains for C2 communication, making it difficult to establish a single point of blocking. The C2 servers communicated using HTTP and HTTPS for encrypted traffic, and during our investigation, we detected connections to domains such as example-c2.com and payload-delivery.com. Notably, the beaconing behavior occurred at regular intervals, revealing the actor’s intention to maintain consistent communications without raising immediate suspicion.
Lateral Movement & Discovery
As part of its wider attack strategy, Emotet facilitates lateral movement using techniques such as Windows Admin Shares (T1077) and Windows Remote Management (T1021). We discovered evidence of attempts to access shares on other machines in the network using stolen credentials gathered during the initial infection phase. Additionally, the implant queried the net localgroup Administrators command, evidently seeking to elevate privileges further and expand its access throughout the compromised environment. This phase demonstrated the urgent need for proactive monitoring of user access and anomalous behavior within networks.
Impact & Objectives
The primary objective of the Emotet malware in this campaign appears twofold: first, to facilitate a secondary payload delivery from other malware families such as Ransomware and Banking Trojans, and second, to gather intelligence on the infected networks. Our findings indicated that after establishing lateral movement, the actors initiated a data exfiltration process targeting sensitive documents, potentially leading to severe reputational damage and economic loss for the victims. Notably, the sheer adaptability of Emotet allows it to serve as a distribution mechanism for future attacks, positioning it as a significant threat within the cyber threat landscape.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Emotet uses HTTP/S for communications to evade detection.
- T1055 – Process Injection: The malware injects code into legitimate processes to maintain an active presence.
- T1077 – Windows Admin Shares: Lateral movement through administrative shares on the network.
Detection Opportunities
- Monitor for unusual registry keys under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\. - Implement email filtering to identify and block known malicious attachments and links commonly used in phishing campaigns.
- Analyze network traffic for unusual outbound connections, particularly to newly registered or suspicious domains.
Analyst Notes
The resurgence of Emotet underscores the necessity for ongoing vigilance and adherence to best practices in both prevention and incident response. Recognizing the tell-tale signs of initial access, coupled with the capacity to analyze and dissect C2 communications, can significantly enhance detection efficacy within an organization. Considering Emotet’s adaptability and its association with other malware families, an integrated threat intelligence approach will prove invaluable in anticipating subsequent waves of attacks.
Source: Original Report