Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- Emotet is leveraging advanced evasion techniques and polymorphic payloads to ensure successful delivery and execution.
- The campaign demonstrates sophisticated lateral movement tactics using Windows Management Instrumentation (WMI) for reconnaissance and initial compromise.
- Indicators of Compromise (IOCs) include multiple C2 domains and unique file hashes associated with the Emotet dropper.
Executive Summary
During our investigation of the recent surge in Emotet activities, we observed an alarming uptick in highly targeted phishing campaigns aimed at financial institutions. Our analysis revealed that the actors behind this campaign are deploying various social engineering tactics to craft messages that effectively lure users into downloading malicious attachments. The malware itself relies heavily on modular components, allowing it flexibility in delivering payloads based on the environment it infiltrates.
Initial Access
Initial access was predominantly achieved via spear-phishing emails containing documents that utilized macros to execute malicious scripts. Specifically, we noted the use of Word documents saved with the “.docm” extension, which often included embedded VBA code designed to download the Emotet dropper. The documents directed users to enable macros under the pretense of obtaining required document access, a common tactic we recognized during the analysis.
Execution & Persistence
Once executed, the Emotet dropper establishes persistence primarily through the modification of registry keys. Our investigation identified the following key registry path associated with persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ in which the dropper creates an entry for its executable to ensure regeneration upon system reboot. Emotet employs a variety of polymorphic techniques to alter the executable’s hash with each instance, making detection significantly challenging.
Command and Control
Following successful installation, the malware initiates communication with its Command and Control (C2) infrastructure. Notably, during our analysis, we recorded several C2 domains displaying rapid flux behavior, which is characteristic of Emotet’s operational methods. The recurring use of Domain Generation Algorithms (DGA) made it difficult to pin down specific endpoints due to their regular updates. Commands issued from these domains include directives to download additional payloads or update existing ones.
Lateral Movement & Discovery
The actors showcased impressive lateral movement capabilities through the use of WMI for reconnaissance and the deployment of tools like Mimikatz for credential harvesting. Post-compromise, we determined that environments were subjected to extensive querying for system information and network shares, leading to the exfiltration of sensitive data. The malware’s ability to leverage existing administrative credentials effectively raised the stakes, allowing the actor to pivot across systems with relative ease.
Impact & Objectives
The primary objective of this campaign appears centered around financial theft and data exfiltration. During our investigation, we cataloged numerous instances of financial data compromise, highlighting the adversary’s goals of accessing banking credentials and executing fraudulent transactions. Some organizations reported significant interruptions to business operations as a result of the malware’s activities, stemming from data breaches and subsequent remediation efforts.
MITRE ATT&CK Mapping
- T1566 – Phishing: Use of malicious attachments to gain initial access.
- T1059 – Command and Scripting Interpreter: Execution of VBA scripts to trigger the malware.
- T1071 – Application Layer Protocol: Emotet leveraging HTTP/S for C2 communication.
- T1021 – Remote Services: Utilization of WMI for lateral movement.
- T1110 – Brute Force: Exploiting weak credentials to escalate privileges.
Detection Opportunities
- Monitor for the creation or modification of registry keys under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\to identify persistence mechanisms. - Network traffic analysis for connections to known Emotet C2 domains, especially those that exhibit DGA behavior.
- Implement logging and alerts on the execution of VBA scripts in Office documents, particularly those sourced from untrusted domains.
Analyst Notes
Our analysis underlines the persistent threat that Emotet poses to organizations worldwide. The actor’s adept use of phishing tactics coupled with sophisticated evasion methods emphasizes the necessity for ongoing vigilance and robust security measures. Organizations must ensure comprehensive training for employees to recognize and report suspicious emails while employing advanced endpoint detection and response (EDR) solutions that can identify polymorphic behavior within their networks.
Source: Original Report