Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- Emotet continues to leverage living-off-the-land tactics, utilizing existing software like PowerShell for execution.
- The actor demonstrates advanced obfuscation techniques to evade detection, including encrypted payloads and multi-stage delivery mechanisms.
- Command and control (C2) communication patterns indicate a shift towards decentralized infrastructure, utilizing both HTTP and HTTPS protocols for beaconing.
Executive Summary
During our investigation into a recent Emotet campaign, we observed a sophisticated execution strategy that involved initial access through phishing emails containing malicious attachments. Our analysis revealed that the malware not only executes its primary payload but also incorporates capabilities for lateral movement, data exfiltration, and enhanced persistence. This post will delve into the step-by-step tactics, techniques, and procedures (TTPs) observed in this attack chain.
Initial Access
The patient analysis began with our identification of multiple phishing emails targeting employees of various organizations. Each email contained a malicious attachment, typically a Microsoft Word document or Excel spreadsheet, designed to trick users into enabling macros. Upon opening the document and enabling macros, the user unknowingly executed a PowerShell script embedded within, which initiated further downloads of the Emotet malware. The initial beaconing occurred within seconds, demonstrating the actor’s intentional rapid escalation.
Execution & Persistence
After the initial access, the sample we examined utilized PowerShell for both execution and persistence. The malware employed the New-Object -ComObject WScript.Shell command to write malicious scripts to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup directory, ensuring that the payload would execute on system boot. Furthermore, our analysis uncovered that Emotet can modify the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key to ensure persistence across reboots. This combination of techniques effectively creates a robust foothold in the victim system.
Command and Control
The observed behavior during our investigation indicated a dual-layered C2 infrastructure. Initially, the dropped payload communicated with a hardcoded list of domains, resulting in rapid domain generation patterns that shifted frequently to avoid detection. The URLs utilized both HTTP and HTTPS protocols, showcasing an evolved C2 strategy that assists the actor in blending in with normal web traffic. During the beaconing phase, not only were HTTP requests made, but these requests were also encoded and encrypted, complicating pattern recognition and signature-based detection methods.
Lateral Movement & Discovery
Once the implant was established, the actor employed standard Windows administrative tools to facilitate lateral movement within the network. Specifically, we noted the execution of Windows Management Instrumentation (WMI) commands, such as WMIC.exe, to discover other hosts and further distribute the malware. This enabled the actor to maintain a level of access that allowed them to deploy additional payloads silently. The use of legitimate administrative tools for lateral movement aligns with the living-off-the-land TTPs, making detection more challenging for security teams.
Impact & Objectives
Throughout our investigation, it became clear that the ultimate objectives behind this Emotet campaign were twofold: initial data exfiltration and the delivery of secondary payloads. Emotet is often a precursor to ransomware, and our findings corroborated this as we observed network traffic indicating data being compressed and exfiltrated to external locations. The malign actor’s effective use of encryption helped to shield the details of the stolen data, raising critical concerns for organizations affected by the attack.
MITRE ATT&CK Mapping
- T1193 – Phishing: Malicious attachments in emails target users to gain initial access.
- T1059.001 – PowerShell: Execution of PowerShell commands to facilitate malware execution.
- T1047 – Windows Management Instrumentation: Used for lateral movement within the network.
- T1071.001 – Application Layer Protocol: Utilizing HTTP/HTTPS for C2 communication.
Detection Opportunities
- Monitor for anomalous PowerShell command executions, especially those involving encoded scripts or unusual execution patterns.
- Implement email filtering solutions to flag or block emails with known malicious attachments based on threat intelligence.
- Review modifications of the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runregistry key for unauthorized entries.
Analyst Notes
This investigation highlights the continuing evolution of Emotet and its persistent threat to enterprises. The combination of living-off-the-land tactics, sophisticated C2 mechanisms, and advanced obfuscation techniques make it essential for organizations to adopt a multi-layered defense-in-depth strategy. Without proper monitoring and early detection of indicators of compromise (IOCs), organizations remain vulnerable to such advanced threats.
Source: Original Report