Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- Attackers leveraged phishing emails to distribute Emotet, allowing initial access to target networks.
- Post-infection, TrickBot was used to establish persistence and lateral movement across the environment.
- The threat actor’s ultimate objective appeared to be data exfiltration and potential ransomware deployment.
Executive Summary
During our analysis of a recent cybersecurity incident, we observed a sophisticated attack chain characterized by the combination of two prominent malware families: Emotet and TrickBot. This attack initiated through carefully crafted phishing emails targeting employees within a financial institution. The embedded macros in the Office documents served as a dropper for Emotet, which subsequently facilitated the deployment of TrickBot. This investigation highlights the techniques used for initial access, execution, persistence, command and control (C2), lateral movement, and the ultimate objectives of the threat actors involved.
Initial Access
Our investigation revealed that the initial access vector was a phishing campaign aimed at credential harvesting. The attackers sent emails that appeared to originate from trusted vendors, carrying malicious Office documents as attachments. The payload, embedded in the documents' macros, executed when target users enabled content within their Office applications. The macros made HTTP requests to download Emotet binaries from a command and control server and executed the malware silently.
Execution & Persistence
Once Emotet was installed, it began establishing persistence. We noted that the malware dropped its executable under the path C:\Users\Public\Documents\ms.exe. This executable was added to the Windows Task Scheduler, ensuring it would run at startup. Concurrently, TrickBot was deployed as a secondary payload, which further solidified the attacker’s foothold. This involved creating registry keys at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, ensuring persistence through system reboots.
Command and Control
Diving deeper into the command and control mechanisms, our analysis indicated that the malware frequently beaconed to the C2 infrastructure, employing various domains to evade detection. The attackers utilized fast-flux techniques, frequently changing the IP addresses associated with the domains to maintain connectivity. We identified a series of domains such as exfiltrade[.]com, which served as beacons for the malware and facilitated remote commands and updates. Moreover, the use of encrypted communication channels added another layer, preventing easy detection and interception of data.
Lateral Movement & Discovery
After establishing an initial foothold, the actor utilized Lateral Movement techniques outlined in the MITRE ATT&CK framework. We observed that SMB/Windows Admin Shares were targeted to propagate across the network. The Remote Procedure Call (RPC) was exploited to execute commands on remote machines, effectively installing TrickBot on additional workstations. Additionally, we found the actor leveraging stolen credentials obtained through Credential Dumping. This enabled them to traverse the network stealthily, expanding their control over multiple machines.
Impact & Objectives
The ultimate objectives of the attackers became clearer as we uncovered evidence of data collection and potential exfiltration. Specific types of data targeted included financial records, personally identifiable information (PII), and passwords. Moreover, we theorized that the attackers were laying the groundwork for ransomware deployment, given the infrastructure associated with TrickBot, which has been used for such attacks in the past. While we didn’t find conclusive evidence of ransomware being deployed during this campaign, the configuration of the malware hinted at future disruptive operations.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Malware communicates through standard web protocols to exfiltrate data.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Uses PowerShell scripts to execute malicious commands.
- T1075 – Pass the Hash: Credential dumping used to gain access to additional systems.
Detection Opportunities
- Monitoring outbound network traffic for suspicious domain lookups commonly associated with known C2 domains.
- Implementing SIEM rules to detect anomalous Task Scheduler job creations, particularly those referencing paths such as C:\Users\Public\Documents\ms.exe.
- Utilizing endpoint detection tools to flag any unusual use of SMB/WinRM or PowerShell execution patterns that deviate from operational baselines.
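The following is an added example, not part of the original report, showing how the detection opportunities above (and the persistence and C2 behaviour described in the Execution & Persistence and Command and Control sections) could be expressed as rules run over endpoint telemetry. It takes Sysmon-style process, registry and DNS events, flags scheduled tasks whose action runs from the C:\Users\Public tree (a generalization of the ms.exe path named in the report), flags writes under the HKCU Run key, matches lookups of the C2 domain named in the report, and applies a simple fast-flux heuristic (one name resolving to many distinct addresses). The event field layout, hostnames, IP addresses and the fast-flux threshold are assumptions constructed for the example; the file path, Run key and domain are the report's own indicators.

```python
"""Added example (not from the original report): a small detection pass over
constructed Sysmon-style events implementing the detection opportunities
listed in the report. Event layout, hosts, IPs and thresholds are constructed."""
import re
from collections import defaultdict

# Indicators taken from the report (the domain is written defanged there).
EMOTET_DROP_PATH = r"C:\Users\Public\Documents\ms.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_C2_DOMAINS = {"exfiltrade[.]com"}
# Assumption: a name resolving to this many distinct IPs in one batch is treated as fast-flux.
FAST_FLUX_MIN_IPS = 4


def refang(domain):
    """Turn a defanged indicator such as exfiltrade[.]com into a matchable name."""
    return domain.replace("[.]", ".").lower()


def detect_scheduled_task(event):
    """Flag schtasks.exe creating a task whose action (quoted /tr argument) runs
    from the world-writable C:\\Users\\Public tree; ms.exe is the report's case."""
    if event.get("type") != "process":
        return None
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = event["cmdline"]
    action = re.search(r'/tr\s+"([^"]+)"', cmd, re.IGNORECASE)
    if "/create" in cmd.lower() and action and \
            action.group(1).lower().startswith("c:\\users\\public\\"):
        return {"rule": "persistence.schtask.public_path",
                "host": event["host"], "evidence": action.group(1)}
    return None


def detect_run_key(event):
    """Flag any value written under the HKCU Run key (Sysmon event 13 style)."""
    if event.get("type") != "registry":
        return None
    if event["target"].lower().startswith(RUN_KEY.lower()):
        return {"rule": "persistence.registry.run_key",
                "host": event["host"], "evidence": event["details"]}
    return None


def detect_dns(events):
    """Batch DNS checks: exact hits on known C2 domains, then the fast-flux heuristic."""
    alerts = []
    answers, hosts = defaultdict(set), defaultdict(set)
    c2_names = {refang(d) for d in KNOWN_C2_DOMAINS}
    for ev in events:
        if ev.get("type") != "dns":
            continue
        name = ev["query"].lower()
        answers[name].add(ev["answer"])
        hosts[name].add(ev["host"])
        if name in c2_names:
            alerts.append({"rule": "c2.known_domain", "host": ev["host"],
                           "evidence": f"{name} -> {ev['answer']}"})
    for name, ips in answers.items():
        if len(ips) >= FAST_FLUX_MIN_IPS:
            for host in sorted(hosts[name]):
                alerts.append({"rule": "c2.fast_flux", "host": host,
                               "evidence": f"{name} resolved to {len(ips)} distinct IPs"})
    return alerts


def run_detections(events):
    """Run every rule over the batch and return alerts in a deterministic order."""
    alerts = []
    for ev in events:
        for rule in (detect_scheduled_task, detect_run_key):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(detect_dns(events))
    return alerts


# Constructed sample telemetry (hostnames and IPs are documentation ranges, not real).
SAMPLE_EVENTS = [
    {"type": "process", "host": "FIN-WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\Documents\ms.exe" /sc onstart'},
    {"type": "process", "host": "FIN-WS02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "Backup"'},
    {"type": "registry", "host": "FIN-WS01", "target": RUN_KEY + r"\TrickBot",
     "details": EMOTET_DROP_PATH},
    {"type": "registry", "host": "FIN-WS02",
     "target": r"HKEY_CURRENT_USER\Software\Vendor\Settings", "details": "1"},
    {"type": "dns", "host": "FIN-WS01", "query": "exfiltrade.com", "answer": "203.0.113.10"},
    {"type": "dns", "host": "FIN-WS01", "query": "exfiltrade.com", "answer": "203.0.113.11"},
    {"type": "dns", "host": "FIN-WS01", "query": "exfiltrade.com", "answer": "198.51.100.7"},
    {"type": "dns", "host": "FIN-WS01", "query": "exfiltrade.com", "answer": "198.51.100.8"},
    {"type": "dns", "host": "FIN-WS02", "query": "updates.example.net", "answer": "192.0.2.5"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"{alert['rule']:<34} {alert['host']:<9} {alert['evidence']}")
```

Run as a script it prints one line per alert; in practice the rule functions would sit behind a SIEM or EDR query rather than a Python loop, but the matching logic (task action path prefix, Run-key prefix, C2 domain set, distinct-IP count per name) carries over directly. The fast-flux threshold should be tuned against a baseline, since CDNs and large services legitimately resolve to many addresses.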
Analyst Notes
This incident underscores the continuous evolution of phishing tactics combined with robust malware capabilities. The use of Emotet and TrickBot together demonstrates a layered approach that not only gains initial access but also establishes long-term persistence with the potential for significant damage. Organizations should review and enhance their email security protocols, implement user awareness training, and continuously monitor for the indicators of compromise associated with these threats. Regular updates to endpoint security tools are crucial to counteract these sophisticated attack methodologies.
Source: Original Report