Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- Emotet continues to evolve, leveraging complex delivery mechanisms and modular payload architecture.
- The malware exhibits sophisticated Command and Control (C2) capabilities to maintain persistence and evade detection.
- Timely incident response is critical as Emotet targets organizations through phishing campaigns and subsequent lateral movement strategies.
Executive Summary
During our investigation of the latest Emotet campaign, we observed distinct shifts in the malware’s delivery and operational tactics compared to previous iterations. This campaign highlights the persistent threat posed by Emotet, utilizing a mix of social engineering tactics and modular design for its payloads. Our analysis revealed a robust infrastructure standing behind these campaigns, focusing heavily on evasion techniques and lateral movement strategies to achieve its objectives.
Initial Access
Initial access in this campaign was predominantly achieved through well-crafted phishing emails, which contained malicious attachments. We identified several instances in which the emails employed social engineering techniques, including impersonating trusted sources. Upon execution of the malicious document, VBA macros initiated a series of commands that downloaded the central payload from a remote server. The phishing emails typically utilized themes relevant to current events that drew the attention of potential victims, effectively tricking users into enabling macros.
Execution & Persistence
The sample we examined utilized a payload based on a modular architecture to execute the dropper, which then fetched additional components from its C2 servers. Specifically, the dropper writes the binary to the Windows temporary directory, commonly C:\Users\, and executes it from there. We noted registry keys being modified to ensure persistence on the infected system as it creates new values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. The entries had names like update and system, which pointed to the main executable, facilitating its startup every time the user logs into the system.
Command and Control
For its C2 communications, Emotet has shown ingenuity in employing multiple layers of indirection. During our analysis, we observed that the malware utilized domain generation algorithms (DGAs) to regularly change its command and control endpoints. The sample we investigated communicated with domains that had recently been registered, indicating a dynamic approach to evade detection and take down efforts. Communication typically occurred over HTTPS, making it challenging for traditional security infrastructures to inspect the traffic. Specific URLs were frequently noted, which might be leveraged for additional payload deliveries or exfiltration of data.
Lateral Movement & Discovery
After establishing a foothold on the target workstation, Emotet executed lateral movement techniques to deploy its payload across the network. We observed the use of T1077 – Windows Admin Shares to access other devices on the network. Utilizing Windows Management Instrumentation (WMI) and tools such as PowerShell for remote commands, the actor was able to spread rapidly. The malware also gathered information about the network environment, executing reconnaissance commands like net view and ipconfig, to locate other potential targets.
Impact & Objectives
Ultimately, the goal of the Emotet campaign we analyzed appeared to be the deployment of more significant payloads, such as ransomware or credential-stealing malware, on the compromised hosts. The actor aimed to establish a stronghold in the victim’s environment, facilitating further gains through either data exfiltration or disruption of services. The flexibility of the Emotet infrastructure allows it to act as a delivery mechanism for other types of malware, increasing the potential impact on compromised organizations significantly.
MITRE ATT&CK Mapping
- T1566 – phishing: Emotet primarily gains initial access through phishing emails containing malicious attachments.
- T1059.001 – PowerShell: The implant uses PowerShell for command execution during installation and lateral movement.
- T1071.001 – Application Layer Protocol: Web Protocols: C2 communication occurs over HTTPS.
Detection Opportunities
- Monitor for unusual registry modifications under
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. - Implement detection rules to identify the execution of VBA macros from email attachments.
- Track known malicious hashes and URLs associated with Emotet campaigns in your SIEM.
Analyst Notes
The resurgence of Emotet emphasizes the need for continuous vigilance in organizational defenses. Regular training on identifying phishing attempts and monitoring for anomalous network behavior are essential to mitigate these threats. As the tactics evolve, so too must our detection and response capabilities to keep pace with the ever-changing landscape of cyber threats.
Source: Original Report