While the return of malicious threat actors (sometimes with new names) is common, the return of Emotet malware only 10 months after a takedown has cybersecurity operations on alert.
In 2014, the Mealybug group’s Emotet malware began its malicious journey as a banking trojan. Often weaponized with worm capabilities, it was first uncovered by threat analyst Joie Salvio. Since then, we’ve watched it learn new tricks and morph repeatedly on its way to becoming part of the gang’s Malware-as-a-Service crimeware ring, selling its services to cybercrime gangs such as Ryuk.
Over time, this botnet earned its reputation as being a very dangerous threat to multiple industries, and now a resurgent Emotet version is spreading again.
Emotet Malware’s Resurgence
In early 2021, activity from Emotet dropped off after Eurojust, Europol, and international partners executed a takedown of the malware, arresting several Ukrainian nationals responsible for its supporting infrastructure.
A late 2021 report from security researcher Luca Ebach describes how Emotet is leveraging the infamous TrickBot malware as an entry point to spread a newer version of itself on previously infected systems.
It has since spread across 179 nations, infecting roughly 130,000 systems. While this is nothing compared to its previous record of infections, it is a testament to its disturbing resilience.
Since November, analysts and threat hunting teams have been busy tracking Emotet’s new tricks and movement. This resurgence comes with many new TTPs that all organizations should be prepared for.
Methods of Infection
The pretext that Emotet most recently leverages is an IRS-branded phishing campaign. The emails masquerade as the IRS, sending the recipient their 2021 Tax Return, W-9s, or other tax documents that are usually needed during the tax season.
Historically, Emotet has been known to imitate familiar brands such as PayPal and DHL to appear authentic to recipients. Using the IRS brand during tax season is merely another well-timed opportunity for the malware group.
Generally, the Emotet malware is spread using attached Word or Excel documents containing malicious macros. If the recipient opens one, they are tricked into enabling the macros, which then download the Emotet malware onto the computer. While Emotet mainly uses Excel spreadsheets attached to its email campaigns, it has also been observed leveraging password-protected zip archives.
While Emotet has employed cloud storage links in the past, the use of OneDrive URLs is a new addition. The URLs point to hosted zip archives containing Microsoft Excel Add-in (XLL) files which, once extracted and opened, execute code just as macros would and infect the target. The difference is that many organizations disable VBA macros by default, and Microsoft recently announced it would make this the default behavior of Office apps.
In the macro-based version of the infection, Emotet displays a fake Microsoft 365 prompt stating “THIS DOCUMENT IS PROTECTED,” instructing target users on how to enable macros.
Emotet propagates through malspam, leveraging several classic methods such as malicious scripts, phishing links, and macro-enabled files.
In December 2021, an Emotet phishing campaign including links to install a fake Adobe Windows app was observed by analysts. Then, after a brief holiday, the threat actor returned to attachment-based phishing campaigns.
Emotet Malware’s Target Victims
Since its resurgence in November, the malware ranks 7th on the Infosec Institute’s malware list.
Emotet threat actors are targeting education, communication, government, healthcare, financial, and most recently, automotive sectors. Basically, everyone.
Security firms are issuing alerts that several auto manufacturers are infected with Emotet, which is often used as an infection vector to drop ransomware.
What’s New About Emotet Malware?
When the Emotet botnet infrastructure was taken down in January 2021, its main operation was delivering dangerous malware such as TrickBot, Ryuk ransomware, and others.
Since its return, there are new upgrades in the mix. For example, it now uses elliptic curve cryptography and has improved its control-flow flattening, an obfuscation technique used to evade detection. It uses Windows application installer packages that imitate legitimate software. As one of its new payloads in current campaigns, it installs Cobalt Strike Beacons.
Emotet malware now uses an evolved execution chain. Recent changes include a switch from an .exe file to a .dll file for the Emotet binary; the .dll is loaded using the Rundll32 process. The weaponized Microsoft Office documents now also display fake error messages.
Elliptic Curve Cryptography (ECC) replaces the RSA encryption Emotet used for validation and network traffic protection.
After a connection with a C2 server has been established, the new Emotet version installs a process list module. Its enhanced info-gathering capabilities now allow for better target system profiling. Previously, Emotet was limited in the information it gathered and could only send back a list of running processes.
MITRE ATT&CK Emotet Mapping
MITRE ATT&CK is recognized as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations by threat hunters and cybersecurity analysts. Cybersecurity analysts and threat hunters rely on the ATT&CK framework to map out APTs and malicious threats to improve detection in their systems.
Current ATT&CK mapping for Emotet malware includes the following tactics and techniques:
Technique ID | Technique |
T1010 | Application Window Discovery |
T1012 | Query Registry |
T1018 | Remote System Discovery |
T1055 | Process Injection |
T1036 | Masquerading |
T1057 | Process Discovery |
T1082 | System Information Discovery |
T1083 | File and Directory Discovery |
T1518 | Security Software Discovery |
T1547 | LSASS Driver |
T1218 | Rundll32 |
T1562 | Disable or Modify Tools |
T1564 | Hidden Files and Directories |
Indicators of Compromise (IOCs)
IOCs for the Emotet malware as of February 2022:
IOC | Notes |
c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01 | Reference sample |
015a96c0567c86af8c15b3fe4e19098ae9d0ea583e6bc0bb71c344fc993a26cf | Spam Attachment |
2b8055ca8b0f93226b13f15ca83adf41 c21dc4862bb7ea6ae402460196879906 e20a84c502004bfdaf94c6e356595907 | XLS maldoc files hashes |
C:\Windows\system32\cmd.exe /c ""C:\Sandbox\analyst\DefaultBox\user\all\jledshf.bat" " | Captured by CMDWatcher after enabling macros (first command) |
"C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd | Captured by CMDWatcher after enabling macros (second command, loading the Emotet DLL via rundll32) |
jledshf.bat (found in C:\Users\all\), MD5 e869dd1a602a7f0cbbefb7a018cd1253; wetidjks.vbs (found in C:\Users\all\), MD5 dd3db5e3dfe696a3de4220f803efe671 | Embedded dropped files |
Renewed Vigilance for Emotet
Emotet has been very active since its resurgence and changes its tactics and techniques rapidly to avoid detection. Be aware that the new strain uses multiple new stages, different file types, changed deployment methods, and obfuscated scripts before Emotet even gets to its final payload.
Organizations seeking to build a robust defense for the new Emotet should be aware of its revised techniques and update any detections previously put in place.