{"id":2436,"date":"2024-09-25T18:14:12","date_gmt":"2024-09-25T18:14:12","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2436"},"modified":"2025-07-29T03:43:47","modified_gmt":"2025-07-29T03:43:47","slug":"emotet-the-terror-returns","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/emotet-the-terror-returns\/","title":{"rendered":"Emotet: The Terror Returns"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Picture1.webp\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>After lying dormant since February 2020, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Emotet\" target=\"_blank\" rel=\"noopener\">Emotet<\/a> is back with a vengeance: its malspam campaigns surged sharply through September 2020 and the first week of October 2020. This led <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-280a\" target=\"_blank\" rel=\"noopener\"><strong>CISA<\/strong> to release an official alert (AA20-280A)<\/a> about the Emotet botnet\u2019s return.<\/p>\n\n\n\n<p>In the latest malspam campaign we analysed, the emails have a financial theme and arrive as replies to an earlier transaction, using fake payment remittance notices, invoice attachments or payment details. 
We also noticed that this time around the lure relies on VBA macros that launch PowerShell: users are tricked into opening an attached document and enabling macros, which runs an obfuscated PowerShell command that attempts to download Emotet from compromised websites.<\/p>\n\n\n\n<p>Furthermore, Emotet is now targeting legitimate websites running WordPress themes with an arbitrary file upload vulnerability: neither the server nor the theme code checks the type of the uploaded file, so the attacker can upload a backdoor script, and because the upload folder is directly accessible from the web, that script can be reached and executed afterwards.<\/p>\n\n\n\n<p>Based on LMNTRIX Threat Intelligence, the following regions have been the main targets in the phishing campaigns associated with Emotet.<\/p>\n\n\n<div class=\"wp-block-image wp-image-1615 size-large\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"497\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/emotet-global-map-1024x497-1.webp\" alt=\"\" class=\"wp-image-2443\"\/><figcaption class=\"wp-element-caption\"><em><span style=\"font-size: 16px;\"><strong>Fig 1:<\/strong> Emotet malware campaign targeting countries across the globe<\/span><\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p>Emotet now also operates as Malware-as-a-Service (MaaS): other malware groups rent access to Emotet-infected computers and use it to deliver further payloads such as the TrickBot Trojan and Ryuk ransomware.<\/p>\n\n\n<div class=\"wp-block-image wp-image-1611 size-large\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"1024\" height=\"561\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/EMOTET-e1602472930495-1024x561-1.webp\" alt=\"\" class=\"wp-image-2442\"\/><figcaption class=\"wp-element-caption\"><em><strong>Fig 2:<\/strong> Emotet in Action<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p>The <a href=\"https:\/\/lmntrix.com\/cdc\/\">LMNTRIX Cyber Defence Center<\/a> 
has detected the following samples across different client networks and has helped those clients mitigate the threat using Active Defence protections. Two of these samples are described below:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Sample 1<\/strong><\/h3>\n\n\n\n<p>MD5:&nbsp; 9d221f86f2f325f5e2625cd21de3d335<\/p>\n\n\n\n<p>Filename:&nbsp; REP_RGMWSRXWSM4Z9TO.doc<\/p>\n\n\n\n<p>Location:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"300\" height=\"20\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/emotet-sample-1-300x20-1.webp\" alt=\"\" class=\"wp-image-2444\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/emotet-sample-1-300x20-1.webp 300w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/emotet-sample-1-300x20-1-280x20.webp 280w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<p>The malicious Word file contains VBA macro code that runs automatically when the document is opened with macros enabled. 
The macro code performed multiple suspicious actions upon execution \u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Launches a further obfuscated PowerShell command<\/li>\n\n\n\n<li>Drops the Emotet payload under C:\\Users\\&lt;username&gt;\\zwL6MUI\\oVCdBxs\\ (MD5: 2151719197adfd4ed1e97422f5dd1c32)<\/li>\n\n\n\n<li>Emotet copies itself to C:\\Users\\&lt;username&gt;\\AppData\\Local\\&lt;random&gt;\\<\/li>\n\n\n\n<li>Connects to its command-and-control (C2) servers<\/li>\n\n\n\n<li>Adds an autorun key to the registry to maintain persistence<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Sample 2<\/strong><\/h3>\n\n\n\n<p>MD5: f1ea1131ad723a81dbf1bf00eea07504<\/p>\n\n\n\n<p>Filename: FILE_YQ4375503148YM.doc<\/p>\n\n\n\n<p>Location:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"31\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/emotet-sample-2-300x31-1.webp\" alt=\"\" class=\"wp-image-2445\"\/><\/figure>\n\n\n\n<p>The malicious Word file contains VBA macro code that runs automatically when the document is opened with macros enabled. 
The macro code performed multiple suspicious actions upon execution \u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Launches a further obfuscated PowerShell command<\/li>\n\n\n\n<li>Drops the Emotet payload under C:\\Users\\&lt;username&gt;\\Xb1rqmo\\Cj2z2jp\\ (MD5: a21f579180ab87e5e4bcffec3d5394ce)<\/li>\n\n\n\n<li>Emotet copies itself to C:\\Users\\&lt;username&gt;\\AppData\\Local\\&lt;random&gt;\\<\/li>\n\n\n\n<li>Connects to its command-and-control (C2) servers<\/li>\n\n\n\n<li>Adds an autorun key to the registry to maintain persistence<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>MITRE ATT&amp;CK MAPPING for Emotet (ID: S0367)<\/strong><\/h3>\n\n\n<div class=\"wp-block-image wp-image-1620 size-full\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"369\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/emotet-attack-mapping-1024x369.webp\" alt=\"\" class=\"wp-image-2441\"\/><figcaption class=\"wp-element-caption\"><em><strong>Fig 3:<\/strong> Emotet ATT&amp;CK mapping<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>CAPABILITIES<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Information Theft: Yes<\/li>\n\n\n\n<li>Rootkit Capability: Yes<\/li>\n\n\n\n<li>File Infection: Yes<\/li>\n\n\n\n<li>Propagation: Yes<\/li>\n\n\n\n<li>Download Routine: Yes<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>IMPACT<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compromises system security &#8211; backdoor capabilities allow the operators to execute arbitrary commands on the host.<\/li>\n\n\n\n<li>Violates user privacy &#8211; gathers and steals user credentials from various applications.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>DETECTION RULES<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/www.cisecurity.org\/ms-isac\/\" target=\"_blank\" rel=\"noopener\">MS-ISAC<\/a> developed the following Snort signature for detecting network activity associated with Emotet 
C2 communication.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET 443 (msg:&quot;[CIS] Emotet C2 Traffic Using Form Data to Send Passwords&quot;; content:&quot;POST&quot;; http_method; content:&quot;Content-Type|3a 20|multipart\/form-data|3b 20|boundary=&quot;; http_header; fast_pattern; content:&quot;Content-Disposition|3a 20|form-data|3b 20|name=|22|&quot;; http_client_body; content:!&quot;------WebKitFormBoundary&quot;; http_client_body; content:!&quot;Cookie|3a|&quot;; pcre:&quot;\/:?(chrome|firefox|safari|opera|ie|edge) passwords\/i&quot;; reference:url,cofense.com\/flash-bulletin-emotet-epoch-1-changes-c2-communication\/; sid:1; rev:2;)<\/code><\/pre>\n\n\n\n<p>Two practical notes before deploying it: the rule matches plaintext HTTP on TCP port 443 using the HTTP content buffers, so the HTTP preprocessor must be configured to inspect that port, and it will not see form data carried inside TLS; and <code>sid:1<\/code> is a placeholder that should be changed to a SID in your local range (1000000 or above) so it does not collide with vendor rules.<\/p>\n\n\n\n<p>In conclusion, Emotet has long been used by major threat actor groups as a delivery platform for everything from banking Trojans to ransomware on victims\u2019 machines and networks. The resurgence of such campaigns through a well-established delivery partner like Emotet paints a grim picture of the malware trends we expect for the rest of 2020. Our recommendation is to keep the signatures and detection content from your security vendors up to date so that both old and new Emotet variants are detected, and to remind users through awareness training to be extra careful before clicking unknown links or opening unexpected documents, particularly those that ask them to enable macros.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After lying dormant since February 2020, Emotet is back with a vengeance, with a significant surge in the variant&rsquo;s malware campaign during September 2020 and the first week of October 2020. This has led CISA to release an official warning about the Emotet botnet&rsquo;s return. 
In this latest malspam campaign we analysed, the emails have [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2453,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2436","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2436"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2436\/revisions"}],"predecessor-version":[{"id":4257,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2436\/revisions\/4257"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2453"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2436"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}