Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[1]

ID: S0367
Associated Software: Geodo
Type: MALWARE
Platforms: Windows
Contributors: Omkar Gudhate
Version: 1.6
Created: 25 March 2019
Last Modified: 09 July 2024

Associated Software Descriptions

Name Description
Geodo [2]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Emotet has used WMI to execute powershell.exe.[3]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Emotet has been observed dropping browser password grabber modules.[2][4]

Enterprise T1036.004 Masquerading: Masquerade Task or Service

Emotet has installed itself as a new service with the service name Windows Defender System Service and display name WinDefService.[5]

Enterprise T1543.003 Create or Modify System Process: Windows Service

Emotet has been observed creating new services to maintain persistence.[6][7][5]

Enterprise T1573 Encrypted Channel

Emotet has encrypted data before sending to the C2 server.[8]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Emotet is known to use RSA keys for encrypting C2 traffic.[2]

Enterprise T1620 Reflective Code Loading

Emotet has reflectively loaded payloads into memory.[5]

Enterprise T1140 Deobfuscate/Decode Files or Information

Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.[5]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.[9][6][10]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.[9][2][10][11][3]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Emotet has used cmd.exe to run a PowerShell script.[10]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Emotet has sent Microsoft Word documents with embedded macros that invoke scripts to download additional payloads.[9][12][2][10][3]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Emotet has used HTTP for command and control.[5]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Emotet has been observed dropping and executing password grabber modules including Mimikatz.[2][13]

Enterprise T1132.001 Data Encoding: Standard Encoding

Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server.[5] Additionally, Emotet has used Base64 to encode data before sending it to the C2 server.[8]

Enterprise T1110.001 Brute Force: Password Guessing

Emotet has been observed using a hard-coded list of passwords to brute force user accounts.[14][9][6][7][15][5]

Enterprise T1078.003 Valid Accounts: Local Accounts

Emotet can brute force a local admin password, then use it to facilitate lateral movement.[14]

Enterprise T1552.001 Unsecured Credentials: Credentials In Files

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the currently logged-on user.[6][15]

Enterprise T1106 Native API

Emotet has used CreateProcess to create a new process to run its executable and WNetEnumResourceW to enumerate non-hidden shares.[5]

Enterprise T1570 Lateral Tool Transfer

Emotet has copied itself to remote systems using the service.exe filename.[5]

Enterprise T1027.001 Obfuscated Files or Information: Binary Padding

Emotet inflates malicious files and malware as an evasion technique.[16]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

Emotet has used custom packers to protect its payloads.[2]

Enterprise T1027.009 Obfuscated Files or Information: Embedded Payloads

Emotet has dropped an embedded executable at %Temp%\setup.exe.[5] Additionally, Emotet may embed entire code into other files.[13]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts.[12][2][10][17]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Emotet uses obfuscated URLs to download a ZIP file.[16]

Enterprise T1204.001 User Execution: Malicious Link

Emotet has relied upon users clicking on a malicious link delivered through spearphishing.[1][3]

Enterprise T1204.002 User Execution: Malicious File

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.[1][3][4]

Enterprise T1114 Email Collection

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[15][4][5]

Enterprise T1114.001 Email Collection: Local Email Collection

Emotet has been observed leveraging a module that scrapes email data from Outlook.[15]

Enterprise T1218.010 System Binary Proxy Execution: Regsvr32

Emotet uses RegSvr32 to execute the DLL payload.[16]

Enterprise T1033 System Owner/User Discovery

Emotet has enumerated all users connected to network shares.

Enterprise T1016.002 System Network Configuration Discovery: Wi-Fi Discovery

Emotet can extract the names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.[5]

Enterprise T1135 Network Share Discovery

Emotet has enumerated non-hidden network shares using WNetEnumResourceW.[5]

Enterprise T1040 Network Sniffing

Emotet has been observed to hook network APIs to monitor network traffic.[1]

Enterprise T1134.001 Access Token Manipulation: Token Impersonation/Theft

Emotet has the ability to duplicate the user’s token.[5] For example, Emotet may use a variant of Google’s ProtoBuf to send messages that specify how code will be executed.[13]

Enterprise T1087.003 Account Discovery: Email Account

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[15][4][5]

Enterprise T1057 Process Discovery

Emotet has been observed enumerating local processes.[18]

Enterprise T1055.001 Process Injection: Dynamic-link Library Injection

Emotet has been observed injecting into Explorer.exe and other processes.[10][1][6]

Enterprise T1055.012 Process Injection: Process Hollowing

Emotet uses a copy of certutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code.[16]

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement.[14][5]

Enterprise T1210 Exploitation of Remote Services

Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation.[9][6][7][11]

Enterprise T1041 Exfiltration Over C2 Channel

Emotet has exfiltrated data over its C2 channel.[2][5]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Emotet has been delivered by phishing emails containing attachments.[19][14][9][6][12][2][10][3][4]

Enterprise T1566.002 Phishing: Spearphishing Link

Emotet has been delivered by phishing emails containing links.[1][20][19][14][9][6][12][10]

Enterprise T1571 Non-Standard Port

Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.[12][5]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Emotet has maintained persistence through a scheduled task, e.g. through a .dll file in the Registry.[6][13]

Groups That Use This Software

ID Name References
G0102 Wizard Spider [21][22]

References