Related Families: TrickBot, Ryuk, QakBot, Zloader, Quantum, BlackCat
Verticals Targeted: Financial, Various
VMware recently reported on the evolution of Emotet. New Emotet TTPs include added functionality, new anti-analysis techniques, infrastructure changes, and new attack vectors.
- Emotet has evolved TTPs since its return in late 2021.
- Emotet was originally a banking trojan but now also acts as a botnet and a loader.
- Other changes to Emotet include new functionalities, new anti-analysis techniques, infrastructure changes, and new attack vectors.
The Emotet banking trojan, first seen in the wild in 2014, was once considered the “world’s most dangerous malware.” Previous versions of Emotet were extremely dangerous because they spread quickly, were difficult to detect, and were sometimes used by other threat actor groups to install ransomware, stealers, and other malware. The threat actors behind Emotet created an elaborate infrastructure, the notorious Emotet malware botnet.
Emotet was considered dead after its takedown by law enforcement groups in January 2021. Although leftover samples existed in the wild, there was no network infrastructure to support them. In November 2021, Emotet activity was again observed in the wild. Emotet now primarily functions as a botnet and a loader as a service (LaaS). Last month, industry researchers reported that ransomware as a service (RaaS) groups, including Quantum and BlackCat, are leveraging Emotet.
How Has Emotet Evolved?
VMware reported multiple changes indicating the evolution of Emotet’s TTPs:
Emotet has new modules allowing threat actors to steal credit card information from the Google Chrome browser and to leverage SMB to spread laterally.
The threat actors behind Emotet are hiding their C2 infrastructure, making analysis more difficult. More recent Emotet variants use a new method of storing the configuration data within the binary.
VMware noted a shift in Emotet’s infrastructure, with the current versions using clusters known as Epoch 4 and Epoch 5. VMware researchers examined 23,811 DLL payloads and discovered 328 unique IP addresses used by Emotet. The majority belonged to Epoch 4, with just under 40% belonging to Epoch 5. One IP address overlapped both botnets. Splitting the C2 infrastructure across clusters creates redundancy and makes activity harder to track. The ports most commonly used by Emotet include 8080 and 443.
New Attack Vectors
VMware noted Emotet has been leveraging both malicious URLs embedded in emails and malicious Microsoft documents as an initial infection vector. Some attacks relied on Excel documents containing macros. The macros download the next-stage payload, execute it with rundll32.exe, and establish persistence through the registry. Infections observed earlier this year used mshta.exe as an infection vector. This legitimate Windows utility executes Microsoft HTA files and is commonly abused in living-off-the-land binary (LOLBin) techniques.
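The execution chain described above (Office document → rundll32.exe or mshta.exe → registry Run-key persistence) is the kind of behaviour a defender can flag from process-creation and registry telemetry. The following detection script is an added example written for this post, not code from PolySwarm or VMware; the Sysmon-style event records, host names, file paths and the hypothetical stage2.dll name are constructed sample data, and the rule names are this example's own.

```python
"""Flag Office-spawned LOLBins and Run-key persistence set by those processes.

Two rules are applied over a stream of constructed Sysmon-like events:
  1. office_spawns_lolbin: an Office application launches rundll32.exe or mshta.exe.
  2. flagged_lolbin_sets_run_key: a process flagged by rule 1 writes a Run/RunOnce value.
rundll32.exe launched by explorer.exe (a common benign pattern) is deliberately not flagged.
"""

# Constructed sample telemetry for this example; paths and names are not real indicators.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS01", "type": "process", "pid": 4100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "EXCEL.EXE invoice.xlsm"},
    {"ts": 2, "host": "WS01", "type": "process", "pid": 4120,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"rundll32.exe C:\Users\Public\stage2.dll,DllRegisterServer"},  # hypothetical DLL
    {"ts": 3, "host": "WS01", "type": "registry", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"rundll32.exe C:\Users\Public\stage2.dll,DllRegisterServer"},
    {"ts": 4, "host": "WS02", "type": "process", "pid": 5000,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "mshta.exe https://example.invalid/page.hta"},
    {"ts": 5, "host": "WS03", "type": "process", "pid": 6000,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign control-panel launch
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "mshta.exe"}
RUN_KEY_MARKERS = (r"\currentversion\run" + "\\", r"\currentversion\runonce" + "\\")


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply both rules in timestamp order and return a list of alert dicts."""
    alerts = []
    flagged = set()  # (host, pid) of processes that triggered rule 1
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            child = basename(ev["image"])
            parent = basename(ev["parent_image"])
            # Rule 1: Office application spawning a LOLBin used to run the next stage.
            if child in LOLBINS and parent in OFFICE_APPS:
                alerts.append({"rule": "office_spawns_lolbin", "host": ev["host"],
                               "pid": ev["pid"], "parent": parent, "child": child,
                               "cmdline": ev["cmdline"]})
                flagged.add((ev["host"], ev["pid"]))
        elif ev["type"] == "registry":
            key = ev["key"].lower()
            # Rule 2: a process already flagged by rule 1 establishing Run-key persistence.
            if any(m in key for m in RUN_KEY_MARKERS) and (ev["host"], ev["pid"]) in flagged:
                alerts.append({"rule": "flagged_lolbin_sets_run_key", "host": ev["host"],
                               "pid": ev["pid"], "key": ev["key"], "value": ev["value"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 only fires for a process that rule 1 already flagged, which keeps noise from legitimate installers writing Run keys low; in a real deployment, rundll32.exe loading a DLL from a user-writable directory would be a reasonable additional medium-severity rule, but it is left out here to keep the example to the chain the post describes.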
PolySwarm has multiple samples associated with new Emotet activity.
You can use the following CLI command to search for all Emotet samples in our portal:
$ polyswarm link list -f Emotet