Insights, news, education and announcements from PolySwarm

Emotet’s New TTPs

Written by The Hivemind | Feb 13, 2023 5:26:57 PM

Related Families: Bumblebee, IcedId
Verticals Targeted: Financial

Executive Summary

BlackBerry recently reported on Emotet’s new TTPs, including new email lures, IcedID, and Bumblebee as secondary payloads and evasion methods.

Key Takeaways

  • Emotet is a now infamous banking trojan, active since at least 2014.
  • Emotet has experienced multiple cycles of apparent death, rebirth, and transformation through the years.
  • The latest Emotet variant includes new email lures, a new method for tricking victims into allowing macros in order to download the dropper, a change from 32bit to 64bit, and dropping Bumblebee and IcedID as additional payloads.
What is Emotet?

The Emotet banking trojan, first seen in the wild in 2014, was once considered the “world’s most dangerous malware.” Previous versions of Emotet were extremely dangerous because they spread quickly, were difficult to detect, and were sometimes used by other threat actor groups to install ransomware, stealers, and other malware. The threat actors behind Emotet created an elaborate infrastructure, the notorious Emotet malware botnet.

Emotet was considered dead after its takedown by law enforcement groups in January 2021. Although leftover samples existed in the wild, there was no network infrastructure to support them. In November 2021, Emotet activity was again observed in the wild. Emotet's primary functions were a botnet and a loader as a service (LaaS).

In late 2022, Emotet added new functionality, including new modules, new attack vectors,the ability to spread laterally via SMB, and new anti-analysis measures. Around the same time, Emotet also shifted its use of infrastructure to use the Epoch 4 and Epoch 5 clusters.

A recently discovered Emotet variant includes new email lures, a new method for tricking victims into allowing macros in order to download the dropper, a change from 32bit to 64bit, and drops Bumblebee and IcedID as additional payloads.

In the new Emotet campaign, spam emails contain attached .xls files with a new method to trick victims into downloading the dropper in order to bypass Microsoft’s attempts to block macros. Once the victim downloads the .xls attachment, they are instructed to move the downloaded file into Excel’s Templates folder. Since the Templates folder is automatically trusted by Microsoft, MoTW and other protections do not apply. Files executed from the Templates folder run macros without interference from security measures. Once the macros run, they download and execute Emotet. Emotet then runs in the background, retrieving additional payloads from the C2. Emotet creates a registry key to maintain persistence.


IOCs

PolySwarm has multiple samples associated with the new variant of Emotet.

EF2CE641A4E9F270EEA626E8E4800B0B97B4A436C40E7AF30AEB6F02566B809C (xls file)

199A2E0E1BB46A5DD8EB3A58AA55DE157F6005C65B70245E71CECEC4905CC2C0 (xls file)

BB444759E8D9A1A91A3B94E55DA2AA489BB181348805185F9B26F4287A55DF36 (Emotet dropper)
F6485AEF4BE4CB0EC50317B7F87694FB775F81733AF64C9BC6050F6806504207 (Emotet dropper)
05A3A84096BCDC2A5CF87D07EDE96AFF7FD5037679F9585FEE9A227C0D9CBF51 (IcedID)


You can use the following CLI command to search for all Emotet samples in our portal:

$ polyswarm link list -f Emotet


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports