S0367 Emotet
Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.8
| Item | Value |
|---|---|
| ID | S0367 |
| Associated Names | Geodo |
| Type | MALWARE |
| Version | 1.7 |
| Created | 25 March 2019 |
| Last Modified | 25 November 2024 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Geodo | 12 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | Emotet has the ability to duplicate the user’s token.14 For example, Emotet may use a variant of Google’s ProtoBuf to send messages that specify how code will be executed.18 |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.003 | Email Account | Emotet has been observed leveraging a module that can scrape email addresses from Outlook.31714 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Emotet has used HTTP for command and control.14 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.11137 |
| enterprise | T1110 | Brute Force | - |
| enterprise | T1110.001 | Password Guessing | Emotet has been observed using a hard-coded list of passwords to brute force user accounts.1011136314 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.11127415 |
| enterprise | T1059.003 | Windows Command Shell | Emotet has used cmd.exe to run a PowerShell script.7 |
| enterprise | T1059.005 | Visual Basic | Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.11112715 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Emotet has been observed creating new services to maintain persistence.13614 |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Emotet has been observed dropping browser password grabber modules. 1217 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server.14 Additionally, Emotet has used Base64 to encode data before sending to the C2 server.19 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.14 |
| enterprise | T1114 | Email Collection | Emotet has been observed leveraging a module that can scrape email addresses from Outlook.31714 |
| enterprise | T1114.001 | Local Email Collection | Emotet has been observed leveraging a module that scrapes email data from Outlook.3 |
| enterprise | T1573 | Encrypted Channel | Emotet has encrypted data before sending to the C2 server.19 |
| enterprise | T1573.001 | Symmetric Cryptography | Emotet is known to use RSA keys for encrypting C2 traffic. 12 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Emotet has exfiltrated data over its C2 channel.1214 |
| enterprise | T1210 | Exploitation of Remote Services | Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation.111364 |
| enterprise | T1105 | Ingress Tool Transfer | Emotet can download follow-on payloads and items via malicious URL parameters in obfuscated PowerShell code.20 |
| enterprise | T1570 | Lateral Tool Transfer | Emotet has copied itself to remote systems using the service.exe filename.14 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Emotet has installed itself as a new service with the service name Windows Defender System Service and display name WinDefService.14 |
| enterprise | T1106 | Native API | Emotet has used CreateProcess to create a new process to run its executable and WNetEnumResourceW to enumerate non-hidden shares.14 |
| enterprise | T1135 | Network Share Discovery | Emotet has enumerated non-hidden network shares using WNetEnumResourceW. 14 |
| enterprise | T1040 | Network Sniffing | Emotet has been observed to hook network APIs to monitor network traffic. 8 |
| enterprise | T1571 | Non-Standard Port | Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.114 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.001 | Binary Padding | Emotet inflates malicious files and malware as an evasion technique.16 |
| enterprise | T1027.002 | Software Packing | Emotet has used custom packers to protect its payloads.12 |
| enterprise | T1027.009 | Embedded Payloads | Emotet has dropped an embedded executable at %Temp%\setup.exe.14 Additionally, Emotet may embed entire code into other files.18 |
| enterprise | T1027.010 | Command Obfuscation | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. 112721 |
| enterprise | T1027.013 | Encrypted/Encoded File | Emotet uses obfuscated URLs to download a ZIP file.16 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Emotet has been observed dropping and executing password grabber modules including Mimikatz.1218 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Emotet has been delivered by phishing emails containing attachments. 210111311271517 |
| enterprise | T1566.002 | Spearphishing Link | Emotet has been delivered by phishing emails containing links. 892101113117 |
| enterprise | T1057 | Process Discovery | Emotet has been observed enumerating local processes.22 |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Emotet has been observed injecting into Explorer.exe and other processes.7813 |
| enterprise | T1055.012 | Process Hollowing | Emotet uses a copy of certutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code.16 |
| enterprise | T1620 | Reflective Code Loading | Emotet has reflectively loaded payloads into memory.14 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement. 1014 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Emotet has maintained persistence through a scheduled task, e.g. through a .dll file in the Registry.1318 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.010 | Regsvr32 | Emotet uses RegSvr32 to execute the DLL payload.16 |
| enterprise | T1016 | System Network Configuration Discovery | - |
| enterprise | T1016.002 | Wi-Fi Discovery | Emotet can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.14 |
| enterprise | T1033 | System Owner/User Discovery | Emotet has enumerated all users connected to network shares. |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. 133 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Emotet has relied upon users clicking on a malicious link delivered through spearphishing.815 |
| enterprise | T1204.002 | Malicious File | Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.81517 |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.003 | Local Accounts | Emotet can brute force a local admin password, then use it to facilitate lateral movement.10 |
| enterprise | T1047 | Windows Management Instrumentation | Emotet has used WMI to execute powershell.exe.15 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider | 2324 |
References
1. Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
2. CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.
3. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
4. Donohue, B. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.
5. ESET. (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.
6. Mclellan, M. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
7. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
8. Salvio, J. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
9. Shulmin, A. (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.
10. Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
11. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
12. Trend Micro. (2019, January 16). Exploring Emotet’s Activities. Retrieved March 25, 2019.
13. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
14. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
15. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
16. Kenefick, I. (2023, March 13). Emotet Returns, Now Adopts Binary Padding for Evasion. Retrieved June 19, 2024.
17. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
18. Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024.
19. Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant – Part 1. Retrieved April 1, 2019.
20. Süleyman Özarslan, PhD; Picus Security Inc. (2020, July 14). An Analysis of Emotet Malware: PowerShell Unobfuscation. Retrieved November 25, 2024.
21. Perez, D. (2018, December 28). Analysis of the latest Emotet propagation campaign. Retrieved April 16, 2019.
22. ASEC. (2017). ASEC REPORT VOL.88. Retrieved April 16, 2019.
23. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
24. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.