A quick abstract of what occurred with Emotet since its comeback in November 2021
Emotet is a malware household energetic since 2014, operated by a cybercrime group often called Mealybug or TA542. Though it began as a banking trojan, it later advanced right into a botnet that turned one of the crucial prevalent threats worldwide. Emotet spreads by way of spam emails; it could possibly exfiltrate info from, and ship third-party malware to, compromised computer systems. Emotet operators usually are not very choosy about their targets, putting in their malware on programs belonging to people in addition to firms and greater organizations.
In January 2021, Emotet was the goal of a takedown because of a global, collaborative effort of eight international locations coordinated by Eurojust and Europol. Nonetheless, regardless of this operation, Emotet got here again to life in November 2021.
- Emotet launched a number of spam campaigns because it re-appeared after its takedown.
- Since then, Mealybug created a number of new modules and a number of instances up to date and improved all current modules.
- Emotet operators subsequently have put lots of effort into avoiding monitoring and monitoring of the botnet because it got here again.
- At the moment Emotet is silent and inactive, likely attributable to failing to search out an efficient, new assault vector.
Determine 1. Timeline of fascinating Emotet occasions since its return
Spam campaigns
After the comeback adopted by a number of spam campaigns on the finish of 2021, the start of 2022 continued with these tendencies and we registered a number of spam campaigns launched by Emotet operators. Throughout this time Emotet was spreading primarily by way of malicious Microsoft Phrase and Microsoft Excel paperwork with embedded VBA macros.
In July 2022, Microsoft modified the sport for all of the malware households like Emotet and Qbot – which had used phishing emails with malicious doc as the strategy of spreading – by disabling VBA macros in paperwork obtained from the Web. This alteration was announced by Microsoft at first of the yr and deployed initially in early April, however the replace was rolled again attributable to consumer suggestions. The ultimate rollout got here on the finish of July 2022 and, as will be seen in Determine 2, the replace resulted in a big drop in Emotet compromises; we didn’t observe any vital exercise in the course of the summer season of 2022.
Determine 2. Emotet detection pattern, seven-day transferring common
Disabling Emotet’s fundamental assault vector made its operators search for new methods to compromise their targets. Mealybug began experimenting with malicious LNK and XLL information, however when the yr 2022 was ending, Emotet operators struggled to discover a new assault vector that will be as efficient as VBA macros had been. In 2023, they ran three distinctive malspam campaigns, every testing a barely completely different intrusion avenue and social engineering approach. Nonetheless, the shrinking dimension of the assaults and fixed modifications within the strategy could recommend dissatisfaction with the outcomes.
The primary of these three campaigns occurred round March 8th, 2023, when the Emotet botnet began distributing Phrase paperwork, masked as invoices, with embedded malicious VBA macros. This was fairly odd as a result of VBA macros have been disabled by Microsoft by default, so victims couldn’t run embedded malicious code.
Of their second marketing campaign between March 13th and March 18th, the attackers seemingly acknowledged these flaws, and other than utilizing the reply chain strategy, additionally they switched from VBA macros to OneNote information (ONE) with embedded VBScripts. If the victims opened the file, they have been greeted by what appeared like a protected OneNote web page, asking them to click on a View button to see the content material. Behind this graphic aspect was a hidden VBScript, set to obtain the Emotet DLL.
Regardless of a OneNote warning that this motion would possibly result in malicious content material, individuals are likely to click on at comparable prompts by behavior and thus can doubtlessly enable the attackers to compromise their units.
The final marketing campaign noticed in ESET telemetry was launched on March 20th, profiting from the upcoming earnings tax due date in america. The malicious emails despatched by the botnet pretended to come back from the US tax workplace Inner Income Service (IRS) and carried an hooked up archive file named W-9 type.zip. The included ZIP file contained a Phrase doc with an embedded malicious VBA macro that the meant sufferer in all probability needed to enable. Other than this marketing campaign, focused particularly to the USA, we additionally noticed one other marketing campaign utilizing embedded VBScripts and OneNote strategy that was underway on the similar time.
As will be seen in Determine 3, a lot of the assaults detected by ESET have been aimed toward Japan (43%), Italy (13%), though these numbers could also be biased by the robust ESET consumer base in these areas. After eradicating these prime two international locations (in an effort to give attention to the remainder of the world), in Determine 4 it may be seen that the remainder of the world was additionally hit, with Spain (5%) in third place adopted by Mexico (5%) and South Africa (4%).
Determine 3. Emotet detections Jan 2022 – Jun 2023
Determine 4. Emotet detections Jan 2022 – Jun 2023 (JP and IT excluded)
Enhanced safety and obfuscations
After its reappearance, Emotet acquired a number of upgrades. The primary notable function is that the botnet switched its cryptographic scheme. Earlier than the takedown, Emotet used RSA as their major uneven scheme and after the reappearance, the botnet began to make use of Elliptic curve cryptography. At the moment each Downloader module (additionally referred to as Predominant module) comes with two embedded public keys. One is used for the Elliptic curve Diffie Hellman key trade protocol and the opposite is used for a signature verification – Digital signature algorithm.
Other than updating Emotet malware to 64-bit structure, Mealybug has additionally carried out a number of new obfuscations to guard their modules. First notable obfuscation is management movement flattening which may considerably decelerate evaluation and finding fascinating components of code in Emotet’s modules.
Mealybug additionally carried out and improved its implementation of many randomization strategies, of which probably the most notable are the randomization of order of construction members and the randomization of directions that calculate constants (constants are masked).
Yet another replace that’s value mentioning occurred over the last quarter of 2022, when modules began utilizing timer queues. With these, the primary perform of modules and the communication a part of modules have been set as a callback perform, which is invoked by a number of threads and all of that is mixed with the management movement flattening, the place the state worth that manages which block of code is to be invoked is shared among the many threads. This obfuscation provides as much as one other impediment in evaluation and makes following of the execution movement much more tough.
New modules
To stay worthwhile and prevalent malware, Mealybug carried out a number of new modules, proven in yellow in Determine 5. A few of them have been created as a defensive mechanism for the botnet, others for extra environment friendly spreading of the malware, and final however not least, a module that steals info that can be utilized to steal the sufferer’s cash.
Determine 5. Emotet’s most ceaselessly used modules. Purple existed earlier than the takedown; yellow appeared after the comeback
Thunderbird E-mail Stealer and Thunderbird Contact Stealer
Emotet is unfold by way of spam emails and folks usually belief these emails, as a result of Emotet efficiently makes use of an electronic mail thread hijacking approach. Earlier than the takedown, Emotet used modules we name Outlook Contact Stealer and Outlook E-mail Stealer, that have been able to stealing emails and call info from Outlook. However as a result of not everybody makes use of Outlook, after the takedown Emotet centered additionally on a free different electronic mail software – Thunderbird.
Emotet could deploy a Thunderbird E-mail Stealer module to the compromised pc, which (because the identify suggests) is able to stealing emails. The module searches by the Thunderbird information containing acquired messages (in MBOX format) and steals information from a number of fields together with sender, recipients, topic, date, and contents of the message. All stolen info is then despatched to a C&C server for additional processing.
Along with Thunderbird E-mail Stealer, Emotet additionally deploys a Thunderbird Contact Stealer, which is able to stealing contact info from Thunderbird. This module additionally searches by the Thunderbird information, this time in search of each acquired and despatched messages. The distinction is that this module simply extracts info from the From:, To:, CC: and Cc: fields and creates an inside graph of who communicated with whom, the place nodes are individuals, and there may be an edge between two individuals in the event that they communicated with one another. Within the subsequent step, the module orders the stolen contacts – beginning with probably the most interconnected individuals – and sends this info to a C&C server.
All this effort is complemented by two extra modules (that existed already earlier than the takedown) – the MailPassView Stealer module and the Spammer module. MailPassView Stealer abuses a official NirSoft instrument for password restoration and steals credentials from electronic mail functions. When stolen emails, credentials, and details about who’s involved with whom will get processed, Mealybug creates malicious emails that appear to be a reply to beforehand stolen conversations and sends these emails along with the stolen credentials to a Spammer module that makes use of these credentials to ship malicious replies to earlier electronic mail conversations by way of SMTP.
Google Chrome Credit score Card Stealer
Because the identify suggests, Google Chrome Credit score Card Stealer steals details about bank cards saved within the Google Chrome browser. To attain this, the module makes use of a statically linked SQLite3 library for accessing the Internet Information database file often situated in %LOCALAPPDATApercentGoogleChromeUser DataDefaultWeb Information. The module queries the desk credit_cards for name_of_card, expiration_month, expiration_year, and card_number_encrypted, containing details about bank cards saved within the default Google Chrome profile. Within the final step, the card_number_encrypted worth is decrypted utilizing the important thing saved within the %LOCALAPPDATApercentGoogleChromeUser DataLocal State file and all info is distributed to a C&C server.
Systeminfo and Hardwareinfo modules
Shortly after the return of Emotet, in November 2021 a brand new module we name Systeminfo appeared. This module collects details about a compromised system and sends it to the C&C server. Data collected consists of:
- Output of the systeminfo command
- Output of the ipconfig /all command
- Output of the nltest /dclist: command (eliminated in Oct. 2022)
- Course of record
- Uptime (obtained by way of GetTickCount) in seconds (eliminated in Oct 2022)
In October 2022 Emotet’s operators launched one other new module we name Hardwareinfo. Although it doesn’t steal completely details about the {hardware} of a compromised machine, it serves as a complementary supply of knowledge to the Systeminfo module. This module collects the next information from the compromised machine:
- Laptop identify
- Username
- OS model info, together with main and minor model numbers
- Session ID
- CPU model string
- Details about RAM dimension and utilization
Each modules have one major goal – confirm whether or not the communication comes from legitimately compromised sufferer or not. Emotet was, particularly after its comeback, a extremely sizzling matter within the pc safety trade and amongst researchers, so Mealybug went to nice lengths to guard themselves from monitoring and monitoring of their actions. Because of the knowledge collected by these two modules that not solely acquire information, but in addition include anti-tracking and anti-analysis tips, Mealybug’s capabilities to inform aside actual victims from malware researchers’ actions or sandboxes have been considerably improved.
What’s subsequent?
In line with ESET analysis and telemetry, each Epochs of the botnet have been quiet for the reason that starting of the April 2023. At the moment it stays unclear if that is yet one more trip time for the authors, in the event that they battle to search out new efficient an infection vector, or if there may be somebody new working the botnet.
Although we can not affirm the rumors that one or each Epochs of the botnet have been bought to any individual in January 2023, we observed an uncommon exercise on one of many Epochs. The most recent replace of the downloader module contained a brand new performance, which logs the interior states of the module and tracks its execution to a file C:JSmithLoader (Determine 6, Determine 7). As a result of this file needs to be current to really log one thing, this performance seems like a debugging output for somebody who doesn’t fully perceive what the module does and the way it works. Moreover, at the moment the botnet was additionally extensively spreading Spammer modules, that are thought of to be extra treasured for Mealybug as a result of traditionally they used these modules solely on machines that have been thought of by them to be protected.
Determine 6. Logging of habits of the downloader module
Determine 7. Logging of habits of the downloader module
Whichever rationalization of why the botnet is quiet now could be true, Emotet has been recognized for its effectiveness and its operators made an effort to rebuild and keep the botnet and even add some enhancements, so maintain monitor with our weblog to see what the long run will convey us.
ESET Analysis presents personal APT intelligence stories and information feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.
IoCs
Recordsdata
| SHA-1 | Filename | ESET detection identify | Description |
|---|---|---|---|
| D5FDE4A0DF9E416DE02AE51D07EFA8D7B99B11F2 | N/A | Win64/Emotet.AL | Emotet Systeminfo module. |
| 1B6CFE35EF42EB9C6E19BCBD5A3829458C856DBC | N/A | Win64/Emotet.AL | Emotet Hardwareinfo module. |
| D938849F4C9D7892CD1558C8EDA634DADFAD2F5A | N/A | Win64/Emotet.AO | Emotet Google Chrome Credit score Card Stealer module. |
| 1DF4561C73BD35E30B31EEE62554DD7157AA26F2 | N/A | Win64/Emotet.AL | Emotet Thunderbird E-mail Stealer module. |
| 05EEB597B3A0F0C7A9E2E24867A797DF053AD860 | N/A | Win64/Emotet.AL | Emotet Thunderbird Contact Stealer module. |
| 0CEB10940CE40D1C26FC117BC2D599C491657AEB | N/A | Win64/Emotet.AQ | Emotet Downloader module, model with timer queue obfuscation. |
| 8852B81566E8331ED43AB3C5648F8D13012C8A3B | N/A | Win64/Emotet.AL | Emotet Downloader module, x64 model. |
| F2E79EC201160912AB48849A5B5558343000042E | N/A | Win64/Emotet.AQ | Emotet Downloader module, model with debug strings. |
| CECC5BBA6193D744837E689E68BC25C43EDA7235 | N/A | Win32/Emotet.DG | Emotet Downloader module, x86 model. |
Community
| IP | Area | Internet hosting supplier | First seen | Particulars |
|---|---|---|---|---|
| 1.234.2[.]232 | N/A | SK Broadband Co Ltd | N/A | N/A |
| 1.234.21[.]73 | N/A | SK Broadband Co Ltd | N/A | N/A |
| 5.9.116[.]246 | N/A | Hetzner On-line GmbH | N/A | N/A |
| 5.135.159[.]50 | N/A | OVH SAS | N/A | N/A |
| 27.254.65[.]114 | N/A | CS LOXINFO Public Firm Restricted. | N/A | N/A |
| 37.44.244[.]177 | N/A | Hostinger Worldwide Restricted | N/A | N/A |
| 37.59.209[.]141 | N/A | Abuse-C Position | N/A | N/A |
| 37.187.115[.]122 | N/A | OVH SAS | N/A | N/A |
| 45.71.195[.]104 | N/A | NET ALTERNATIVA PROVEDOR DE INTERNET LTDA – ME | N/A | N/A |
| 45.79.80[.]198 | N/A | Linode | N/A | N/A |
| 45.118.115[.]99 | N/A | Asep Bambang Gunawan | N/A | N/A |
| 45.176.232[.]124 | N/A | CABLE Y TELECOMUNICACIONES DE COLOMBIA S.A.S (CABLETELCO) | N/A | N/A |
| 45.235.8[.]30 | N/A | WIKINET TELECOMUNICAÇÕES | N/A | N/A |
| 46.55.222[.]11 | N/A | DCC | N/A | N/A |
| 51.91.76[.]89 | N/A | OVH SAS | N/A | N/A |
| 51.161.73[.]194 | N/A | OVH SAS | N/A | N/A |
| 51.254.140[.]238 | N/A | Abuse-C Position | N/A | N/A |
| 54.37.106[.]167 | N/A | OVH SAS | N/A | N/A |
| 54.37.228[.]122 | N/A | OVH SAS | N/A | N/A |
| 54.38.242[.]185 | N/A | OVH SAS | N/A | N/A |
| 59.148.253[.]194 | N/A | CTINETS HOSTMASTER | N/A | N/A |
| 61.7.231[.]226 | N/A | IP-network CAT Telecom | N/A | N/A |
| 61.7.231[.]229 | N/A | The Communication Authoity of Thailand, CAT | N/A | N/A |
| 62.171.178[.]147 | N/A | Contabo GmbH | N/A | N/A |
| 66.42.57[.]149 | N/A | The Fixed Firm, LLC | N/A | N/A |
| 66.228.32[.]31 | N/A | Linode | N/A | N/A |
| 68.183.93[.]250 | N/A | DigitalOcean, LLC | N/A | N/A |
| 72.15.201[.]15 | N/A | Flexential Colorado Corp. | N/A | N/A |
| 78.46.73[.]125 | N/A | Hetzner On-line GmbH – Contact Position, ORG-HOA1-RIPE | N/A | N/A |
| 78.47.204[.]80 | N/A | Hetzner On-line GmbH | N/A | N/A |
| 79.137.35[.]198 | N/A | OVH SAS | N/A | N/A |
| 82.165.152[.]127 | N/A | 1&1 IONOS SE | N/A | N/A |
| 82.223.21[.]224 | N/A | IONOS SE | N/A | N/A |
| 85.214.67[.]203 | N/A | Strato AG | N/A | N/A |
| 87.106.97[.]83 | N/A | IONOS SE | N/A | N/A |
| 91.121.146[.]47 | N/A | OVH SAS | N/A | N/A |
| 91.207.28[.]33 | N/A | Optima Telecom Ltd. | N/A | N/A |
| 93.104.209[.]107 | N/A | MNET | N/A | N/A |
| 94.23.45[.]86 | N/A | OVH SAS | N/A | N/A |
| 95.217.221[.]146 | N/A | Hetzner On-line GmbH | N/A | N/A |
| 101.50.0[.]91 | N/A | PT. Beon Intermedia | N/A | N/A |
| 103.41.204[.]169 | N/A | PT Infinys System Indonesia | N/A | N/A |
| 103.43.75[.]120 | N/A | Choopa LLC administrator | N/A | N/A |
| 103.63.109[.]9 | N/A | Nguyen Nhu Thanh | N/A | N/A |
| 103.70.28[.]102 | N/A | Nguyen Thi Oanh | N/A | N/A |
| 103.75.201[.]2 | N/A | IRT-CDNPLUSCOLTD-TH | N/A | N/A |
| 103.132.242[.]26 | N/A | Ishan’s Community | N/A | N/A |
| 104.131.62[.]48 | N/A | DigitalOcean, LLC | N/A | N/A |
| 104.168.155[.]143 | N/A | Hostwinds LLC. | N/A | N/A |
| 104.248.155[.]133 | N/A | DigitalOcean, LLC | N/A | N/A |
| 107.170.39[.]149 | N/A | DigitalOcean, LLC | N/A | N/A |
| 110.232.117[.]186 | N/A | RackCorp | N/A | N/A |
| 115.68.227[.]76 | N/A | SMILESERV | N/A | N/A |
| 116.124.128[.]206 | N/A | IRT-KRNIC-KR | N/A | N/A |
| 116.125.120[.]88 | N/A | IRT-KRNIC-KR | N/A | N/A |
| 118.98.72[.]86 | N/A | PT Telkom Indonesia APNIC Assets Administration | N/A | N/A |
| 119.59.103[.]152 | N/A | 453 Ladplacout Jorakhaebua | N/A | N/A |
| 119.193.124[.]41 | N/A | IP Supervisor | N/A | N/A |
| 128.199.24[.]148 | N/A | DigitalOcean, LLC | N/A | N/A |
| 128.199.93[.]156 | N/A | DigitalOcean, LLC | N/A | N/A |
| 128.199.192[.]135 | N/A | DigitalOcean, LLC | N/A | N/A |
| 129.232.188[.]93 | N/A | Xneelo (Pty) Ltd | N/A | N/A |
| 131.100.24[.]231 | N/A | EVEO S.A. | N/A | N/A |
| 134.122.66[.]193 | N/A | DigitalOcean, LLC | N/A | N/A |
| 139.59.56[.]73 | N/A | DigitalOcean, LLC | N/A | N/A |
| 139.59.126[.]41 | N/A | Digital Ocean Inc administrator | N/A | N/A |
| 139.196.72[.]155 | N/A | Hangzhou Alibaba Promoting Co.,Ltd. | N/A | N/A |
| 142.93.76[.]76 | N/A | DigitalOcean, LLC | N/A | N/A |
| 146.59.151[.]250 | N/A | OVH SAS | N/A | N/A |
| 146.59.226[.]45 | N/A | OVH SAS | N/A | N/A |
| 147.139.166[.]154 | N/A | Alibaba (US) Expertise Co., Ltd. | N/A | N/A |
| 149.56.131[.]28 | N/A | OVH SAS | N/A | N/A |
| 150.95.66[.]124 | N/A | GMO Web Inc administrator | N/A | N/A |
| 151.106.112[.]196 | N/A | Hostinger Worldwide Restricted | N/A | N/A |
| 153.92.5[.]27 | N/A | Hostinger Worldwide Restricted | N/A | N/A |
| 153.126.146[.]25 | N/A | IRT-JPNIC-JP | N/A | N/A |
| 159.65.3[.]147 | N/A | DigitalOcean, LLC | N/A | N/A |
| 159.65.88[.]10 | N/A | DigitalOcean, LLC | N/A | N/A |
| 159.65.140[.]115 | N/A | DigitalOcean, LLC | N/A | N/A |
| 159.69.237[.]188 | N/A | Hetzner On-line GmbH – Contact Position, ORG-HOA1-RIPE | N/A | N/A |
| 159.89.202[.]34 | N/A | DigitalOcean, LLC | N/A | N/A |
| 160.16.142[.]56 | N/A | IRT-JPNIC-JP | N/A | N/A |
| 162.243.103[.]246 | N/A | DigitalOcean, LLC | N/A | N/A |
| 163.44.196[.]120 | N/A | GMO-Z com NetDesign Holdings Co., Ltd. | N/A | N/A |
| 164.68.99[.]3 | N/A | Contabo GmbH | N/A | N/A |
| 164.90.222[.]65 | N/A | DigitalOcean, LLC | N/A | N/A |
| 165.22.230[.]183 | N/A | DigitalOcean, LLC | N/A | N/A |
| 165.22.246[.]219 | N/A | DigitalOcean, LLC | N/A | N/A |
| 165.227.153[.]100 | N/A | DigitalOcean, LLC | N/A | N/A |
| 165.227.166[.]238 | N/A | DigitalOcean, LLC | N/A | N/A |
| 165.227.211[.]222 | N/A | DigitalOcean, LLC | N/A | N/A |
| 167.172.199[.]165 | N/A | DigitalOcean, LLC | N/A | N/A |
| 167.172.248[.]70 | N/A | DigitalOcean, LLC | N/A | N/A |
| 167.172.253[.]162 | N/A | DigitalOcean, LLC | N/A | N/A |
| 168.197.250[.]14 | N/A | Omar Anselmo Ripoll (TDC NET) | N/A | N/A |
| 169.57.156[.]166 | N/A | SoftLayer | N/A | N/A |
| 172.104.251[.]154 | N/A | Akamai Related Cloud | N/A | N/A |
| 172.105.226[.]75 | N/A | Akamai Related Cloud | N/A | N/A |
| 173.212.193[.]249 | N/A | Contabo GmbH | N/A | N/A |
| 182.162.143[.]56 | N/A | IRT-KRNIC-KR | N/A | N/A |
| 183.111.227[.]137 | N/A | Korea Telecom | N/A | N/A |
| 185.4.135[.]165 | N/A | ENARTIA Single Member S.A. | N/A | N/A |
| 185.148.168[.]15 | N/A | Abuse-C Position | N/A | N/A |
| 185.148.168[.]220 | N/A | Abuse-C Position | N/A | N/A |
| 185.168.130[.]138 | N/A | GigaCloud NOC | N/A | N/A |
| 185.184.25[.]78 | N/A | MUV Bilisim ve Telekomunikasyon Hizmetleri Ltd. Sti. | N/A | N/A |
| 185.244.166[.]137 | N/A | Jan Philipp Waldecker buying and selling as LUMASERV Techniques | N/A | N/A |
| 186.194.240[.]217 | N/A | SEMPRE TELECOMUNICACOES LTDA | N/A | N/A |
| 187.63.160[.]88 | N/A | BITCOM PROVEDOR DE SERVICOS DE INTERNET LTDA | N/A | N/A |
| 188.44.20[.]25 | N/A | Firm for communications providers A1 Makedonija DOOEL Skopje | N/A | N/A |
| 190.90.233[.]66 | N/A | INTERNEXA Brasil Operadora de Telecomunicações S.A | N/A | N/A |
| 191.252.103[.]16 | N/A | Locaweb Serviços de Web S/A | N/A | N/A |
| 194.9.172[.]107 | N/A | Abuse-C Position | N/A | N/A |
| 195.77.239[.]39 | N/A | TELEFONICA DE ESPANA S.A.U. | N/A | N/A |
| 195.154.146[.]35 | N/A | Scaleway Abuse, ORG-ONLI1-RIPE | N/A | N/A |
| 196.218.30[.]83 | N/A | TE Information Contact Position | N/A | N/A |
| 197.242.150[.]244 | N/A | Afrihost (Pty) Ltd | N/A | N/A |
| 198.199.65[.]189 | N/A | DigitalOcean, LLC | N/A | N/A |
| 198.199.98[.]78 | N/A | DigitalOcean, LLC | N/A | N/A |
| 201.94.166[.]162 | N/A | Claro NXT Telecomunicacoes Ltda | N/A | N/A |
| 202.129.205[.]3 | N/A | NIPA TECHNOLOGY CO., LTD | N/A | N/A |
| 203.114.109[.]124 | N/A | IRT-TOT-TH | N/A | N/A |
| 203.153.216[.]46 | N/A | Iswadi Iswadi | N/A | N/A |
| 206.189.28[.]199 | N/A | DigitalOcean, LLC | N/A | N/A |
| 207.148.81[.]119 | N/A | The Fixed Firm, LLC | N/A | N/A |
| 207.180.241[.]186 | N/A | Contabo GmbH | N/A | N/A |
| 209.97.163[.]214 | N/A | DigitalOcean, LLC | N/A | N/A |
| 209.126.98[.]206 | N/A | GoDaddy.com, LLC | N/A | N/A |
| 210.57.209[.]142 | N/A | Andri Tamtrijanto | N/A | N/A |
| 212.24.98[.]99 | N/A | Interneto vizija | N/A | N/A |
| 213.239.212[.]5 | N/A | Hetzner On-line GmbH | N/A | N/A |
| 213.241.20[.]155 | N/A | Netia Telekom S.A. Contact Position | N/A | N/A |
| 217.182.143[.]207 | N/A | OVH SAS | N/A | N/A |
MITRE ATT&CK strategies
This desk was constructed utilizing version 12 of the MITRE ATT&CK enterprise strategies.
| Tactic | ID | Title | Description |
|---|---|---|---|
| Reconnaissance | T1592.001 | Collect Sufferer Host Data: {Hardware} | Emotet gathers details about {hardware} of the compromised machine, equivalent to CPU model string. |
| T1592.004 | Collect Sufferer Host Data: Shopper Configurations | Emotet gathers details about system configuration such because the ipconfig /all and systeminfo instructions. | |
| T1592.002 | Collect Sufferer Host Data: Software program | Emotet exfiltrates a listing of operating processes. | |
| T1589.001 | Collect Sufferer Identification Data: Credentials | Emotet deploys modules which can be in a position to steal credentials from browsers and electronic mail functions. | |
| T1589.002 | Collect Sufferer Identification Data: E-mail Addresses | Emotet deploys modules that may extract electronic mail addresses from electronic mail functions. | |
| Useful resource Improvement | T1586.002 | Compromise Accounts: E-mail Accounts | Emotet compromises electronic mail accounts and makes use of them for spreading malspam emails. |
| T1584.005 | Compromise Infrastructure: Botnet | Emotet compromises quite a few third-party programs to type a botnet. | |
| T1587.001 | Develop Capabilities: Malware | Emotet consists of a number of distinctive malware modules and elements. | |
| T1588.002 | Receive Capabilities: Device | Emotet makes use of NirSoft instruments to steal credentials from contaminated machines. | |
| Preliminary Entry | T1566 | Phishing | Emotet sends phishing emails with malicious attachments. |
| T1566.001 | Phishing: Spearphishing Attachment | Emotet sends spearphishing emails with malicious attachments. | |
| Execution | T1059.005 | Command and Scripting Interpreter: Visible Primary | Emotet has been seen utilizing Microsoft Phrase paperwork containing malicious VBA macros. |
| T1204.002 | Consumer Execution: Malicious File | Emotet has been counting on customers opening malicious electronic mail attachments and executing embedded scripts. | |
| Protection Evasion | T1140 | Deobfuscate/Decode Recordsdata or Data | Emotet modules use encrypted strings and masked checksums of API perform names. |
| T1027.002 | Obfuscated Recordsdata or Data: Software program Packing | Emotet makes use of customized packers to guard their payloads. | |
| T1027.007 | Obfuscated Recordsdata or Data: Dynamic API Decision | Emotet resolves API calls at runtime. | |
| Credential Entry | T1555.003 | Credentials from Password Shops: Credentials from Internet Browsers | Emotet acquires credentials saved in net browsers by abusing NirSoft’s WebBrowserPassView software. |
| T1555 | Credentials from Password Shops | Emotet is able to stealing passwords from electronic mail functions by abusing NirSoft’s MailPassView software. | |
| Assortment | T1114.001 | E-mail Assortment: Native E-mail Assortment | Emotet steals emails from Outlook and Thunderbird functions. |
| Command and Management | T1071.003 | Software Layer Protocol: Mail Protocols | Emotet can ship malicious emails by way of SMTP. |
| T1573.002 | Encrypted Channel: Uneven Cryptography | Emotet is utilizing ECDH keys to encrypt C&C visitors. | |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | Emotet is utilizing AES to encrypt C&C visitors. | |
| T1571 | Non-Normal Port | Emotet is understood to speak on nonstandard ports equivalent to 7080. |
