The Return of Emotet

Share On Facebook
Share On Twitter
Share On Linkedin

On 17 July, Proofpoint’s threat research team observed a malicious spam (malspam) campaign featuring the return of the Emotet malware after a five-month hiatus. This was a sizable campaign that included nearly a quarter-million malspam messages.1

While the scope of this campaign differs from our previous report on Emotet,2 the tactics and techniques it uses are largely the same. Threat actors use Emotet to steal stored passwords, sensitive banking data, and browser histories from victims’ computers.

The email lures observed in this campaign are simple in nature and are similar to lures that Emotet has previously used. The subject lines are largely generic terms like Re: or Invoice#followed by a series of numbers, but some also include the names of targeted organizations. Message bodies are generic and reference an attachment that the user must open. The attachments are Microsoft Office documents (e.g. Word or Excel) with filenames themed after common business documents like payroll and resumes.

When the user opens the attached document, they are directed to enable macros. Once the user enables macros, the macros execute a Powershell (powershell.exe) command that attempts to download the Emotet payload (WFSR.exe) from one of five Base64-encoded domain names embedded in the command. If this download is successful then the Powershell command proceeds to execute the Emotet payload.

Upon execution, Emotet attempts to steal sensitive information from the victim and exfiltrate this data to one of its command and control (C2) servers. After stealing the victim’s information Emotet will typically attempt to install additional malware, but it is currently unclear what additional payloads this particular campaign may be delivering.

Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.

Endnotes

  1. https://www.proofpoint.com/us/blog/security-briefs/emotet-returns-after-five-month-hiatus
  2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–53

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×