A Quick Look at Emotet’s Progression Since its Resurgence

Post-resurgence enhancements

• Emotet is using different attack vectors while trying to stay hidden from security radars. This includes the use of spam messages, malicious documents, or embedded URLs that lead to the download of malware.
• In January, it was using three different infection mechanisms to deliver the payload - directly via an Excel 4.0 macro, an Excel 4.0 macro with PowerShell script, or a VBA macro with PowerShell.
• In some instances, it was seen using the legitimate tool mshta.exe to drop the Emotet malware via a malicious HTA file.

Infrastructure changes

• The malware has launched two new botnet clusters dubbed Epochs 4 and 5, which are leveraged heavily during cyberattacks. 
• Between March 15 and June 18, 10,235 Emotet payloads were found using C2 servers belonging to the Epoch 5 cluster.
• During analysis, out of 328 unique IP addresses obtained from DLL payloads, around 38.6% belonged to Epoch 5 botnet, while 60.8% were from Epoch 4. There was just one IP address that bgedelon to both the botnet clusters.

Additional enhancements

• Emotet started two new modules, one designed to target Google Chrome browsers to steal credit card information, and the other is designed for lateral movement by leveraging SMB protocol.
• All the sample payloads used in a recent campaign comprised 10 modules: one WebBrowserPassView, one MailPassView, four ThunderbirdStealer, and four spam.

Recommendations