Emotet

Emotet is a modular malware family that is primarily used as a downloader for other malware, such as TrickBot and IcedID. Emotet first emerged in June 2014 and has primarily been used to target the banking sector.[1]

ID: S0367
Associated Software: Geodo
Type: MALWARE
Platforms: Windows
Contributors: Omkar Gudhate
Version: 1.1

Associated Software Descriptions

Name Description
Geodo [7]

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force

Emotet has been observed using a hard-coded list of passwords to brute force user accounts.[2][3][4][5][6]

Enterprise T1059 Command-Line Interface

Emotet has used cmd.exe to run a PowerShell script.[9]

Enterprise T1043 Commonly Used Port

Emotet has used ports 20, 22, 80, 443, 8080, and 8443.[11][8][7][12]

Enterprise T1003 Credential Dumping

Emotet has been observed dropping browser and password grabber modules including Mimikatz.[7]

Enterprise T1081 Credentials in Files

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.[4][6]

Enterprise T1094 Custom Command and Control Protocol

Emotet has been observed using an encrypted, modified protobuf-based protocol for command and control messaging.[15][17]

Enterprise T1022 Data Encrypted

Emotet has been observed encrypting the data it collects before sending it to the C2 server.[16]

Enterprise T1114 Email Collection

Emotet has been observed leveraging a module that scrapes email data from Outlook.[6]

Enterprise T1041 Exfiltration Over Command and Control Channel

Emotet has been seen exfiltrating system information in cookies sent with HTTP GET requests to its C2 servers.[7]

Enterprise T1210 Exploitation of Remote Services

Emotet has been seen exploiting SMB vulnerabilities, using exploits such as ETERNALBLUE (MS17-010), to achieve lateral movement and propagation.[4][5][13]

Enterprise T1040 Network Sniffing

Emotet has been observed hooking network APIs to monitor network traffic.[1]

Enterprise T1050 New Service

Emotet has been observed creating new services to maintain persistence.[4][5]

Enterprise T1027 Obfuscated Files or Information

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts.[8][7][9][10]

Enterprise T1086 PowerShell

Emotet has used PowerShell to retrieve the malicious payload and download additional resources such as Mimikatz.[3][7][9][13][12]

Enterprise T1057 Process Discovery

Emotet has been observed enumerating local processes.[18]

Enterprise T1055 Process Injection

Emotet has been observed injecting into Explorer.exe and other processes.[9][1][4]

Enterprise T1060 Registry Run Keys / Startup Folder

Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.[3][4][9]

Enterprise T1053 Scheduled Task

Emotet has maintained persistence through a scheduled task.[4]

Enterprise T1064 Scripting

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.[3][8][7][9][12]

Enterprise T1045 Software Packing

Emotet has used custom packers to protect its payloads.[7]

Enterprise T1193 Spearphishing Attachment

Emotet has been delivered by phishing emails containing attachments.[11][2][3][4][8][7][9][12]

Enterprise T1192 Spearphishing Link

Emotet has been delivered by phishing emails containing links.[1][14][11][2][3][4][8][9]

Enterprise T1032 Standard Cryptographic Protocol

Emotet is known to use RSA keys for encrypting C2 traffic.[7]

Enterprise T1065 Uncommonly Used Port

Emotet has been observed communicating over non-standard ports, including 7080 and 50000.[14][9][15][8]

Enterprise T1204 User Execution

Emotet has relied upon users clicking on a malicious link or attachment delivered through spearphishing.[1][12]

Enterprise T1078 Valid Accounts

Emotet can brute force a local admin password, then use it to facilitate lateral movement.[2]

Enterprise T1077 Windows Admin Shares

Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.[2]

Enterprise T1047 Windows Management Instrumentation

Emotet has used WMI to execute powershell.exe.[12]