Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware

MITRE Techniques

• [T1059.001] PowerShell – The LNK-delivered PowerShell script decodes and executes payloads to download Emotet. Quote: “The Powershell script embedded within the LNK is a Base64 encoded script with various components split into different variables for obfuscation purposes. The script will decode itself…”
• [T1218.011] Rundll32 – Emotet execution utilized Windows’ rundll32 to trigger payloads. Quote: “The specific mechanism used to inject into a foreign process, was injecting arbitrary code into its memory space, and executing it as a remotely created thread.”
• [T1218.010] Regsvr32 – The Emotet DLL was launched via regsvr32. Quote: “As we can see, regsvr32.exe Windows’s native utility was used to launch the Emotet DLL.”
• [T1055] Process Injection – The threat actor injected code into legitimate processes (e.g., winlogon.exe, svchost.exe) to run Cobalt Strike payloads. Quote: “The specific mechanism used to inject into a foreign process, was injecting arbitrary code into its memory space, and executing it as a remotely created thread.”
• [T1057] Process Discovery – Discovery using tasklist and other process-oriented queries. Quote: “The threat actors proceeded to run the net commands to review the Domain Administrators group again.”
• [T1018] Remote System Discovery – Discovery activities across the network (domain controllers, domain admins). Quote: “they began conducting a new round of discovery activity.”
• [T1021.002] SMB/Windows Admin Shares – Lateral movement across SMB shares and remote services. Quote: “SMB file transfers and remote services to move laterally across domain controllers…”
• [T1570] Lateral Tool Transfer – Tools transferred between hosts (SMB, WMI) for propagation. Quote: “transferring a beacon executable over SMB to the remote host’s ProgramData directory.”
• [T1078] Valid Accounts – Domain admin and credential-related activity observed (e.g., domain admins group, Netlogon authentications). Quote: “review the Domain Administrators group again” and “A flight of netlogon authentications were observed…”
• [T1569.002] Service Execution – Creation of services to run malicious agents (Tactical RMM Agent Service, Mesh Agent). Quote: “A service was installed in the system. Service Name: TacticalRMM Agent Service…”
• [T1021.001] Remote Desktop Protocol – RDP was used to move laterally and reach additional hosts. Quote: “Remote Desktop connections were discovered on multiple compromised hosts…”
• [T1071.001] Web Protocols – Emotet/Cobalt Strike C2 used HTTP/HTTPS for command and control. Quote: “Cobalt Strike C2 servers were observed being used. Both HTTP and HTTPS were observed to be used.”
• [T1567.002] Exfiltration to Cloud Storage – Data exfiltrated to Mega via Rclone. Quote: “threat actors leveraged Rclone to exfiltrate data to Mega storage services.”
• [T1210] Exploitation of Remote Services – Zerologon attempt and remote-service exploitation observed (e.g., domain controller targeting). Quote: “a possible attempt at exploiting the domain controller.”
• [T1082] System Information Discovery – Repeated enumeration of system information. Quote: “three automated discovery commands were observed… systeminfo … nltest … ipconfig.”
• [T1069.002] Domain Groups – Discovery of domain groups (Domain Admins, Domain Controllers, etc.). Quote: “whoami /groups net group /domain ‘Domain admins’ /domain”