Cyble – Emotet Returns Targeting Users Worldwide

MITRE Techniques

• [T1566.001] Phishing – Spearphishing Attachment – The Emotet campaign uses spam email with xls/xlsm or password-protected attachments to deliver the payload. “…The Emotet arrives to users via spam email containing an xls/xlsm or password-protected attachment…”
• [T1204] User Execution – Malicious macro execution is triggered when users open the Office document and are social engineered to enable macros. “…Threat Actors behind this Emotet try various social Engineering techniques to lure the users into enabling the macro content.”
• [T1059] Command and Scripting Interpreter – Macros in Office documents download and execute the Emotet payload, acting as the scripting interpreter for the drop.
• [T1547.001] Boot or Logon Autostart Execution – Persistence via startup/autorun mechanisms (e.g., task scheduler entries) to maintain presence. “After installing the IcedID into the victim’s system, it adds the DLL files into the task scheduler entry for its persistence.”
• [T1497] Virtualization/Sandbox Evasion – Defenses are bypassed by new templates that circumvent Protected View to run macros. “…new template that contains instructions to bypass Microsoft’s Protected View.”
• [T1087] Account Discovery – The article’s MITRE mapping includes Account Discovery as a phase of the attack sequence. “…Account Discovery”
• [T1071] Application Layer Protocol – Ingress Tool Transfer – The malware communicates with C2 and transfers tools via application-layer protocols. “…connects to the C&C server for further instructions or to install additional payloads.”
• [T1105] Ingress Tool Transfer – Downloading Emotet/IcedID payloads from remote URLs. “…downloads Emotet DLL (Dynamic Link Library) file from the following URLs…”