Emotet—a modular banking trojan that can download other malware such as TrickBot and IcedID—has re-emerged, with Cisco GTA enhancing detection coverage for its latest wave. The article details its infection flow, PowerShell payload chain, observable IOCs, and recommended mitigations to keep networks and endpoints safe from evolving Emotet activity. Hashtags: #Emotet #Ryuk #CobaltStrike #Log4J
Key points
- Emotet is a modular malware that can serve as a dropper for other payloads (e.g., TrickBot, IcedID) and can act as an initial payload in a multi-stage infection.
- It can remain inactive for extended periods, enabling adversaries to launch staged attacks when needed.
- The initial infection method is phishing with an attached Office document; macros are enabled to drop the Emotet DLL.
- During infection, Emotet downloads a PowerShell payload that subsequently retrieves the Emotet binary and establishes C2 communications.
- Emotet utilizes HTTP/HTTPS for C2 on ports 80, 8080, and 443, with observable IOCs including IPs, domains, and hostnames linked to its activity.
- Cisco GTA detects Emotet as high-risk and provides IOCs, file modification patterns, and endpoint/network detection guidance to mitigate the threat.
MITRE Techniques
- [T1566.001] Phishing – “phishing, via an email with an attached file … enable macros” – “According to the analysis … the attack vector seems to be phishing, via an email with an attached file (1). The file contained in the phishing email is an Office document (2). When the victims open the Office document files and enable macros (3), the Emotet DLL is downloaded in the victim’s device (4).”
- [T1204.002] User Execution – “open the office document files and enable macros” – User opens a document and enables macros to execute the payload.
- [T1059.001] PowerShell – “PowerShell payload” downloaded to fetch Emotet binary and establish C2.
- [T1105] Ingress Tool Transfer – “downloads a PE file and then establishes a communication with its Command and Control” – Emotet downloads the binary/PE file as part of infection.
- [T1071.001] Web Protocols – “establishes a communication with its Command and Control, using HTTP or HTTPS protocols, on ports 80, 8080 and 443”
- [T1497] Virtualization/Sandbox Evasion – “Polymorphic – can evade signature-based detection” and “Virtual machine aware”
Indicators of Compromise
- [IP Address] Communications with known Emotet infrastructure – 91.240.118.172, 201.213.32.59
- [Domain] Domains related to Emotet activity – robertmchilespe.com, vbaint.com
- [URL] Infection chain URLs – hxxp://91.240.118[.]172/hh/hello.png, hxxp://ttisecurity[.]com/cgi/7RFeiqkgymCs/
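As an added defender-side example (not code from the Cisco GTA article), the script below refangs the indicators listed above, matches them against proxy log lines, and flags whether the destination port is one of the C2 ports named on the page; the log line format and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Optional

# Indicators exactly as listed on the page, kept in their defanged form.
IOCS = {
    "ip": ["91.240.118.172", "201.213.32.59"],
    "domain": ["robertmchilespe.com", "vbaint.com"],
    "url": ["hxxp://91.240.118[.]172/hh/hello.png",
            "hxxp://ttisecurity[.]com/cgi/7RFeiqkgymCs/"],
}
C2_PORTS = {80, 8080, 443}  # C2 ports named on the page

def refang(ioc: str) -> str:
    """Restore a defanged indicator (hxxp://, [.]) so it can be compared with live log data."""
    return ioc.replace("hxxp://", "http://").replace("[.]", ".")

# Assumed proxy log format: "<timestamp> <src_ip> <dst_host>:<dst_port> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")

def match_line(line: str) -> Optional[dict]:
    """Return a match record if the line touches a listed IOC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, port, _method, url = m.groups()
    host = host.lower()
    hits = []
    if host in IOCS["ip"]:
        hits.append(("ip", host))
    for d in IOCS["domain"]:
        if host == d or host.endswith("." + d):  # exact host or any subdomain
            hits.append(("domain", d))
    for u in IOCS["url"]:
        if url.lower().startswith(refang(u).lower()):
            hits.append(("url", u))
    if not hits:
        return None
    return {"ts": ts, "src": src, "dst": f"{host}:{port}",
            "c2_port": int(port) in C2_PORTS, "hits": hits}

def scan(log_text: str) -> list:
    """Run match_line over every line of a log and collect the hits."""
    return [r for r in (match_line(l) for l in log_text.splitlines()) if r]

# Constructed sample log lines (not real traffic): an IOC IP, an IOC subdomain, a clean host.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 10.1.2.3 91.240.118.172:8080 GET http://91.240.118.172/hh/hello.png
2022-03-01T10:00:05Z 10.1.2.4 www.vbaint.com:443 POST https://www.vbaint.com/
2022-03-01T10:00:09Z 10.1.2.5 example.org:443 GET https://example.org/index.html
"""

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec)
```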