Emotet Malware Is Back – Virus Analysis | Proofpoint US

Emotet resurfaced in early November 2022 after a four-month hiatus, resuming high-volume email campaigns and acting as a delivery network for other malware families. Proofpoint notes significant changes to Emotet’s lures, payloads, modules, loader, and packer, plus new malware drops like IcedID and Bumblebee, suggesting possible new operators or management. #TA542 #Emotet #IcedID #XMRig #Proofpoint

Key points

  • Emotet returns to the email threat landscape in November 2022, delivering hundreds of thousands of emails per day.
  • There are notable changes to lures (new Excel visuals), the Emotet binary, loader, and packer, with IcedID (and Bumblebee) observed as payloads.
  • Emotet again functions as a delivery network for other malware families, including IcedID and potentially others.
  • New operators or management may be involved, evidenced by deviations in C2 infrastructure and module behavior.
  • Macro-based Excel attachments remain the primary delivery method, now instructing victims to copy files to a trusted Template location to trigger execution.
  • IcedID loader variant observed, including a new two-stage loader and decrypted bot payload, with indicators of more integrated IcedID/Emotet activity.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – Excel attachments used as a lure to deliver Emotet (‘The malicious content included in the emails … typically an Excel attachment or a password-protected zip attachment with an Excel file inside.’)
  • [T1059.005] Visual Basic – Office Macros – Excel files contain XL4 macros that download the Emotet payload from several built-in URLs (‘Excel files contain XL4 macros that download the Emotet payload from several (typically four) built-in URLs.’)
  • [T1105] Ingress Tool Transfer – Downloader fetches payload from remote sources (‘The Excel files contain XL4 macros that download the Emotet payload …’)
  • [T1071.001] Web Protocols – C2 communications over HTTP/HTTPS to fetch the next stage (‘the loader starts by resolving the APIs needed to execute properly then it makes up to two HTTP requests to download the encrypted next stage.’)
  • [T1140] Deobfuscate/Decode Files or Information – Botpack/bot decryption and unpacking steps (‘decrypting botpack and parsing out the DLL loader and the encrypted bot’)
  • [T1027] Obfuscated/Compressed Files and Information – Payload obfuscation and arithmetic to hide values (‘obfuscated arithmetic to return a constant value’)
  • [T1496] Resource Hijacking – Cryptocurrency mining with XMRig (‘XMRig miner … contains a configuration that specifies the mining pool and the wallet address’)
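The XL4 (Excel 4.0) macro delivery described under T1059.005 leaves a structural trace in the attachment itself: an OOXML workbook carries macro sheets under xl/macrosheets/ and the lure sheets are typically marked hidden or veryHidden in xl/workbook.xml. The following triage check is an added example written for this page, not Proofpoint's code; the workbook it inspects is a constructed, synthetic container (not an Emotet sample), and the check covers only zip-based .xlsx/.xlsm files, not legacy BIFF .xls.

```python
import io
import re
import zipfile

# Constructed minimal workbook.xml: one visible sheet plus a veryHidden
# sheet, the layout typical of XL4-macro lures. Synthetic, not a real sample.
WORKBOOK_XML = (
    '<?xml version="1.0"?><workbook><sheets>'
    '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
    '</sheets></workbook>'
)


def build_sample(include_macro: bool = True) -> bytes:
    """Build an in-memory OOXML container; optionally add an XL4 macro sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", WORKBOOK_XML)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if include_macro:
            # Excel stores Excel 4.0 macro sheets in this part of the package.
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


def triage_xl4(data: bytes) -> dict:
    """Flag OOXML workbooks that combine XL4 macro sheets with hidden sheets."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        macrosheets = [n for n in names if n.startswith("xl/macrosheets/")]
        hidden = []
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            # <sheet ...> elements only; \b keeps <sheets> from matching.
            for tag in re.findall(r"<sheet\b[^>]*>", wb):
                state = re.search(r'state="(\w+)"', tag)
                name = re.search(r'name="([^"]*)"', tag)
                if state and state.group(1) in ("hidden", "veryHidden"):
                    hidden.append(name.group(1) if name else "?")
    return {
        "xl4_macro_sheets": macrosheets,
        "hidden_sheets": hidden,
        # Hidden sheets alone are common in benign files; the pairing with
        # a macro sheet is what merits analyst attention.
        "suspicious": bool(macrosheets) and bool(hidden),
    }


if __name__ == "__main__":
    print(triage_xl4(build_sample()))
```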

Indicators of Compromise

  • [Hash] IcedID SHA256 Observed on Emotet E4 – 05a3a84096bcdc2a5cf87d07ede96aff7fd5037679f9585fee9a227c0d9cbf51 – First Seen: 3 November 2022
  • [Domain] IcedID domain containing the encrypted bot – Bayernbadabum[.]com – First Seen: 3 November 2022
  • [Hash] XMRig module SHA256 delivered to E4 – 99580385a4fef0ebba70134a3d0cb143ebe0946df148d84f9e43334ec506e301 – First Seen: 13 September 2022

Read more: https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return