Emotet has returned after four months of inactivity, reviving spam campaigns and leveraging its loader-as-a-service model to deploy other malware. The campaign shows evolving social engineering and obfuscation techniques, continuing to drop modules like IcedID, Bumblebee, and even miners, while maintaining strong links to the Epoch5/EtterSilent ecosystem. #Emotet #AshkERE
Keypoints
- Emotet re-emerged in November 2022 after a four-month lull, resuming the operations that researchers had been tracking before the pause.
- Historically a banking Trojan, Emotet now operates as a loader-as-a-service (LaaS), distributing additional malware for ransomware gangs.
- The current campaign uses spearphishing attachments (maldocs) with an Excel-based social-engineering technique to bypass Mark-of-the-Web and trigger macros.
- Emotet distributions rely on EtterSilent maldoc builder, with AshkERE identified as a key figure behind EtterSilent.
- Persistence and execution leverage LOLBins (regsvr32.exe), DLL loading, and Windows registry keys so the dropped DLL runs at every startup and downloaded payloads are executed.
- Network behavior features obfuscated C2 addresses and new encryption approaches (ECDH/ECDSA) for communications; observed C2 IPs and domains tied to Emotet operations.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The campaign uses a spear phishing attachment technique to deliver maldocs. Quote: “a spear phishing attachment technique [T1566.001].”
- [T1059.001] PowerShell – Emotet uses a downloaded PowerShell script (‘tps1.ps1’) to fetch additional payloads. Quote: “downloaded PowerShell script (‘tps1.ps1’)”.
- [T1105] Ingress Tool Transfer – The malware downloads and saves files from URLs using URLDownloadToFileA. Quote: “CALL URLDownloadToFileA … download and save files to the disk”.
- [T1218.011] Signed Binary Proxy Execution: Regsvr32 – The LOLBin regsvr32.exe is used to load and execute DLLs. Quote: “regsvr32.exe” and “regsvr32.exe /S ..oxnv1.ooccxx”.
- [T1547.001] Registry Run Keys/Startup Folder – Persistence is maintained by adding Windows registry keys to execute DLLs at startup. Quote: “adding multiple keys to the Windows registry, which will execute the DLL at every restart”.
- [T1027] Obfuscated/Compressed Files and Information – C2 addresses/ports are obfuscated and the sample shows packing and high entropy. Quote: “IP addresses and ports of the C2 servers are obfuscated in functions” and “high entropy of the text section … packed”.
- [T1071.001] Web Protocols – Emotet uses network communications to reach C2 servers over web protocols. Quote: “Networks communications showing direct requests to one of Emotet’s C2.”
- [T1059.005] Visual Basic for Applications – Malicious macros are used in Excel documents to trigger payload execution. Quote: “macros” and “the Excel macro will run immediately”.
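The regsvr32 behaviour described under T1218.011 (a silent `/S` load of a file with a non-DLL extension from a relative, user-writable path) is easy to hunt for in process-creation telemetry. The following detection helper is an added example, not code from the Intrinsec report; the Sysmon-style events are constructed samples, and the `..\oxnv1.ooccxx` command line assumes the backslash that the quoted text dropped.

```python
import re
from pathlib import PureWindowsPath

# Extensions regsvr32 is expected to load; anything else is a proxy-execution signal.
EXPECTED_EXT = {".dll", ".ocx", ".ax"}
# User-writable locations where a maldoc-dropped Emotet DLL typically lands.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed process-creation events (Sysmon-like field names, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /S ..\\oxnv1.ooccxx",
     "CurrentDirectory": "C:\\Users\\alice\\AppData\\Local\\Temp\\x\\"},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\ctl.dll"',
     "CurrentDirectory": "C:\\Windows\\System32\\"},
    {"Image": "C:\\Program Files\\Editor\\editor.exe",
     "CommandLine": "editor.exe notes.txt",
     "CurrentDirectory": "C:\\Users\\alice\\"},
]

def regsvr32_target(cmdline):
    """Return the path regsvr32 was asked to load, skipping switches such as /S, /u, /n, /i:."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)  # split on whitespace, keep quoted paths whole
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue
        return tok.strip('"')
    return None

def score_event(ev):
    """Return the reasons an event looks like Emotet-style regsvr32 abuse; [] means benign."""
    reasons = []
    if PureWindowsPath(ev["Image"]).name.lower() != "regsvr32.exe":
        return reasons
    target = regsvr32_target(ev["CommandLine"])
    if target is None:
        return reasons
    ext = PureWindowsPath(target).suffix.lower()
    if ext not in EXPECTED_EXT:
        reasons.append(f"non-standard extension {ext or '(none)'}")
    # Resolve relative targets against the process working directory before checking location.
    path = PureWindowsPath(target)
    full = str(path if path.is_absolute() else PureWindowsPath(ev["CurrentDirectory"]) / target)
    if any(d in full.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("target under user-writable directory")
    if ".." in target:
        reasons.append("relative parent-directory path")
    return reasons

def find_suspicious(events):
    """Pair each flagged command line with its reasons."""
    return [(ev["CommandLine"], score_event(ev)) for ev in events if score_event(ev)]
```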
Indicators of Compromise
- [IP Address] C2/IPs – 182.162.143.56 (C2), 159.65.88.10 (example in emulation), 39.65.8.170 (listed in Bumblebee config), 103.144.139.156 (Bumblebee C2). These show direct communications with Emotet-related payloads.
- [Domain] Domains – spkdeutshnewsupp.com (observed in IcedID/Bumblebee workflows); clanbaker.org (used in described payloads); and other obfuscated domains referenced in campaign analysis.
- [File hash] Hashes – 06b3d3c50da5054b9e37fb6c429c560484be457a09a900b21b5185cf10128ed4; 199a2e0e1bb46a5dd8eb3a58aa55de157f6005c65b70245e71cecec4905cc2c0.
- [File name] Artifacts – tps1.ps1 (PowerShell loader); bb.dll (Bumblebee DLL).
Read more: https://www.intrinsec.com/emotet-returns-and-deploys-loaders/