Emotet Sending Malicious Emails After Three-Month Hiatus

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – Emotet arrives via malicious emails with attached .zip files. ‘Malicious emails contain attached .zip files that are not password protected.’
• [T1204.002] User Execution: Malicious File – The attached .zip files deliver Office documents with malicious macros; when opened, the user is prompted to “Enable Content”, which will allow the malicious macros to run. ‘When opened, the user is prompted to “Enable Content”, which will allow the malicious macros to run.’
• [T1059.005] Command and Scripting Interpreter: Visual Basic – Office macros download and execute Emotet DLL. ‘The macros will download an Emotet .dll from an external site and execute it locally on the machine.’
• [T1105] Ingress Tool Transfer – Downloading the Emotet DLL from an external site and executing it locally. ‘The macros will download an Emotet .dll from an external site and execute it locally on the machine.’
• [T1021] Lateral Movement – Emotet can spread itself across networks without user interaction. ‘spread itself across networks without user interaction.’
• [T1499] Endpoint Denial of Service: DDoS – Modern Emotet can perform distributed denial-of-service attacks. ‘distributed denial-of-service (DDoS) attacks—where attackers overwhelm websites with traffic until they crash or become inaccessible for legitimate visitors.’
• [T1486] Data Encrypted for Impact: Ransomware – Emotet can be used for ransomware attacks. ‘where attackers encrypt files on computers until victims pay a ransom.’
• [T1555.003] Credentials from Web Browsers – Emotet can steal passwords from web browsers. ‘steal passwords from web browsers.’