Emotet has evolved into a modular botnet capable of downloading up to 16 modules for credential theft, email harvesting, and spam delivery. The analysis covers its infection chain, module types (Process List, Mail PassView, WebBrowser PassView, Outlook/Thunderbird grabbers, Spam, UPnP), hardcoded C2 IPs, and a notable rise in activity since its 2021 comeback.
Keypoints
- Emotet now supports 16 modules; 10 were retrieved, including two Spam modules, used for credential theft and spamming.
- Infection typically starts with spam emails containing Office documents; malicious macros launch PowerShell to download and run an Emotet DLL.
- Emotet creates a random-named service and, if that fails, a Run registry key to achieve persistence.
- Upon launch, Emotet registers with hardcoded C2 IPs and loads modules via Rundll32, using encryption and signature checks to secure payloads.
- Modules include Process List, Mail PassView, WebBrowser PassView, Outlook/Thunderbird grabbers, Spam, and UPnP, with modules delivered on demand and obfuscated to evade detection.
- Geographic distribution shows rising activity in 2022, with Italy, Russia, Japan, and others being targeted; no IOC hashes are provided due to polymorphism.
MITRE Techniques
- [T1566.001] Phishing – A typical Emotet infection begins with spam e-mails delivered with Microsoft Office attachments. Malicious macros are used to start PowerShell, and download and execute an Emotet DLL. ‘A typical Emotet infection begins with spam e-mails delivered with Microsoft Office (Word, Excel) attachments. Malicious macros are used to start PowerShell, and download and execute an Emotet DLL.’
- [T1059.001] PowerShell – Malicious macros are used to start PowerShell. ‘Malicious macros are used to start PowerShell, and download and execute an Emotet DLL.’
- [T1105] Ingress Tool Transfer – The macros download and execute an Emotet DLL. ‘start PowerShell, and download and execute an Emotet DLL.’
- [T1218.011] Rundll32 – The Emotet payload is loaded via Rundll32. ‘the Emotet module comes in the form of a DLL that is parsed and loaded directly into the Rundll32 process.’
- [T1543.003] Windows Service – Emotet creates a Windows service via CreateServiceW. ‘The Emotet malware creates a service by calling the CreateServiceW() function.’
- [T1060] Run Keys/Startup Folder – Persistence via Run registry key when service creation fails. ‘If the attempt to create a new service fails, Emotet creates a new registry key in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run …’
- [T1016] System Network Configuration Discovery – Module enumerates network interfaces to determine reachable paths for remote control. ‘The module enumerates the network interfaces and compares their addresses with the IP address obtained from the module’s configuration settings.’
- [T1133] External Remote Services – UPnP module opens ports and enables remote access; uses AddPortMapping to allow port forwarding. ‘The module can open the following ports: 80, 443, 8080, … If suitable devices are found, the module tries to reconfigure them using AddPortMapping to allow port forwarding.’
- [T1071] Command and Control – C2 communications and payload delivery/back-and-forth with modules. ‘During communication, C2 returns the module bodies and configuration.’
- [T1057] Process Discovery – Process List module sends the list of running processes back to C2. ‘This module sends the list of running processes back to C2.’
- [T1114] Email Collection – Outlook/Thunderbird grabbers collect emails and addresses and send to C2. ‘A data exfiltration module for Outlook. The module uses the Outlook Messaging API interface, iterates through Outlook profiles and extracts all displayed names and mail addresses … and sends the collected e-mail addresses to C2.’
- [T1555] Credential Access – Mail PassView / WebBrowser PassView reveal passwords and account details for email clients and browsers. ‘the embedded executable called Nir Sofer’s Mail PassView, a password recovery tool that reveals passwords and account details for various e-mail clients’ and ‘WebBrowser PassView module … reveals passwords and other account details in various web browsers.’
- [T1114] Email Collection (Thunderbird) – Thunderbird grabbers extract and exfiltrate e-mail data. ‘Thunderbird Address Grabber module’ and ‘Thunderbird E-mails Grabber module’ describe collection of contact info and emails.
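Turning the chain described above (Office macro, PowerShell, Rundll32 loading the DLL, Run-key fallback for persistence) into detection logic, as an added example that is not part of the original analysis: it runs over constructed Sysmon-style process-create and registry-set records, and the field names, PIDs and the DLL path are assumptions, not indicators from the article.

```python
"""Added detection example (not from the Securelist article): flag the
Emotet-style lineage Office -> PowerShell -> rundll32 and an HKCU Run-key
write by a process in that lineage, over constructed event records."""

OFFICE = {"winword.exe", "excel.exe"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

# Constructed sample events (not real telemetry): id 1 = process create,
# id 13 = registry value set, modelled loosely on Sysmon event IDs.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"id": 1, "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\hzfa.dll,Control_RunDLL"},
    {"id": 13, "pid": 300, "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzfa"},
    # Benign rundll32 launched from Explorer: must not be flagged.
    {"id": 1, "pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) alerts: the three-process lineage, then any
    HKCU Run-key write made by a process that matched the lineage."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts, flagged = [], set()
    for e in procs.values():
        if base(e["image"]) != "rundll32.exe":
            continue
        parent = procs.get(e["ppid"])
        grand = procs.get(parent["ppid"]) if parent else None
        if parent and grand and base(parent["image"]) == "powershell.exe" \
                and base(grand["image"]) in OFFICE:
            flagged.add(e["pid"])
            alerts.append(("office->powershell->rundll32", e["pid"], e.get("cmdline", "")))
    for e in events:
        if e["id"] == 13 and e["pid"] in flagged and e["target"].lower().startswith(RUN_KEY):
            alerts.append(("run-key-persistence", e["pid"], e["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The service-creation path (CreateServiceW with a random name) is not covered here because service-install events carry no parent lineage; correlate those separately by the image path the new service points to.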
Indicators of Compromise
- [IP addresses] C2 IP addresses – 70.36.102.35:443, 197.242.150.244:8080, and other C2 IPs (as listed in the article)
Read more: https://securelist.com/emotet-modules-and-recent-attacks/106290/