The Return of Emotet
The notorious Emotet malware is staging a comeback of sorts, months after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. While the malware maintainers remain unknown, this campaign suspiciously coincides with the Russian invasion of Ukraine.

Indicators of Compromise

zhivir.com
www.cenomp.com.br
www.lavameapp.com.ar
e3technology.in
aaticd.co.za
www.altinoluk-akcay.com
www.muslimproperty.co.uk
da-industrial.com
lista33rivera.uy
blog.centerking.top
frascona.com.ar
ispapazarlama.com.tr
buffetmazzi.com.br
armannahalpersian.ir
www.almoeqatar.com
hacktool.win32.toolpow.sm
formulationdrugstore.com
cointrade.world
click.discover
kulshai.com
advisereviews.com
diacrestgroup.com
merturku.com
saeblaser.com
wanderlustphtravel.com
winnieswondersaviary.com
pregy.org
ckfoods.net
server.zmotpro.com
consejosdeorlando.com
chadhymas.com
abdellglobalservice.com
www.techniquesbroadband.net
curite.net
flexaviationcenter.com
msndesign.nl
aliceevefan.com
www.arisgears.com
nameserversecurity.com
mivaria.com
www.sunflowerlaboratory.in
im2020.vip
info.openjdklab.xyz
85.lp.ret.sbx.tg
cupsolution.com
aesiafrique.com
www.apesb.com
easassessoria.com.br
el28.one
petrol.ir
soprateste.zip
www.birebiregitim.net
click.zero
greycoconut.com
loa-hk.com
zarzamora.com.mx
borgelin.org
realmacnow.com
avjcomp.ru
baronandstagger.com
galileuconcursos.com.br
enamsg.com
flywithme.dk
barcoindo.com
www.poljimenez.com
www.equus.com
eles-tech.com
ballpointmedia.com
yardgaosei.info
atici.net
oftalmocity.com
baboonworks.com
brutobrasil.com.br
github.co
musculation-esisa.fr
www.altoxi.com
disweb.sk
www.mivaria.com
www.clinicaportalpsicologia.com.br
cnrsindia.in
flumedya.com
smelecpro.com
pianistprodigy.com
submit.org
baykusoglu.com.tr
www.akatsaestateinterior.co.ke
balletmagazine.ro
bjornbol.dk
click.open
www.ara-choob.com
www.omarhospital.com
actua.dk
jetanahtarcilingir.net
progea4d.pl
zonainformatica.es
2fgithub.com
gedebey-tvradio.info
cenaf.com.co
yywbl.com
jimlowry.com
aplicativos.xyz
click.contact
risamfg.com
eliteturismo.com
tugbagoncaguzellik.com
abildtrup.eu
newspraize.com
haircutbar.com
udsp77.com
seasidesolutions.com
support.techopesolutions.com
domesticuif.co.za
www.manchesterslt.co.uk
medreg.uz
www.garantihaliyikama.com
herscan.io
scandryer.se
parsmemoryesfahan.ir
lopespublicidade.com
belisip.net
continue.email
epac.dz
escueladecinemza.com.ar
cloudsphere.com.mx
www.fabmasters.net
dmaicinnovations.com
yakosurf.com
dbmtechnologies.ca
praachichemfood.com
www.fundaciontheoz.cl
bpsjambi.id
www.ayelet.info
greenlizard.co.za
goodfriendsdriving.com
click.talk
fractal.vn
puntamimarlik.com.tr
xsnonline.us
atperson.com
thailand-rocco.com
mayatherm.com
focusmedica.in
repository.click
agen.ee
alsafwa.com.ly
bosny.com
biesenbeek.nl
sk-1-b9833c.ingress-florina.ewp.live
fi.oclean.com
vulkanvegasbonus.jeunete.com
click.compare
businessandhr.com
lpj917.com

APT Groups (6)

MUMMY SPIDER
Aliases: TA542, GOLDCRESTWOOD, GOLD CRESTWOOD

TA505 (Russian Federation)
Aliases: Gold Evergreen, Chimborazo, ATK 103, Gold Tahoe, Graceful Spider, Spandex Tempest, SectorJ04, TA505, Hive0065, TEMP.Warlock

Killnet (Russian Federation)

GOLD CABIN
Aliases: TA551, G0127, ATK236, Monster Libra, Shakthak, MonsterLibra

Silence group

Description of MISP: A relatively new threat actor that has been operating since mid-2016. Group-IB has exposed the attacks committed by the Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on the tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on the language of their commands, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

Description of Mitre: Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. [1][2]

Description of Etda: (Group-IB) Group-IB has exposed the attacks committed by the Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on the tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on the language of their commands, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services. Group-IB found several relationships between Silence and TA505, Graceful Spider, Gold Evergreen.

Aliases: ATK 86, Whisper Spider, Contract Crew, Silence, TEMP.TruthTeller, TAG-CR8

Earth Berberoka (China)
Aliases: Earth Berberoka, EarthBerberoka, GamblingPuppet

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Technique (ATT&CK ID) and observed use

OS Credential Dumping: LSASS Memory [T1003.001]

Emotet has been observed dropping password grabber modules including Mimikatz.

Remote Services: SMB/Windows Admin Shares [T1021.002]

Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.

Obfuscated Files or Information [T1027]

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, cmd.exe arguments, and PowerShell scripts.

Obfuscated Files or Information: Software Packing [T1027.002]

Emotet has used custom packers to protect its payloads.

Network Sniffing [T1040]

Emotet has been observed to hook network APIs to monitor network traffic.

Exfiltration Over C2 Channel [T1041]

Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its command and control (C2) servers.

Windows Management Instrumentation [T1047]

Emotet has used WMI to execute powershell.exe.

Process Injection: Dynamic-link Library Injection [T1055.001]

Emotet has been observed injecting into Explorer.exe and other processes.

Process Discovery [T1057]

Emotet has been observed enumerating local processes.

Command and Scripting Interpreter: PowerShell [T1059.001]

Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.

Command and Scripting Interpreter: Windows Command Shell [T1059.003]

Emotet has used cmd.exe to run a PowerShell script.

Command and Scripting Interpreter: Visual Basic [T1059.005]

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.

Valid Accounts: Local Accounts [T1078.003]

Emotet can brute force a local admin password, then use it to facilitate lateral movement.

Account Discovery: Email Account [T1087.003]

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.

Brute Force: Password Guessing [T1110.001]

Emotet has been observed using a hard-coded list of passwords to brute force user accounts.

Email Collection: Local Email Collection [T1114.001]

Emotet has been observed leveraging a module that scrapes email data from Outlook.

User Execution: Malicious Link [T1204.001]

Emotet has relied upon users clicking on a malicious link delivered through spearphishing.

User Execution: Malicious File [T1204.002]

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.

Exploitation of Remote Services [T1210]

Emotet has been seen exploiting SMB using an exploit such as ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.

Create or Modify System Process: Windows Service [T1543.003]

Emotet has been observed creating new services to maintain persistence.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]

Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.

Scheduled Task/Job: Scheduled Task [T1053.005]

Emotet has maintained persistence through a scheduled task.

Unsecured Credentials: Credentials In Files [T1552.001]

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

Emotet has been observed dropping browser password grabber modules.

Archive Collected Data [T1560]

Emotet has been observed encrypting the data it collects before sending it to the C2 server.

Phishing: Spearphishing Attachment [T1566.001]

Emotet has been delivered by phishing emails containing attachments.

Phishing: Spearphishing Link [T1566.002]

Emotet has been delivered by phishing emails containing links.

Non-Standard Port [T1571]

Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to the ports commonly associated with HTTP and HTTPS.

Encrypted Channel: Asymmetric Cryptography [T1573.002]

Emotet is known to use RSA keys for encrypting C2 traffic.
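Two of the entries above (the domain indicators listed at the top of the page and the Non-Standard Port behaviour, T1571) translate directly into a log check. The script below is an added example, not code from the original page or from any vendor: it parses constructed key=value proxy log records (the format and the sample lines are assumptions for this example), flags hosts that match a subset of the page's indicators with parent-domain matching, and flags plain HTTP to the ports the page names. The indicator subset is copied from the page; everything else is illustrative.

```python
"""Added example (not from the original page): flag proxy log records that
match this campaign's published domain indicators or its non-standard-port
HTTP pattern (T1571).  Log format and sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Subset of the domain indicators listed on the page.  Stored without a
# leading "www." so a host and its registrable domain match alike.
IOC_DOMAINS: Set[str] = {
    "zhivir.com", "mivaria.com", "cupsolution.com",
    "blog.centerking.top", "sk-1-b9833c.ingress-florina.ewp.live",
}

# Ports the page reports Emotet using for HTTP C2, besides the usual web ports.
EMOTET_HTTP_PORTS = {20, 22, 7080, 50000}
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}

# Constructed record format (an assumption for this example):
# ts=... src=... dst=... dport=... proto=http|https host=...
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict; unparseable lines give {}."""
    return dict(KV_RE.findall(line))


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def matches_ioc(host: str, iocs: Set[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the matching indicator for the host or any parent domain
    (never the bare TLD), or None."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run both checks over every record and collect one Finding per reason."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        try:
            dport = int(rec.get("dport", "0"))
        except ValueError:
            continue
        reasons = []
        host = rec.get("host", "")
        ioc = matches_ioc(host) if host else None
        if ioc:
            reasons.append(f"host matches campaign indicator {ioc}")
        plain_http = rec.get("proto") == "http"
        if plain_http and dport in EMOTET_HTTP_PORTS:
            reasons.append(f"plain HTTP on Emotet-associated port {dport} (T1571)")
        elif plain_http and dport not in STANDARD_WEB_PORTS:
            reasons.append(f"plain HTTP on non-standard port {dport}")
        for reason in reasons:
            findings.append(Finding(rec.get("ts", ""), rec.get("src", ""),
                                    rec.get("dst", ""), dport, reason))
    return findings


# Constructed sample records (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    "ts=2022-03-10T08:01:02Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=https host=www.example.org",
    "ts=2022-03-10T08:01:09Z src=10.0.0.5 dst=203.0.113.20 dport=7080 proto=http host=203.0.113.20",
    "ts=2022-03-10T08:02:15Z src=10.0.0.7 dst=198.51.100.4 dport=80 proto=http host=www.mivaria.com",
    "ts=2022-03-10T08:03:33Z src=10.0.0.9 dst=198.51.100.9 dport=8080 proto=http host=proxy.example.org",
    "ts=2022-03-10T08:04:41Z src=10.0.0.9 dst=198.51.100.12 dport=50000 proto=http host=cdn.zhivir.com",
    "garbage line without fields",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The parent-domain walk is what makes the page's list usable as written: it contains both mivaria.com and www.mivaria.com, and a host such as cdn.zhivir.com should still hit zhivir.com. The same list also contains entries that do not look like C2 hostnames (hacktool.win32.toolpow.sm reads like a detection name, and several entries are bare two-label strings), so review an indicator before turning a match into a block rather than an alert.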

Reports & References (2)

Observed Countries (250)

AD (856)
AE (909)
AF (143)
AG (869)
AI (480)
AL (221)
AM (561)
AO (891)
AQ (740)
AR (793)
AS (636)
AT (287)
AU (641)
AW (905)
AX (467)
AZ (149)
BA (998)
BB (561)
BD (245)
BE (274)
BF (658)
BG (866)
BH (851)
BI (257)
BJ (26)
BL (892)
BM (309)
BN (854)
BO (707)
BQ (739)
BR (943)
BS (987)
BT (831)
BV (773)
BW (220)
BY (440)
BZ (480)
CA (59)
CC (190)
CD (464)
CF (916)
CG (162)
CH (257)
CI (838)
CK (183)
CL (386)
CM (635)
CN (351)
CO (357)
CR (760)
CU (925)
CV (754)
CW (352)
CX (445)
CY (463)
CZ (866)
DE (639)
DJ (91)
DK (981)
DM (291)
DO (852)
DZ (916)
EC (875)
EE (708)
EG (379)
EH (207)
ER (397)
ES (875)
ET (346)
FI (902)
FJ (613)
FK (450)
FM (903)
FO (45)
FR (228)
GA (849)
GB (770)
GD (508)
GE (780)
GF (639)
GG (781)
GH (778)
GI (29)
GL (905)
GM (802)
GN (868)
GP (973)
GQ (774)
GR (610)
GS (552)
GT (601)
GU (236)
GW (350)
GY (518)
HK (358)
HM (572)
HN (464)
HR (85)
HT (650)
HU (96)
ID (815)
IE (281)
IL (490)
IM (104)
IN (549)
IO (950)
IQ (535)
IR (797)
IS (237)
IT (892)
JE (55)
JM (454)
JO (899)
JP (168)
KE (727)
KG (758)
KH (350)
KI (955)
KM (835)
KN (401)
KP (80)
KR (875)
KW (529)
KY (468)
KZ (365)
LA (681)
LB (740)
LC (359)
LI (782)
LK (871)
LR (1)
LS (52)
LT (416)
LU (918)
LV (930)
LY (462)
MA (502)
MC (71)
MD (954)
ME (532)
MF (349)
MG (515)
MH (189)
MK (963)
ML (981)
MM (574)
MN (174)
MO (84)
MP (908)
MQ (652)
MR (169)
MS (86)
MT (581)
MU (806)
MV (59)
MW (67)
MX (79)
MY (892)
MZ (237)
NA (907)
NC (5)
NE (434)
NF (265)
NG (724)
NI (990)
NL (926)
NO (445)
NP (645)
NR (533)
NU (914)
NZ (866)
OM (376)
PA (827)
PE (556)
PF (23)
PG (371)
PH (758)
PK (445)
PL (551)
PM (969)
PN (950)
PR (885)
PS (798)
PT (595)
PW (328)
PY (475)
QA (694)
RE (644)
RO (2)
RS (539)
RU (125)
RW (967)
SA (8)
SB (662)
SC (805)
SD (353)
SE (836)
SG (816)
SH (726)
SI (216)
SJ (349)
SK (584)
SL (69)
SM (505)
SN (629)
SO (752)
SR (300)
SS (988)
ST (748)
SV (727)
SX (55)
SY (76)
SZ (737)
TC (987)
TD (418)
TF (242)
TG (558)
TH (799)
TJ (60)
TK (247)
TL (254)
TM (499)
TN (288)
TO (125)
TR (159)
TT (579)
TV (912)
TW (469)
TZ (855)
UA (864)
UG (630)
UM (260)
US (868)
UY (799)
UZ (393)
VA (114)
VC (432)
VE (918)
VG (926)
VI (530)
VN (335)
VU (33)
WF (240)
WS (189)
XK (924)
YE (749)
YT (351)
ZA (263)
ZM (53)
ZW (841)