SOC Incident Toolkit
The Return of Emotet


The notorious Emotet malware is staging a comeback of sorts, months after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. While the malware maintainers remain unknown, this campaign suspiciously coincides with the Russian invasion of Ukraine.

Indicators of Compromise

Domains (153)


Hashes (9475)


IPv4 (350)


APT Groups

MUMMY SPIDER

TA505

Russian Federation

Killnet

Russian Federation

GOLD CABIN

Silence group

Earth Berberoka

China

Notes

Emotet's main infection vector is phishing: emails carrying malicious links or macro-embedded Microsoft Word files. Once deployed, Emotet can launch different malware payloads depending on the target machine and its goal. In recent years it has become one of the most commonly employed commodity malware families.

Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (Brute Force: Password Guessing [T1110.001], Valid Accounts: Local Accounts [T1078.003], Remote Services: SMB/Windows Admin Shares [T1021.002]).

Emotet is difficult to combat because of its "worm-like" features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.

Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (Exploitation of Remote Services [T1210]). Figure 1 lays out Emotet's use of enterprise techniques.

According to a new report from security researcher Luca Ebach (https://cyber.wtf/2021/11/15/guess-whos-back/), the infamous TrickBot malware (https://thehackernews.com/2021/11/trickbot-operators-partner-with-shatak.html) is being used as an entry point to distribute what appears to be a new version of Emotet on systems previously infected by the former. The latest variant (https://urlhaus.abuse.ch/url/1789877/) takes the form of a DLL file, with the first occurrence of the deployment detected on November 14.

Europol dubbed Emotet the "world's most dangerous malware" (https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action; see also https://securelist.com/the-chronicles-of-emotet/99660/) for its ability to act as a "door opener" for threat actors to obtain unauthorized access, becoming a precursor to many critical data theft and ransomware attacks. Interestingly, the loader operation enabled other malware families such as TrickBot, QakBot, and Ryuk to enter a machine.

The increase in Emotet activity (https://isc.sans.edu/diary/28044) has also been accompanied by a surge in malspam campaigns, with select infection chains dropping the loader directly using macro-enabled Word and Excel documents attached to stolen email threads, without relying on TrickBot (https://twitter.com/ffforward/status/1460425182313684993, https://twitter.com/MBThreatIntel/status/1460682216200019973).

"[Emotet is] back and retooled. Code and infrastructure has had updates, it is better secured now. It must be somebody/somebodies with access to original source code," security researcher Kevin Beaumont tweeted (https://twitter.com/GossiTheDog/status/1460682826773372931).

Summary of Emotet characteristics

- Modular banking trojan
- Downloader/Dropper
- Polymorphic – can evade signature-based detection
- Virtual machine aware

Emotet behavior

The attack flow is detailed in Figure 1. According to the analysis presented by Brad Duncan [2], the attack vector appears to be phishing via an email with an attached file (1). The file contained in the phishing email is an Office document (2). When the victim opens the Office document and enables macros (3), the Emotet DLL is downloaded to the victim's device (4). Once downloaded, the DLL is executed (5) and establishes the connection to the Emotet command and control (6) [5, 7].

Figure 1. Emotet attack flow

Attached files and PowerShell execution

Once the victim opens the infected file and enables the macros (mainly files with docx or xml extensions), a command is executed to obtain and execute an HTML application. The URL pattern observed for this step is the following:

hxxp://{IP address}/[yy]/[y].{html|png}

where "yy" is usually two alphabetical characters. For example, one of the URLs found in the wild:

hxxp://91.240.118[.]172/hh/hello.png

It then downloads a PowerShell payload, which in turn downloads the Emotet binary, a DLL file, from any of the URLs embedded in the content served from the URL described above. The format of these URLs varies; some of the observed patterns look like this:

http://ttisecurity[.]com/cgi/7RFeiqkgymCs/

where the regex is:

.*/(gci/){0,1}[a-z0-9\_]{3,20}$

Another pattern related to Emotet was:

.*/(wp-admin/){0,1}[a-z0-9\_]{3,20}$

During the download of the Emotet payload, the user agent pattern was: Mozilla/5.0 (Windows NT; Windows NT %; en-US) WindowsPowerShell/5.1.%

DLL execution and Emotet C2

Once the DLL file is on the infected system, it downloads a PE file and then establishes communication with its command and control over HTTP or HTTPS on ports 80, 8080 and 443 [2]. Even though some researchers claim there is no relationship between the Log4j vulnerability and Emotet, there are some common behaviours, such as the use of the same IPs for C2.
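As an added example (not code from this toolkit page or from any of the analyses it cites), the following Python applies the stage-1 URL pattern, the two DLL-download regexes and the PowerShell user agent string from the notes above to constructed proxy-log records and correlates the hits per client. The tab-separated record layout, the refang/lowercase/trailing-slash normalisation applied before the notes' lowercase-only regexes, and the client and server addresses in the sample log are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Stage 1 (macro -> HTML application) URL pattern from the notes:
# hxxp://{IP address}/[yy]/[y].{html|png}, where "yy" is usually two letters.
# The host must be an IPv4 literal; normalise() lowercases before matching.
STAGE1_HTA = re.compile(
    r"^https?://(?:\d{1,3}\.){3}\d{1,3}/[a-z]{2}/[a-z0-9_]+\.(?:html|png)$"
)

# Stage 2 (PowerShell -> Emotet DLL) regexes copied verbatim from the notes.
# They are lowercase-only and anchored at end of string, so normalise() below
# lowercases the URL and strips a trailing "/" first (this example's assumption).
STAGE2_DLL = [
    re.compile(r".*/(gci/){0,1}[a-z0-9\_]{3,20}$"),
    re.compile(r".*/(wp-admin/){0,1}[a-z0-9\_]{3,20}$"),
]

# User agent seen during the DLL download; the notes' "%" wildcards become ".*".
POWERSHELL_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows NT; Windows NT .*; en-US\) WindowsPowerShell/5\.1\..*$"
)


def normalise(url: str) -> str:
    """Refang defanged URLs ("[.]", "hxxp"), lowercase, and drop a trailing slash."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url.lower().rstrip("/")


def classify_request(url: str, user_agent: str) -> list[str]:
    """Return the names of the Emotet delivery indicators one proxy request matches."""
    hits: list[str] = []
    u = normalise(url)
    if STAGE1_HTA.match(u):
        hits.append("stage1_hta_url")
    ps_ua = POWERSHELL_UA.match(user_agent) is not None
    if ps_ua:
        hits.append("powershell_user_agent")
    # The stage-2 path regexes alone match any URL ending in a short plain
    # segment, so they only count when paired with the PowerShell user agent,
    # which is the combination the notes describe for the DLL download.
    if ps_ua and any(p.match(u) for p in STAGE2_DLL):
        hits.append("stage2_dll_url")
    return hits


@dataclass
class Finding:
    client: str
    url: str
    indicators: list[str]


def scan_proxy_log(text: str) -> list[Finding]:
    """Scan tab-separated records: time, client, method, url, status, user agent."""
    findings: list[Finding] = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip blank or malformed records instead of crashing
        _time, client, _method, url, _status, ua = fields
        hits = classify_request(url, ua)
        if hits:
            findings.append(Finding(client, url, hits))
    return findings


def likely_full_chain(findings: list[Finding]) -> set[str]:
    """Clients that fetched both the stage-1 HTA URL and a stage-2 DLL URL."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        seen.setdefault(f.client, set()).update(f.indicators)
    needed = {"stage1_hta_url", "stage2_dll_url"}
    return {client for client, inds in seen.items() if needed <= inds}


# Constructed sample log, not real traffic. The two indicator URLs are the ones
# quoted in the notes; the 10.0.4.x clients and 203.0.113.5 are placeholders.
SAMPLE_PROXY_LOG = "\n".join([
    "2022-03-10T09:14:02Z\t10.0.4.21\tGET\thttp://91.240.118.172/hh/hello.png\t200\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0)",
    "2022-03-10T09:14:05Z\t10.0.4.21\tGET\thttp://ttisecurity.com/cgi/7RFeiqkgymCs/\t200\t"
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1320",
    "2022-03-10T09:15:11Z\t10.0.4.37\tGET\thttps://www.example.com/wp-admin/about\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99.0",
    "2022-03-10T09:16:40Z\t10.0.4.21\tPOST\thttp://203.0.113.5:8080/\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0",
])

if __name__ == "__main__":
    results = scan_proxy_log(SAMPLE_PROXY_LOG)
    for f in results:
        print(f.client, f.url, ",".join(f.indicators))
    print("likely full chain:", sorted(likely_full_chain(results)))
```

The wp-admin request from 10.0.4.37 matches the path regex but is not flagged, because it lacks the PowerShell user agent; only 10.0.4.21 shows both stages.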

Mitigation

<table border="1" cellpadding="1" cellspacing="1" class="general-table" style="box-sizing: border-box; border-collapse: collapse; border-spacing: 0px; color: rgb(51, 51, 51); font-family: &quot; margin-left: auto; margin-right: auto;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; background-color: rgb(241, 241, 241);"><th style="box-sizing: border-box; padding: 0px; text-align: left; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Technique</p></th><th style="box-sizing: border-box; padding: 0px; text-align: left; width: 492px;">Use</th></tr></thead><tbody style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">OS Credential Dumping: LSASS Memory</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1003/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1003.001</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed dropping password grabber modules including Mimikatz.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Remote Services: SMB/Windows Admin Shares</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1021/002/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1021.002</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 
16px;">Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Obfuscated Files or Information&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1027</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware,&nbsp;<code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, &quot; font-size: 14.4px; padding: 2px 4px; color: rgb(0, 113, 188); border-radius: 4px;">cmd.exe</code>&nbsp;arguments, and PowerShell scripts.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Obfuscated Files or Information: Software Packing&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/002/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1027.002</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has used custom packers to protect its payloads.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Network 
Sniffing</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1040/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1040</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed to hook network APIs to monitor network traffic.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Exfiltration Over C2 Channel&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1041/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1041</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been seen exfiltrating system information stored within cookies sent within a&nbsp;<code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, &quot; font-size: 14.4px; padding: 2px 4px; color: rgb(0, 113, 188); border-radius: 4px;">HTTP GET</code>&nbsp;request back to its command and control (C2) servers.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Windows Management Instrumentation</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1047/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1047</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has used WMI to 
execute&nbsp;<code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, &quot; font-size: 14.4px; padding: 2px 4px; color: rgb(0, 113, 188); border-radius: 4px;">powershell.exe</code>.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Process Injection: Dynamic-link Library Injection</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1055/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1055.001</a>]</p></td><td style="box-sizing: border-box; padding: 0px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed injecting in to&nbsp;<code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, &quot; font-size: 14.4px; padding: 2px 4px; color: rgb(0, 113, 188); border-radius: 4px;">Explorer.exe</code>&nbsp;and other processes.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Process Discovery</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1057/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1057</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed enumerating local processes.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Command and Scripting 
Interpreter: PowerShell</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1059.001</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Command and Scripting Interpreter: Windows Command Shell&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/003/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1059.003</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has used&nbsp;<code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, &quot; font-size: 14.4px; padding: 2px 4px; color: rgb(0, 113, 188); border-radius: 4px;">cmd.exe</code>&nbsp;to run a PowerShell script.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Command and Scripting Interpreter: Visual Basic</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/005/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1059.005</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has 
sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Valid Accounts: Local Accounts&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/003/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1078.003</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet can brute force a local admin password, then use it to facilitate lateral movement.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Account Discovery: Email Account&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1087/003/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1087.003</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed leveraging a module that can scrape email addresses from Outlook.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Brute Force: Password Guessing&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1110/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1110.001</a>]</p></td><td 
style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed using a hard-coded list of passwords to brute force user accounts.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Email Collection: Local Email Collection</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1114/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1114.001</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed leveraging a module that scrapes email data from Outlook.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">User Execution: Malicious Link&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1204/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1204.001</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has relied upon users clicking on a malicious link delivered through spearphishing.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">User Execution: Malicious File</em>&nbsp;[<a 
href="https://attack.mitre.org/versions/v7/techniques/T1204/002/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1204.002</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Exploitation of Remote Services</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1210/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1210</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Create or Modify System Process: Windows Service&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1543/003/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1543.003</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed creating new services to maintain persistence.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p 
style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1547.001</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed adding the downloaded payload to the&nbsp;<code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, monospace; font-size: 14.4px; padding: 2px 4px; color: rgb(0, 113, 188); border-radius: 4px;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>&nbsp;key to maintain persistence.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Scheduled Task/Job: Scheduled Task</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1053.005</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has maintained persistence through a scheduled task.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Unsecured Credentials: Credentials In Files</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1552/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 
114, 175);">T1552.001</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Credentials from Password Stores: Credentials from Web Browsers</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1555/003/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1555.003</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed dropping browser password grabber modules.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Archive Collected Data&nbsp;</em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1560/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1560</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been observed encrypting the data it collects before sending it to the C2 server.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Phishing: Spearphishing 
Attachment</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1566.001</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been delivered by phishing emails containing attachments.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Phishing: Spearphishing Link</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1566.002</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has been delivered by phishing emails containing links.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Non-Standard Port</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1571/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1571</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to the ports commonly associated with HTTP and HTTPS.</p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0px; width: 448px;"><p style="box-sizing: 
border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;"><em style="box-sizing: border-box;">Encrypted Channel: Asymmetric Cryptography</em>&nbsp;[<a href="https://attack.mitre.org/versions/v7/techniques/T1573/002/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">T1573.002</a>]</p></td><td style="box-sizing: border-box; padding: 0px; width: 492px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5; font-size: 16px;">Emotet is known to use RSA keys for encrypting C2 traffic.</p></td></tr></tbody></table><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Block email attachments commonly associated with malware (e.g., .dll and .exe).</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><span style="font-size: 16px; color: rgb(51, 51, 51);">Implement Group Policy Object and firewall rules.</span></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Implement an antivirus program and a formalized patch management process.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Implement filters at the 
email gateway, and block suspicious IP addresses at the firewall.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Adhere to the principle of least privilege.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Implement a Domain-Based Message Authentication, Reporting &amp; Conformance validation system.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Segment and segregate networks and functions.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Limit unnecessary lateral communications.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Enforce multi-factor authentication.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. 
See Using Caution with Email Attachments.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Disable unnecessary services on agency workstations and servers.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Monitor users' web browsing habits; restrict access to suspicious or risky sites.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Scan all software downloaded from the internet prior to executing.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Maintain situational awareness of the latest threats and implement appropriate access control lists.</span></font></p><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">Visit the MITRE ATT&amp;CK Techniques pages for additional mitigation and detection strategies.</span></font></p><p style="box-sizing: border-box; 
margin-bottom: 10px; line-height: 1.5;"><font color="#333333"><span style="font-size: 16px;">For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.</span></font></p>
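The "true file type" check and the attachment blocking policy from the mitigation list above, as an added example that is not part of the original page: it compares each attachment's extension with its file header (magic bytes) and returns a verdict, blocking executables, unscannable archives and renamed files. The sample attachments, the policy sets and the verdict strings are constructed for this example.

```python
import os

# Magic bytes per extension. OOXML Word files (.docx/.docm) are ZIP
# containers; legacy .doc/.xls use the OLE compound file header.
EXPECTED_MAGIC = {
    ".exe": b"MZ",
    ".dll": b"MZ",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".docm": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".pdf": b"%PDF-",
}

# Policy from the mitigation list (constructed sets for this example):
# executables are blocked outright, archives because they cannot be scanned.
BLOCKED_EXTENSIONS = {".exe", ".dll"}
UNSCANNABLE_EXTENSIONS = {".zip"}


def assess_attachment(filename: str, header: bytes) -> str:
    """Verdict for one attachment: block:executable, block:unscannable,
    block:mismatch, review:unknown-type (no magic known) or allow."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block:executable"
    if ext in UNSCANNABLE_EXTENSIONS:
        return "block:unscannable"
    magic = EXPECTED_MAGIC.get(ext)
    if magic is None:
        return "review:unknown-type"
    if not header.startswith(magic):
        # Extension claims one format, the bytes say another: a renamed file.
        return "block:mismatch"
    return "allow"


# Constructed sample attachments: (name, first bytes of content).
SAMPLES = [
    ("invoice.docx", b"PK\x03\x04\x14\x00"),               # genuine OOXML
    ("invoice.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # genuine OLE
    ("statement.pdf", b"MZ\x90\x00"),                      # PE renamed .pdf
    ("update.exe", b"MZ\x90\x00"),                         # blocked by policy
    ("archive.zip", b"PK\x03\x04"),                        # unscannable
    ("notes.txt", b"hello"),                               # no magic known
]


def triage(samples=SAMPLES) -> dict:
    """Map each sample filename to its verdict."""
    return {name: assess_attachment(name, hdr) for name, hdr in samples}
```

Note that .docx and .docm share the same ZIP header, so this check only validates the container; whether a Word file carries macros has to be decided by inspecting its contents.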