Loader Malware Emotet is Now Led by Quantum and BlackCat

September 14, 2022

Emotet (also known as SpmTools) is a sophisticated, modular banking trojan. Emotet mostly serves as a downloader or dropper of other banking trojans and is operated as a loader-as-a-service (LaaS). It is mainly distributed through spam emails (malspam).

Malicious scripts, document files with built-in macros, or malicious links can all spread the infection. Through successive changes, Emotet has become a prominent, intrusive malware loader, mainly because it can carry out a complete infection cycle and smoothly deliver other types of malware.

BlackCat and Quantum Use Emotet as Initial Attack Vector

AdvIntel recorded 1,267,598 total Emotet infections globally in 2022. Further data from the research shows that Emotet infections peaked at the beginning of the Russian/Ukrainian crisis, with groups like Quantum and BlackCat starting to use the malware after Conti. The malware's most targeted country is the U.S., which accounts for approximately 36% of infections.

Figure: Emotet infection rates by country (Source: AdvIntel)

Emotet was once a tool used mainly by Conti affiliates, and many other threat actors and groups have used it in various cyberattacks. Quantum and BlackCat now lead the Emotet infection chain.

Emotet's botnet attack flow relies on Cobalt Strike to stage ransomware. In other words, threat actors presently use Emotet primarily as a dropper or downloader for a Cobalt Strike beacon, which delivers the payload that enables them to take over networks and carry out ransomware operations.

TTPs & IoCs

Emotet TTPs

ID           Name
T1087.003    Account Discovery: Email Account
T1560        Archive Collected Data
T1547.001    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1110.001    Brute Force: Password Guessing
T1059.001    Command and Scripting Interpreter: PowerShell
T1059.005    Command and Scripting Interpreter: Visual Basic
T1059.003    Command and Scripting Interpreter: Windows Command Shell
T1543.003    Create or Modify System Process: Windows Service
T1555.003    Credentials from Password Stores: Credentials from Web Browsers
T1114.001    Email Collection: Local Email Collection
T1573.002    Encrypted Channel: Asymmetric Cryptography
T1041        Exfiltration Over C2 Channel
T1210        Exploitation of Remote Services
T1040        Network Sniffing
T1571        Non-Standard Port
T1027        Obfuscated Files or Information
T1027.002    Obfuscated Files or Information: Software Packing
T1003.001    OS Credential Dumping: LSASS Memory
T1566.002    Phishing: Spearphishing Link
T1566.001    Phishing: Spearphishing Attachment
T1057        Process Discovery
T1055.001    Process Injection: Dynamic-link Library Injection
T1021.002    Remote Services: SMB/Windows Admin Shares
T1053.005    Scheduled Task/Job: Scheduled Task
T1552.001    Unsecured Credentials: Credentials In Files
T1204.001    User Execution: Malicious Link
T1204.002    User Execution: Malicious File
T1078.003    Valid Accounts: Local Accounts
T1047        Windows Management Instrumentation

Latest Emotet IoCs


Emotet botnet IoCs can be found here. CIRT published a longer list of IoCs.

IoCs for BlackCat and Quantum Locker are also available.