Loader Malware Emotet is Now Led by Quantum and BlackCat

Emotet (also known as SpmTools) is a sophisticated, modular banking trojan. Emotetmostly serves as a downloader or dropper of other banking trojans. It is a loader-as-a-service (LaaS). It is mainly distributed by spam emails (malspam).

Malicious scripts, document files with built-in macros, or malicious links can all spread the infection. Emotet has become a prominent, intrusive malware loader due to changes throughout time, mainly as a result of its capacity to carry out a complete infection cycle and smoothly spread other types of malware.

BlackCat and Quantum Use Emotet as Initial Attack Vector

AdvIntel recorded 1,267,598total Emotet infections globally in 2022. Further data from the research shows that Emotet infections peaked at the beginning of the Russian/Ukrainian crisis, with groups like Quantum and BlackCat starting to use the malware after Conti. The malware’s most targeted country is the U.S., with an approximately 36% rate.

Emotet infection rates in countries (Source: AdvIntel)

Emotet was once a tool mainly used by Conti affiliates. It has also been used by many threat actors and groups in various cyberattacks. Now, Quantum and BlackCat are the ones who lead the Emotet infection chain.

Emotet’s botnet attack flow utilizes Cobalt Strike to launch ransomware. In other words, threat actors presently use Emotet primarily as a dropper or downloader for a Cobalt Strike beacon, which distributes a payload enabling threat actors to hijack networks and carry out ransomware operations.

TTPs & IoCs

Emotet TTPs

ID		Name
T1087	.003	Account Discovery: Email Account
T1560		Archive Collected Data
T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1110	.001	Brute Force: Password Guessing
T1059	.001	Command and Scripting Interpreter: PowerShell
	.005	Command and Scripting Interpreter: Visual Basic
	.003	Command and Scripting Interpreter: Windows Command Shell
T1543	.003	Create or Modify System Process: Windows Service
T1555	.003	Credentials from Password Stores: Credentials from Web Browsers
T1114	.001	Email Collection: Local Email Collection
T1573	.002	Encrypted Channel: Asymmetric Cryptography
T1041		Exfiltration Over C2 Channel
T1210		Exploitation of Remote Services
T1040		Network Sniffing
T1571		Non-Standard Port
T1027		Obfuscated Files or Information
	.002	Software Packing
T1003	.001	OS Credential Dumping: LSASS Memory
T1566	.002	Phishing: Spearphishing Link
	.001	Phishing: Spearphishing Attachment
T1057		Process Discovery
T1055	.001	Process Injection: Dynamic-link Library Injection
T1021	.002	Remote Services: SMB/Windows Admin Shares
T1053	.005	Scheduled Task/Job: Scheduled Task
T1552	.001	Unsecured Credentials: Credentials In Files
T1204	.001	User Execution: Malicious Link
	.002	User Execution: Malicious File
T1078	.003	Valid Accounts: Local Accounts
T1047		Windows Management Instrumentation

Latest Emotet IoCs

URL	Date Added
https://xsnonline.us/blogs/4x466v/	2022-09-07
http://jimlowry.com/9tag/	2022-08-24
https://saeblaser.com/wp-admin/jx7w814/	2022-08-17
http://scandryer.se/you-d-not-agree-to-elements-of-the-letter-s/	2022-08-09
http://avjcomp.ru/I5Su4/	2022-08-09
http://ispapazarlama.com.tr/JcEXH/	2022-08-09
https://kulshai.com/wp-includes/7fslng/	2022-08-09
https://fractal.vn/users_contact/ol-e-g-d-m-i-tr-ie-nko4-9-7gmail-com/	2022-08-09
https://progea4d.pl/waloryzacja-przyrodnicza-kamieniolomow-mydlniki-oraz-bodzow/	2022-08-09
https://www.altinoluk-akcay.com/9uZYqjHN/	2022-08-09