Loader Malware Emotet is Now Led by Quantum and BlackCat
Emotet (also known as SpmTools) is a sophisticated, modular malware family that began as a banking trojan. Today it mostly serves as a downloader or dropper for other malware, including other banking trojans, and is operated as a loader-as-a-service (LaaS). It is distributed mainly through spam email (malspam).
The infection can be spread by malicious scripts, document files with embedded macros, or malicious links. Over time Emotet has evolved into a prominent and intrusive malware loader, mainly because it can carry out a complete infection cycle and seamlessly deliver other malware families.

BlackCat and Quantum Use Emotet as Initial Attack Vector
AdvIntel recorded 1,267,598 total Emotet infections globally in 2022. The same research shows that Emotet infections peaked at the beginning of the Russia/Ukraine conflict, when groups such as Quantum and BlackCat began using the malware after Conti. The most-targeted country is the U.S., at roughly 36% of infections.

Emotet was once a tool used mainly by Conti affiliates, although many other threat actors and groups have used it in various cyberattacks. Now Quantum and BlackCat lead the Emotet infection chain.
Emotet's botnet attack flow uses Cobalt Strike to stage ransomware: threat actors now use Emotet primarily as a dropper or downloader for a Cobalt Strike beacon, which delivers the payload that lets them take over the network and carry out ransomware operations.
TTPs & IoCs
Emotet TTPs
| ID | Name |
|---|---|
| T1087.003 | Account Discovery: Email Account |
| T1560 | Archive Collected Data |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1110.001 | Brute Force: Password Guessing |
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1059.005 | Command and Scripting Interpreter: Visual Basic |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1543.003 | Create or Modify System Process: Windows Service |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| T1114.001 | Email Collection: Local Email Collection |
| T1573.002 | Encrypted Channel: Asymmetric Cryptography |
| T1041 | Exfiltration Over C2 Channel |
| T1210 | Exploitation of Remote Services |
| T1040 | Network Sniffing |
| T1571 | Non-Standard Port |
| T1027 | Obfuscated Files or Information |
| T1027.002 | Obfuscated Files or Information: Software Packing |
| T1003.001 | OS Credential Dumping: LSASS Memory |
| T1566.002 | Phishing: Spearphishing Link |
| T1566.001 | Phishing: Spearphishing Attachment |
| T1057 | Process Discovery |
| T1055.001 | Process Injection: Dynamic-link Library Injection |
| T1021.002 | Remote Services: SMB/Windows Admin Shares |
| T1053.005 | Scheduled Task/Job: Scheduled Task |
| T1552.001 | Unsecured Credentials: Credentials In Files |
| T1204.001 | User Execution: Malicious Link |
| T1204.002 | User Execution: Malicious File |
| T1078.003 | Valid Accounts: Local Accounts |
| T1047 | Windows Management Instrumentation |
Latest Emotet IoCs
| URL | Date Added |
|---|---|
| https://xsnonline.us/blogs/4x466v/ | 2022-09-07 |
| http://jimlowry.com/9tag/ | 2022-08-24 |
| https://saeblaser.com/wp-admin/jx7w814/ | 2022-08-17 |
| http://scandryer.se/you-d-not-agree-to-elements-of-the-letter-s/ | 2022-08-09 |
| http://avjcomp.ru/I5Su4/ | 2022-08-09 |
| http://ispapazarlama.com.tr/JcEXH/ | 2022-08-09 |
| https://kulshai.com/wp-includes/7fslng/ | 2022-08-09 |
| https://fractal.vn/users_contact/ol-e-g-d-m-i-tr-ie-nko4-9-7gmail-com/ | 2022-08-09 |
| https://progea4d.pl/waloryzacja-przyrodnicza-kamieniolomow-mydlniki-oraz-bodzow/ | 2022-08-09 |
| https://www.altinoluk-akcay.com/9uZYqjHN/ | 2022-08-09 |
IoCs for BlackCat and Quantum Locker are also available.
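As an added example (not code from the original page or from AdvIntel), the following Python script matches web-proxy access-log lines against the URL IoCs in the table above. It assumes Squid-native access-log format (URL in the seventh whitespace-separated field) and uses constructed sample lines. Matching is on host plus path rather than host alone: several of the listed paths (for example under /wp-admin/ and /wp-includes/) point to compromised legitimate sites, so a host-only match would flag every benign visit to the same domain.

```python
"""Match web-proxy access-log lines against the Emotet URL IoCs listed above.

Added example, not from the original page. The IoC URLs are the ones in the
table; the log format (Squid native) and the log lines are assumptions.
"""
from urllib.parse import urlsplit

# URL IoCs from the table above, mapped to the date they were added.
EMOTET_URL_IOCS = {
    "https://xsnonline.us/blogs/4x466v/": "2022-09-07",
    "http://jimlowry.com/9tag/": "2022-08-24",
    "https://saeblaser.com/wp-admin/jx7w814/": "2022-08-17",
    "http://scandryer.se/you-d-not-agree-to-elements-of-the-letter-s/": "2022-08-09",
    "http://avjcomp.ru/I5Su4/": "2022-08-09",
    "http://ispapazarlama.com.tr/JcEXH/": "2022-08-09",
    "https://kulshai.com/wp-includes/7fslng/": "2022-08-09",
    "https://fractal.vn/users_contact/ol-e-g-d-m-i-tr-ie-nko4-9-7gmail-com/": "2022-08-09",
    "https://progea4d.pl/waloryzacja-przyrodnicza-kamieniolomow-mydlniki-oraz-bodzow/": "2022-08-09",
    "https://www.altinoluk-akcay.com/9uZYqjHN/": "2022-08-09",
}


def normalize(url):
    """Reduce a URL to (host, path) so that scheme, port, query string and a
    missing trailing slash do not defeat the match. The host is lower-cased;
    the path stays case-sensitive because the loader paths are random tokens."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"
    return host, path


# Index built once from the IoC table.
IOC_INDEX = {normalize(u): added for u, added in EMOTET_URL_IOCS.items()}


def match_url(url):
    """Return the IoC 'date added' if the URL matches on host+path, else None.

    Host+path is deliberate: the hosts are compromised legitimate sites, so a
    host-only match would flag benign traffic to the same domain."""
    return IOC_INDEX.get(normalize(url))


def ioc_hosts():
    """Hostnames only, for a DNS or proxy block list (higher false-positive risk)."""
    return sorted({host for host, _ in IOC_INDEX})


def scan_proxy_log(lines):
    """Scan Squid-native access-log lines and return (client_ip, url, date_added)
    for every request whose URL is an Emotet IoC."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # empty or malformed line
        client_ip, url = fields[2], fields[6]
        added = match_url(url)
        if added is not None:
            hits.append((client_ip, url, added))
    return hits


# Constructed sample log (not real traffic): two IoC hits (one with a query
# string), one benign request, and one host-only visit that must NOT match.
SAMPLE_LOG = """\
1662545001.123    210 10.0.5.17 TCP_MISS/200 4821 GET https://xsnonline.us/blogs/4x466v/ - HIER_DIRECT/203.0.113.5 application/octet-stream
1662545002.456     18 10.0.5.17 TCP_HIT/200 1290 GET https://www.example.com/index.html - HIER_NONE/- text/html
1662545003.789    305 10.0.5.42 TCP_MISS/200 6130 GET http://jimlowry.com/9tag/?x=1 - HIER_DIRECT/198.51.100.9 application/octet-stream
1662545004.001     44 10.0.5.42 TCP_MISS/404 512 GET http://jimlowry.com/ - HIER_DIRECT/198.51.100.9 text/html
"""

if __name__ == "__main__":
    for client_ip, url, added in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client_ip} requested Emotet IoC {url} (added {added})")
```

Run as-is it reports the two hits from the embedded sample and stays silent on the host-only request to jimlowry.com. Use `ioc_hosts()` only where blocking a whole compromised domain is acceptable; for detection, the host-plus-path match is the safer signal.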
