
Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.(Citation: Trend Micro Banking Malware Jan 2019)
ID: S0367
Associated Software: Geodo
Type: MALWARE
Platforms: Windows
Version: 1.6
Created: 25 Mar 2019
Last Modified: 09 Jul 2024

Associated Software Descriptions

Name Description
Geodo (Citation: Trend Micro Emotet Jan 2019)

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Emotet has the ability to duplicate the user’s token.(Citation: Binary Defense Emotes Wi-Fi Spreader) Additionally, Emotet may use a variant of Google’s ProtoBuf to send messages that specify how code will be executed.(Citation: emotet_hc3_nov2023)

Enterprise T1087 .003 Account Discovery: Email Account

Emotet has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Emotet Dec 2018)(Citation: IBM IcedID November 2017)(Citation: Binary Defense Emotes Wi-Fi Spreader)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Emotet has used HTTP for command and control.(Citation: Binary Defense Emotes Wi-Fi Spreader)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Picus Emotet Dec 2018)

Enterprise T1110 .001 Brute Force: Password Guessing

Emotet has been observed using a hard-coded list of passwords to brute force user accounts.(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: CIS Emotet Dec 2018)(Citation: Binary Defense Emotes Wi-Fi Spreader)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.(Citation: Symantec Emotet Jul 2018)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Red Canary Emotet Feb 2019)(Citation: Carbon Black Emotet Apr 2019)

.003 Command and Scripting Interpreter: Windows Command Shell

Emotet has used cmd.exe to run a PowerShell script. (Citation: Picus Emotet Dec 2018)

.005 Command and Scripting Interpreter: Visual Basic

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. (Citation: Symantec Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Carbon Black Emotet Apr 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Emotet has been observed creating new services to maintain persistence.(Citation: US-CERT Emotet Jul 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: Binary Defense Emotes Wi-Fi Spreader)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Emotet has been observed dropping browser password grabber modules. (Citation: Trend Micro Emotet Jan 2019)(Citation: IBM IcedID November 2017)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server.(Citation: Binary Defense Emotes Wi-Fi Spreader) Additionally, Emotet has used Base64 to encode data before sending to the C2 server.(Citation: Fortinet Emotet May 2017)

Enterprise T1114 .001 Email Collection: Local Email Collection

Emotet has been observed leveraging a module that scrapes email data from Outlook.(Citation: CIS Emotet Dec 2018)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Emotet is known to use RSA keys for encrypting C2 traffic. (Citation: Trend Micro Emotet Jan 2019)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Emotet has installed itself as a new service with the service name `Windows Defender System Service` and display name `WinDefService`.(Citation: Binary Defense Emotes Wi-Fi Spreader)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Emotet has been observed dropping and executing password grabber modules including Mimikatz.(Citation: Trend Micro Emotet Jan 2019)(Citation: emotet_hc3_nov2023)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Emotet inflates malicious files and malware as an evasion technique.(Citation: emotet_trendmicro_mar2023)

.002 Obfuscated Files or Information: Software Packing

Emotet has used custom packers to protect its payloads.(Citation: Trend Micro Emotet Jan 2019)

.009 Obfuscated Files or Information: Embedded Payloads

Emotet has dropped an embedded executable at `%Temp%\setup.exe`.(Citation: Binary Defense Emotes Wi-Fi Spreader) Additionally, Emotet may embed entire code into other files.(Citation: emotet_hc3_nov2023)

.010 Obfuscated Files or Information: Command Obfuscation

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. (Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: ESET Emotet Dec 2018)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Emotet uses obfuscated URLs to download a ZIP file.(Citation: emotet_trendmicro_mar2023)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Emotet has been delivered by phishing emails containing attachments. (Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Carbon Black Emotet Apr 2019)(Citation: IBM IcedID November 2017)

.002 Phishing: Spearphishing Link

Emotet has been delivered by phishing emails containing links.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Kaspersky Emotet Jan 2019)(Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Emotet has been observed injecting into Explorer.exe and other processes.(Citation: Picus Emotet Dec 2018)(Citation: Trend Micro Banking Malware Jan 2019)(Citation: US-CERT Emotet Jul 2018)

.012 Process Injection: Process Hollowing

Emotet uses a copy of `certutil.exe` stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code.(Citation: emotet_trendmicro_mar2023)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement. (Citation: Malwarebytes Emotet Dec 2017)(Citation: Binary Defense Emotes Wi-Fi Spreader)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Emotet has maintained persistence through a scheduled task, e.g. through a .dll file referenced in the Registry.(Citation: US-CERT Emotet Jul 2018)(Citation: emotet_hc3_nov2023)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Emotet uses RegSvr32 to execute the DLL payload.(Citation: emotet_trendmicro_mar2023)

Enterprise T1016 .002 System Network Configuration Discovery: Wi-Fi Discovery

Emotet can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.(Citation: Binary Defense Emotes Wi-Fi Spreader)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. (Citation: US-CERT Emotet Jul 2018)(Citation: CIS Emotet Dec 2018)

Enterprise T1204 .001 User Execution: Malicious Link

Emotet has relied upon users clicking on a malicious link delivered through spearphishing.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Carbon Black Emotet Apr 2019)

.002 User Execution: Malicious File

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Carbon Black Emotet Apr 2019)(Citation: IBM IcedID November 2017)

Enterprise T1078 .003 Valid Accounts: Local Accounts

Emotet can brute force a local admin password, then use it to facilitate lateral movement.(Citation: Malwarebytes Emotet Dec 2017)
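As an added detection example (not part of the ATT&CK entry or the SECURITM site), the following Python matches constructed service, registry and process events against the host-based indicators listed above: the masqueraded service names, the Run key, the `%Temp%\setup.exe` drop, the relocated `certutil.exe` copy and regsvr32 loading a temp-directory DLL. The event field names and all sample values are assumptions.

```python
import ntpath
import re

# Constructed sample telemetry (not from the page), shaped like the fields a
# service-install, registry-set or process-create event would expose.
SAMPLE_EVENTS = [
    {"type": "service_install", "service_name": "Windows Defender System Service",
     "display_name": "WinDefService", "image_path": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "upd", "data": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\certutil.exe", "command_line": ""},
    {"type": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\abc.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\certutil.exe", "command_line": ""},  # benign
]

TEMP_DIR = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
EMOTET_SERVICE_NAMES = {"windows defender system service", "windefservice"}

def match_emotet_indicators(event):
    """Return the Emotet sub-technique IDs from the entry above that one event matches."""
    hits = []
    kind = event.get("type")
    if kind == "service_install":
        names = {event.get("service_name", "").lower(), event.get("display_name", "").lower()}
        if names & EMOTET_SERVICE_NAMES:
            hits.append("T1036.004")  # masqueraded service/display name
        if TEMP_DIR.search(event.get("image_path", "")):
            hits.append("T1543.003")  # new service whose binary lives in a temp dir
    elif kind == "registry_set":
        if event.get("key", "").lower().endswith(RUN_KEY) and TEMP_DIR.search(event.get("data", "")):
            hits.append("T1547.001")  # Run key pointing at a dropped temp payload
    elif kind == "process_create":
        image = event.get("image", "")
        exe = ntpath.basename(image).lower()
        if exe == "certutil.exe" and TEMP_DIR.search(image):
            hits.append("T1055.012")  # relocated certutil.exe copy used as hollowing host
        if exe == "regsvr32.exe" and TEMP_DIR.search(event.get("command_line", "")):
            hits.append("T1218.010")  # regsvr32 loading a DLL from a temp dir
    return hits

def scan(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    out = []
    for i, e in enumerate(events):
        hits = match_emotet_indicators(e)
        if hits:
            out.append((i, hits))
    return out

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```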

Groups That Use This Software

ID Name References
G0102 Wizard Spider (Citation: CrowdStrike Grim Spider May 2019)(Citation: Sophos New Ryuk Attack October 2020)

References

  1. CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.
  2. Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  3. Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
  4. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  5. Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant – Part 1. Retrieved April 1, 2019.
  6. Brandt, A. (2019, May 5). Emotet 101, stage 4: command and control. Retrieved April 16, 2019.
  7. Manea, D. (2019, May 25). Emotet v4 Analysis. Retrieved April 16, 2019.
  8. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  9. Donohue, B. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.
  10. ESET. (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.
  11. Mclellan, M. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
  12. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  13. Salvio, J. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  14. Shulmin, A. (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.
  15. Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  16. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  17. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  18. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  19. Kenefick, I. (2023, March 13). Emotet Returns, Now Adopts Binary Padding for Evasion. Retrieved June 19, 2024.
  20. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  21. Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024.
  22. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  23. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
