Dead or Alive? An Emotet Story
Emotet, while previously taken down by Interpol and Eurojust efforts, has seen a resurgence since November 2021. In May of this year, DFIR witnessed an intrusion that started from a phishing email which included Emotet. The intrusion lasted four days and contained many of the usual suspects, including the Cobalt Strike post-exploitation framework.
The Emotet infection was delivered using an xls file containing a malicious macro, a technique that has been on the wane in recent months. Once executed, the Emotet malware ran a few basic Windows discovery commands (systeminfo, ipconfig, etc.), wrote a registry run key for persistence, and made its initial call-outs to its command and control servers.
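As an added illustration (not code from the original write-up), the following Python correlates constructed Sysmon-style events into the chain described above: a process tree rooted in Excel that runs discovery commands and then writes a Run key. The event layout, PIDs, and file paths are invented for the example.

```python
# Added example: correlate constructed Sysmon-style process-create (ID 1)
# and registry-set (ID 13) events into the macro -> discovery -> Run key chain.
import ntpath  # handles Windows paths regardless of the host OS

DISCOVERY = {"systeminfo.exe", "ipconfig.exe", "whoami.exe", "net.exe"}
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"

# Constructed sample events (invented PIDs and paths, not from the intrusion).
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 50,  "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\systeminfo.exe"},
    {"id": 1, "pid": 301, "ppid": 200, "image": r"C:\Windows\System32\ipconfig.exe"},
    {"id": 13, "pid": 200, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\loader"},
    {"id": 1, "pid": 400, "ppid": 50,  "image": r"C:\Windows\System32\ipconfig.exe"},  # benign: not under Excel
]

def build_tree(events):
    """Map pid -> (ppid, lower-cased image basename) from process-create events."""
    return {e["pid"]: (e["ppid"], ntpath.basename(e["image"]).lower())
            for e in events if e["id"] == 1}

def descends_from(tree, pid, ancestor, max_depth=16):
    """True if a process with image basename `ancestor` is in pid's parent chain."""
    for _ in range(max_depth):          # bounded walk guards against PID reuse loops
        if pid not in tree:
            return False
        ppid, image = tree[pid]
        if image == ancestor:
            return True
        pid = ppid
    return False

def detect(events, office="excel.exe"):
    """Return sorted (tactic, pid) alerts for activity rooted at the Office process."""
    tree = build_tree(events)
    alerts = set()
    for e in events:
        if not descends_from(tree, e["pid"], office):
            continue
        if e["id"] == 1 and tree[e["pid"]][1] in DISCOVERY:
            alerts.add(("discovery", e["pid"]))
        if e["id"] == 13 and RUN_KEY_FRAGMENT in e["target"].lower():
            alerts.add(("persistence", e["pid"]))
    return sorted(alerts)

if __name__ == "__main__":
    for tactic, pid in detect(EVENTS):
        print(f"{tactic:12} pid={pid}")
```

The benign `ipconfig.exe` launched outside the Excel tree produces no alert, which is the point of anchoring the rule on process ancestry rather than on the command alone.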
Around 40 minutes after the initial execution, the Emotet malware started to run a new Emotet email spreader campaign. This entailed connecting to various email servers and sending new emails with attached xls and zip files. Around 26 hours after the initial infection, while still running the email spreader, the Emotet malware pulled down and executed a Cobalt Strike payload on the beachhead host. At 29 hours from initial access, the threat actors began their first lateral movement. This was achieved by transferring a Cobalt Strike DLL over SMB and executing it via a remote service on another workstation.
These cases commonly end up with ransomware in addition to data exfiltration.