
Emotet Malware is Back With a Vengeance - New Detection Rules

Source:

SOC Prime Threat Bounty Program


This blog and subsequent new detection rules have been written and produced by our long-standing partner, SOC Prime.


The notorious Emotet is back, in its Epoch 5 resurgence, after all the command and control (C&C) servers of the botnet were disrupted in Operation Ladybird, a joint international law enforcement action in early 2021. As researchers noted, it was only a matter of time before Emotet’s C&C infrastructure was restored and a full-fledged cyber-attack campaign began all over again. And while the malware maintainers remain unknown, this campaign suspiciously coincides with the Russian invasion of Ukraine.


At SOC Prime, we continue to renew our detection content so you can capture the latest activity of Emotet and alike as early as possible. Below you will find the newest detection rules and in-depth analysis.


Emotet Attack Detection

To detect the newest behavior of Emotet, check out the rules made by our Threat Bounty developer Furkan Celik:


Emotet Detected Again in MS Office Files (March) (via registry event)


This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, LimaCharlie, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, AWS OpenSearch.


The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic with Modify Registry (T1112) as the primary technique.


Detection of New Emotet Behaviors (March) (via process creation)


This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, LimaCharlie, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Securonix, AWS OpenSearch.


The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic with Signed Binary Proxy Execution (T1218) as the primary technique.
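The two rules above key on two telemetry sources: process-creation events (Signed Binary Proxy Execution, T1218) and registry events (Modify Registry, T1112). The following Python is an added illustration of that detection shape and is not SOC Prime's rule logic, which this page does not reproduce. It runs two toy rules over constructed Sysmon-style JSON events: an Office application spawning a signed Microsoft binary with a published T1218 sub-technique, and an Office application writing an autostart value under a Run key. The host names, user paths, registry target and the choice of watched binaries are assumptions made for the example.

```python
"""Added example, not SOC Prime's detection content.

Two toy rules over constructed Sysmon-style JSON events:
  * EventID 1  (process creation): Office app -> signed proxy binary (T1218)
  * EventID 13 (registry value set): Office app writes a Run-key value (T1112)
All events, hosts, paths and registry targets are constructed for illustration.
"""
import json

# Office applications worth watching as parents/writers (assumption).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Signed Microsoft binaries that have published T1218 sub-techniques.
SIGNED_PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "msiexec.exe"}

# Autostart location; matched case-insensitively inside the registry path.
RUN_KEY_MARKER = "\\currentversion\\run\\"


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_creation(event: dict):
    """Rule 1: an Office parent spawning a signed proxy binary -> alert dict, else None."""
    if event.get("EventID") != 1:
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_APPS and child in SIGNED_PROXY_BINARIES:
        return {
            "technique": "T1218",
            "rule": "office_spawns_signed_proxy",
            "host": event.get("Computer"),
            "detail": f"{parent} -> {child}: {event.get('CommandLine', '')}",
        }
    return None


def check_registry_event(event: dict):
    """Rule 2: an Office app setting a value under a Run key -> alert dict, else None."""
    if event.get("EventID") != 13:
        return None
    image = basename(event.get("Image", ""))
    target = event.get("TargetObject", "").lower()
    if image in OFFICE_APPS and RUN_KEY_MARKER in target:
        return {
            "technique": "T1112",
            "rule": "office_writes_run_key",
            "host": event.get("Computer"),
            "detail": f"{image} set {event.get('TargetObject')} = {event.get('Details', '')}",
        }
    return None


RULES = (check_process_creation, check_registry_event)


def run_detections(lines):
    """Parse JSON lines, apply every rule, return alerts in input order.
    Unparseable lines are skipped so one bad record does not abort the scan."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in RULES:
            alert = rule(event)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: two hits per rule type mixed with benign noise.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 1, "Computer": "ws01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\doc1.ocx"},
    {"EventID": 1, "Computer": "ws01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 13, "Computer": "ws01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"EventID": 13, "Computer": "ws01",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start", "Details": "DWORD (0x3)"},
    {"EventID": 1, "Computer": "ws02",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
)] + ["{not valid json"]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a["technique"], a["rule"], a["host"], a["detail"])
```

Production rules would add exclusions for known-good software deployment and tune the watched parent and child lists per environment; the point here is that each rule inspects one event type and reports the ATT&CK technique it maps to, which is what the platform translations above encode for each SIEM.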

Organizations should also be aware that once this botnet gets into the network, it can download additional malware strains with different behaviour, opening the door to further exploitation. That’s why it’s necessary to check for signs of collateral damage, such as ransomware, alongside Emotet bot distribution. To find all content addressing Emotet’s malicious behaviour, you can check the detection content available in the SOC Prime platform.


Cyber defenders are more than welcome to join our Threat Bounty program to tap into the power of the community and get rewarded for their threat detection content.




Emotet Infection Process

To illustrate the significance of the Emotet revival, Proofpoint found more than 2.73 million phishing emails sent by Emotet as of the first week of March 2022, more than the total for the entire month of February 2022 (2.07 million). Previously, in November 2021, a network of 130,000 new bots across 179 countries was detected.

New evidence of Emotet activity shows that the attackers have been using new features to run undetected and unnoticed by the security systems of their victims. For that, adversaries encrypted network traffic via elliptic curve cryptography (ECC) and separated the process list into its own module. Additionally, new malware versions tend to gather more information about the infected hosts.


The Black Lotus Labs researchers report that the new Emotet campaign grew at an average rate of about 77 unique Tier 1 C&Cs per day from late February 2022 through March 4, 2022, with most Emotet C2 locations being in the US and Germany. Meanwhile, infected bots are mainly concentrated in regions like Asia, India, Mexico, South Africa, China, Brazil, and Italy. Given the number of outdated Windows devices there, it’s understandable why these regions were hit so heavily.


The Emotet botnet grows at unprecedented speed because it is able to infect millions of victims’ machines and turn them into malicious bots. Stopping it is possible through a collaborative defense approach. Join the SOC Prime Detection as Code platform and gain immediate access to the newest content that will help you detect the latest and stealthiest cyber threats. And if you feel you can contribute valuable knowledge, submit your detection content to our crowdsourcing program and get recurring rewards for your unique content.


Reference

SOC Prime Threat Bounty Program