Emotet malware is distributed through malicious spam (malspam), and it's active nearly every day, or at least every weekday. Sometimes the criminals behind Emotet take a break, such as a month-long hiatus from early October through early November, but the infrastructure pushing Emotet has been very active since Monday 2018-11-05.
As Symantec and others have reported, the group behind Emotet has evolved from maintaining its own banking Trojan, and it now also distributes malware for other groups. I commonly see follow-up malware like Trickbot and Zeus Panda Banker during Emotet infections generated in my lab environment.
Today's diary examines an Emotet infection on Wednesday 2018-11-14 with the IcedID banking Trojan as its follow-up malware.
A quick check of URLhaus showed me several URLs tagged emotet and heodo, which is another name for Emotet. After you've seen enough of these URLs, you get a feel for their patterns and can identify an Emotet URL by looking at it.
Using a vulnerable Windows host, I picked an Emotet URL to download a Word document. I opened the document, enabled macros, and saw the expected infection traffic.
Forensics on the infected Windows host
After reviewing the infection traffic, I checked my infected Windows host for malware. Malware binaries for both Emotet and the IcedID banking Trojan were in the same places I've seen them before.
Indicators of Compromise (IoCs)
Malware from my infected Windows host:
Traffic from my infected Windows host:
Traffic that returned the initial Word document:
Traffic that returned the Emotet malware binary:
Post-infection traffic caused by Emotet:
Post-infection traffic caused by the IcedID banking Trojan:
Both Emotet and IcedID have remained fairly consistent in their behavioral patterns, so nothing here is unusual. This diary is yet another reminder the criminals behind Emotet remain active, and they continue to push follow-up malware like the IcedID banking Trojan.
A pcap of the infection traffic and the associated malware from today's diary can be found here.
Nov 15th 2018