Dead or Alive? An Emotet Story

Back in May, The DFIR Report witnessed an intrusion that started from a phishing email which included Emotet.
The intrusion lasted four days and contained many of the usual suspects, including the Cobalt Strike post-exploitation framework.

The Emotet infection was delivered using a xls file containing a malicious macro, a technique that has been on the wane in recent months.
After executing the Emotet malware, it ran a few basic Windows discovery commands (systeminfo, ipconfig, etc.), wrote a registry run key for persistence, and made its initial call outs to the command and control servers.

Around 40 minutes after the initial execution, the Emotet malware started to run a new Emotet email spreader campaign.
This entailed connecting to various email servers and sending new emails with attached xls and zip files.
This activity continued until the UTC clock turned over to the next day; at which point, the email spreader halted for a period of time and around seven hours into the second day, it began running the email spreader again.

Around 26 hours after the initial infection, while still running the email spreader, the Emotet malware pulled down and executed a Cobalt Strike payload on the beachhead host.
Right after the beacon was executed, the threat actors began enumerating the network using native Windows binaries and the PowerView module, Invoke-ShareFinder.
Around 30 minutes after dropping the beacon the threat actor injected into a dllhost.exe process and then proceeded to dump credentials from LSASS.
Another 20 minutes later, the threat actor ran Invoke-ShareFinder again and Invoke-Kerberoast.

At 29 hours from initial access, the threat actors began their first lateral movement.
This was achieved by transferring a Cobalt Strike DLL over SMB and executing via a remote service on another workstation.
From there, they ran Invoke-Sharefinder once again, along with AdFind, using a batch file named find.bat.
Pass-the-Hash behavior was observed targeting several accounts on the lateral host.
Use of Cobalt Strike’s Get-System module was also apparent via the logs.

The threat actors then proceeded to do additional network discovery using a batch script named p.bat to ping all servers in the network.
More account discovery was then observed, with queries for Domain Administrators and a backup account.

At 31 hours into the intrusion, the threat actors pivoted to the Domain Controller using the same Cobalt Strike DLL.
Once on the Domain Controller, the threat actors again used Get-System to elevate and then dumped LSASS.
After completing that activity, the threat actors chose another server to push a file, 1.msi, to, which was the installation package for Atera-for an additional means of persistence and command and control.
During this whole second day, the original Emotet infection on the beachhead host was still trying to send more malicious emails, finally stopping for the day a little before 23:00 UTC.

They returned the next day, at the same time as the previous day, and picked up where they left off.
They pivoted to a couple of workstations on the network using Cobalt Strike and installed Atera and Splashtop with a different MSI installer.
Once again, they executed Invoke-Sharefinder, AdFind, and the p.bat batch script to ping online servers.
Using the remote admin tools, they used Rclone to exfiltrate important data from a file server and upload it to MEGA.
Interestingly, the threat actors exfiltrated the same data twice while running Rclone with the parameter -ignore-existing from two different hosts on the network.
Around 20:00 UTC the Emotet infection on the beachhead host began its email spreader activity again, only to halt at the change over at 00:00 UTC.

On the last day of this intrusion, the threat actors returned during their normal working hours and used Rclone to exfiltrate IT-related data from a separate server.
This was the last activity observed from this group.
These cases commonly end up with ransomware in addition to data exfiltration.
This, however, was not the case with this intrusion as the threat actors were evicted before any final actions could be taken.

Sign Up For Threat Alerts

Loading...
Threats Icon

Jul 04, 2023

Rhysida Ransomware RaaS Crawls Out of Crimeware...

The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...

Threats Icon

Jun 26, 2023

Operation Magalenha – Long-Running Campaign Pursues Portuguese...

The attackers can steal credentials and exfiltrate users' data and personal information, which can be...

Threats Icon

Apr 24, 2023

Lazarus Group Adds Linux Malware to Arsenal...

Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...

Threats Icon

Apr 23, 2023

Additional IOCs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.

Threats Icon

Apr 23, 2023

Ex-Conti and FIN7 Actors Collaborate with New...

IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...

Threats Icon

Apr 20, 2023

AuKill EDR killer malware abuses Process Explorer...

The AuKill tool abuses an outdated version of the driver used by version 16.32 of...

Threats Icon

Apr 20, 2023

Fake Chrome updates spread malware

A campaign running since the end of last year is using hacked sites to push...

Threats Icon

Apr 20, 2023

QBot using new attack vector in its...

QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...

Threats Icon

Apr 20, 2023

CrossLock Ransomware Emerges: New Golang – Based...

The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...

Threats Icon

Apr 20, 2023

Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...

A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...

Threats Icon

Apr 18, 2023

Additional IOcs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...

Threats Icon

Apr 18, 2023

Additional IOcs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...

Threats Icon

Apr 18, 2023

APT36 Expands Interest Within Indian Education Sector

Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...

Threats Icon

Apr 17, 2023

ChinaZ DDoS Bot Malware Distributed To Linux...

The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...

Threats Icon

Apr 16, 2023

Resurgence Of The Mexals Cryptojacking Campaign

The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...