The resurgence of a crippling malware: How to threat hunt Emotet
December 2022 by Logpoint
Emotet keeps coming back with renewed force. Despite being taken down by authorities in 2021, it’s back again and rapidly evolving. Emotet is now a Loader-as-a-service downloading other malware and wreaking havoc for an increased number of organizations. Logpoint’s research team has closely monitored Emotet’s emergence, attack patterns, and possible detections to help organizations stop it before it becomes a threat.
An analysis of multiple malware samples reveals that Emotet has changed its tactics from stealing credentials in the banking sector to stealing other sensitive data and acting as a dropper to distribute other malware like IcedID, Trickbot, or Ruyk. Initial access is done mainly through malspam, emails in bulk containing malware, or a link to download it. From the static and dynamic analysis, Logpoint uncovered multiple files, domains, and botnet networks that are still active in the wild.
"Emotet is the most detected malware sample on many platforms. The fact that there has been a variant for several years and it still manages to bypass defenses is a true testament to its amazing adaptability," says Doron Davidson, VP Logpoint Global Services. "At Logpoint, we’re working to stop threats like Emotet in their tracks before they wreak havoc and cause detrimental damage."
To safeguard your organization against Emotet, Logpoint recommends to:
• Look out for common Tactics, Techniques and Procedures (TTPs) used by Emotet
• Familiarize yourself with known Indicators of Compromise (IoC) and ensure you can detect and block them.
• Look out for malicious macros, like a download of a macro-enabled document, and delete or isolate the spawned and child processes.
• Isolate the endpoints, i.e., in case of an attack, isolate the system, take proper logs, evaluate the situation and remediate.