![]() If the attempt to create a new service fails, Emotet creates a new registry key in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the same names that were used when creating the service.Īs soon as the Emotet DLL is launched, it registers with one of the 20 C2 IPs that are hardcoded in encrypted form into the malware body. A randomly generated name and extension, which were used to create a copy, act as service names. The exported Control_RunDLL function is used to run the main activity of the Emotet DLL.Īfter being run, the Emotet malware creates a service by calling the CreateServiceW() function. Depending on the available access, Emotet creates a subdirectory with a random name in the %Windows%\SysWOW64\ or %User%\AppData\Local\ directory, and copies itself there under a randomly generated name and extension. Malicious macros are used to start PowerShell, and download and execute an Emotet DLL. Emotet technical analysis Infection chainĪ typical Emotet infection begins with spam e-mails delivered with Microsoft Office (Word, Excel) attachments. In this post, we provide a brief analysis of these modules, as well as statistics on recent Emotet attacks. We were able to retrieve 10 of them (including two different copies of the Spam module), used by Emotet for Credential/Password/Account/E-mail stealing and spamming. Now, Emotet is spreading by itself in malicious spam campaigns.īased on recent Emotet protocol analysis and C2 responses, we can say that now Emotet can download 16 additional modules. At that time, Trickbot malware was used to deliver Emotet. It took the threat actors almost 10 months to rebuild the infrastructure, whereupon Emotet returned in November. ![]() In January 2021 Emotet was disrupted by a joint effort of different countries’ authorities. Since then it has survived numerous transformations, started delivering other malware and finally became a powerful botnet. Back then its main functionality was stealing user banking credentials. ![]() Emotet was first found in the wild in 2014. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |