Emotet is one of the most sophisticated and dangerous malware families currently in existence. It is a modular banking Trojan that can steal sensitive information and infect other machines on a network.
Emotet has been active since 2014 and has evolved significantly over time. In this blog, we will discuss the latest version of Emotet, known as Epoch4, which has been responsible for several high-profile attacks in recent months.
Emotet Epoch4 Campaign
The Emotet Epoch4 campaign starts with a phishing email that uses subject lines related to fake invoices or finances. The email carries a .zip or .doc attachment that appears to be a legitimate document. When the victim opens the attachment, they are prompted to enable content in order to view the document. If content is enabled, a malicious macro in the document executes when the victim closes the document. The macro uses rundll32 or regsvr32 to load a malicious DLL file from a non-standard directory.
The DLL file creates a suspicious file using regsvr32 and adds malicious entries under the Registry Run key to maintain persistence. The malware uses System Network Discovery to spread to other machines on the network, which makes it extremely difficult to contain. Once installed, the malware contacts its Command and Control (C2) server to download additional payloads and receive commands.
The Emotet Epoch4 campaign is particularly dangerous because of the techniques it uses to evade detection. The malware uses an AutoOpen VBA macro in the malicious document (MalDoc) to execute code, which makes it difficult for antivirus software to detect the malicious code. The DLL files are loaded with rundll32 or regsvr32 from non-standard directories, which makes the loading hard to detect and block. Additionally, the malware encrypts its C2 communications, making it difficult for security researchers to monitor the malware’s activities.
The Emotet Epoch4 campaign has been responsible for several high-profile attacks in recent months. In February 2021, the campaign targeted the European Union’s diplomatic communication network, resulting in a significant data breach. The campaign has also targeted several government agencies, financial institutions, and healthcare organizations.
Indicators of Compromise (IOC)
Below are the IOC details our research team found during analysis of a recent Emotet Epoch4 phishing campaign:
.zip (the name and hash of the zip file appear to change with each email)
- comments 832.zip
.dll (the name and hash of the DLL file appear to change with each email)
.doc (the name and hash of the doc file appear to change with each email)
- PO 2023-03-08_0827, United States.doc
Observed process command lines:
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Rechnungs-Details.doc" /o ""
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\200907.tmp"
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 2023-03-08_0827, United States.doc" /o ""
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\133800.tmp"
GET request for downloading the zip file that contains the DLL:
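The command lines above show the two behaviours a defender can key on: Word spawning regsvr32 with /s to load a .tmp file from AppData\Local\Temp, and (per the description earlier) a Registry Run value that re-launches that loader at logon. The following is an added example, not code from the original post, of detection logic that runs over process-creation events and Run-key values. The event records, the benign entries and the Run value name "Tgjhdsk" are constructed for the example; only the regsvr32 command lines are taken from the IOC list.

```python
import re

# Constructed process-creation events (parent image -> child command line),
# modelled on the IOC command lines above. Not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmd": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\200907.tmp"'},
    {"parent": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmd": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\133800.tmp"'},
    # Benign (constructed): an installer registering a COM DLL from Program Files
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\vendor.dll"'},
    # Benign (constructed): a user opening a document from Explorer
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\report.docx"'},
]

# Constructed sample of HKCU\...\CurrentVersion\Run values (value name -> command).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Tgjhdsk": r'C:\Windows\System32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\200907.tmp"',
}

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
DLL_LOADERS = ("regsvr32.exe", "rundll32.exe")
# User-writable locations from which a legitimately installed DLL is rarely loaded.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\users\\public\\", "\\programdata\\")

# Tokenise a Windows command line: quoted paths (which may contain spaces) or bare tokens.
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')


def split_cmd(cmd):
    """Split a command line into argv, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmd)]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return sorted detection labels for one process-creation event."""
    labels = set()
    argv = split_cmd(event["cmd"])
    if not argv or basename(argv[0]) not in DLL_LOADERS:
        return []
    # Every non-switch argument to regsvr32/rundll32 is a candidate DLL path.
    for path in (a for a in argv[1:] if not a.startswith("/")):
        p = path.lower()
        if any(d in p for d in SUSPICIOUS_DIRS):
            labels.add("dll_loader_nonstandard_dir")
        if p.endswith(".tmp"):
            labels.add("dll_loader_tmp_extension")
    if basename(event["parent"]) in OFFICE_PARENTS:
        labels.add("office_spawned_dll_loader")
    return sorted(labels)


def scan_events(events):
    """Map each command line that triggered at least one label to its labels."""
    return {e["cmd"]: classify(e) for e in events if classify(e)}


def suspicious_run_values(run_values):
    """Names of Run-key values that start a DLL loader on a file in a user-writable directory."""
    hits = []
    for name, cmd in run_values.items():
        argv = split_cmd(cmd)
        if argv and basename(argv[0]) in DLL_LOADERS \
                and any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for cmd, labels in scan_events(SAMPLE_EVENTS).items():
        print(", ".join(labels), "<-", cmd)
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

The three labels are deliberately independent: a Word parent alone, a Temp directory alone, or a .tmp extension alone each appears in benign activity, but all three together on a regsvr32 /s launch match the chain described in this campaign and make a reasonable high-confidence alert, while the individual labels are useful as lower-severity hunting signals.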
The Emotet Epoch4 campaign is one of the most sophisticated and dangerous malware campaigns currently in existence. It uses advanced techniques to evade detection and can cause significant damage to organizations that are targeted. It is essential for organizations to be vigilant and implement robust security measures to protect against this threat. This includes implementing security best practices, such as regularly updating software and educating employees on how to recognize and avoid phishing attacks.