March 15, 2022

Emotet Surges in Japan

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason’s tracking of Emotet malware in the first quarter of 2022 has identified a surge of Emotet activity against Japanese organizations. Emotet’s distribution has been identified through malicious Excel documents that download the malware upon execution. The malware uses regsvr32 to execute a malicious DLL file; however, the DLL is given a .ocx file extension rather than .dll. Subsequent events involve the malware establishing persistence in the registry and conducting reconnaissance activity. Cybereason noted that Emotet in its current attacks has not used PowerShell for deployment.

  • Anvilogic Scenarios:
    • Emotet Behaviors
    • Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • regsvr32 Execution
    • New AutoRun Registry Key
    • Common Reconnaissance Commands
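A minimal detection sketch for the chain described above, added here as an example (not Cybereason’s or Anvilogic’s code): it maps constructed process and registry events to the four use cases listed. The event field names, the sample events, and the path/command heuristics are assumptions, not the vendor’s actual logic.

```python
import re

# Constructed sample telemetry modelled on the reported chain (not real events).
EVENTS = [
    {"type": "process", "parent": "EXCEL.EXE", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\abc123.ocx"},
    {"type": "registry", "image": r"C:\Windows\System32\regsvr32.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xyz",
     "value": r"C:\Users\alice\AppData\Local\xyz\abc123.ocx"},
    {"type": "process", "parent": "regsvr32.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo & ipconfig /all & net view"},
    # Benign: regsvr32 registering a vendor DLL from a protected path, launched from explorer.
    {"type": "process", "parent": "explorer.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\vendor.dll"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)   # assumed "staging dir" heuristic
MODULE_ARG = re.compile(r"(\S+\.(?:ocx|dll))\b", re.I)           # module passed to regsvr32
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
RECON = {"systeminfo", "ipconfig", "net", "whoami", "tasklist", "nltest"}


def classify(ev):
    """Return the use-case labels a single event triggers (empty list if none)."""
    hits = []
    if ev["type"] == "process":
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev["parent"].lower()
        if image == "regsvr32.exe":
            m = MODULE_ARG.search(ev["cmdline"])
            module = m.group(1) if m else ""
            if parent in OFFICE_PARENTS:          # Office spawning regsvr32
                hits.append("Malicious Document Execution")
            if USER_WRITABLE.search(module):      # .ocx/.dll loaded from a user-writable path
                hits.append("regsvr32 Execution")
        elif parent == "regsvr32.exe":            # child of the loader running recon tooling
            tokens = set(re.findall(r"[a-z]+", ev["cmdline"].lower()))
            if tokens & RECON:
                hits.append("Common Reconnaissance Commands")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        if USER_WRITABLE.search(ev["value"]):     # Run key pointing into a user-writable path
            hits.append("New AutoRun Registry Key")
    return hits


def triggered_use_cases(events):
    """Distinct use cases seen across one host's events; several firing together is the Emotet chain."""
    labels = set()
    for ev in events:
        labels.update(classify(ev))
    return labels
```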