On Friday, July 17, many of us woke up to a batch of new phishing emails. What happened overnight? As Sherrod DeGrippo from Proofpoint wrote, Emotet returned after a five-month hiatus. Emotet began life as a banking trojan and is now a modular loader: it gains a foothold on end-user machines, steals information such as login credentials and personally identifiable information (PII), and delivers other malware. This week, we met with Sherrod and discussed Emotet. As usual, we created an adversary emulation plan based on Cyber Threat Intelligence and then emulated it with SCYTHE. We share the emulation plan so the community can also emulate the Emotet campaign to test and improve people, process, and technology. Lastly, we discuss how to defend against Emotet; in this case, we cover training end users by running phishing simulations. We hope you enjoy it.
Cyber Threat Intelligence
This week, our Cyber Threat Intelligence comes from a company at the forefront of email security, Proofpoint. We interviewed Sherrod DeGrippo, who wrote the article Emotet Returns After a 5 Month Hiatus, to understand what Emotet is, how its operators work, and how we can improve security. Here is this week's interview:
We found a number of additional resources on the latest Emotet campaign from which to extract Cyber Threat Intelligence:
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
- https://arstechnica.com/information-technology/2020/07/destructive-emotet-botnet-returns-with-250k-strong-blast-of-toxic-email/
- https://www.bleepingcomputer.com/news/security/emotet-spam-trojan-surges-back-to-life-after-5-months-of-silence/
- https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/
An excellent resource for replaying what happens when someone falls for the phishing email and opens the Emotet document is the sandbox site any.run. Here are a few Emotet analyses:
- https://any.run/malware-trends/emotet
- https://app.any.run/tasks/a434f4f2-994b-4e53-99bf-955697e2aff1/
- https://app.any.run/tasks/876c3d4d-f46e-4ade-9f2c-3207c4baa82d/
Emotet has been around for a number of years and is tracked by MITRE ATT&CK. We can see the TTPs in the ATT&CK Navigator layer created from the JSON in the SCYTHE Community Threats GitHub.
Adversary Emulation Plan
Emotet spreads by spamming targets with business-themed emails carrying a malicious Office document, either attached to the email or reachable through a download link. If the recipient falls for the lure, opens the document, and enables macros, the embedded VBA runs and the Emotet loader executes.
As usual, below is the adversary emulation profile for Emotet. The emulation plan can be downloaded from the SCYTHE Community Threats GitHub and imported into your SCYTHE instance.
Tactic | Description
--- | ---
Description | Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector.
Objective | Banking Trojan - steal banking information and PII
Initial Access | T1566 - Phishing; T1566.001 - Spearphishing Attachment; T1566.002 - Spearphishing Link
Command and Control | T1573 - Encrypted Channel; T1573.002 - Asymmetric Cryptography; T1571 - Non-Standard Port
Execution | T1059 - Command and Scripting Interpreter; T1059.001 - PowerShell; T1059.003 - Windows Command Shell; T1059.005 - Visual Basic; T1053 - Scheduled Task/Job; T1053.005 - Scheduled Task; T1204 - User Execution; T1204.001 - Malicious Link; T1204.002 - Malicious File; T1047 - Windows Management Instrumentation
Defense Evasion | T1027 - Obfuscated Files or Information; T1027.002 - Software Packing; T1055 - Process Injection; T1055.001 - Dynamic-link Library Injection; T1078 - Valid Accounts; T1078.003 - Local Accounts
Discovery | T1087 - Account Discovery; T1087.003 - Email Account; T1057 - Process Discovery
Credential Access | T1110 - Brute Force; T1110.001 - Password Guessing; T1555 - Credentials from Password Stores; T1555.003 - Credentials from Web Browsers; T1040 - Network Sniffing; T1003 - OS Credential Dumping; T1003.001 - LSASS Memory; T1552 - Unsecured Credentials; T1552.001 - Credentials In Files
Collection | T1560 - Archive Collected Data; T1114 - Email Collection; T1114.001 - Local Email Collection
Persistence | T1547 - Boot or Logon Autostart Execution; T1547.001 - Registry Run Keys / Startup Folder; T1543 - Create or Modify System Process; T1543.003 - Windows Service
Lateral Movement | T1210 - Exploitation of Remote Services; T1021 - Remote Services; T1021.002 - SMB/Windows Admin Shares
Exfiltration | T1041 - Exfiltration Over C2 Channel
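The Navigator layer mentioned above is generated from the technique IDs in this table. The following is an added example of how to build such a layer yourself; it is not SCYTHE's own code or its published JSON. The table rows are embedded as a string and parsed for ATT&CK IDs, and the layer field names and the ATT&CK/Navigator version numbers are assumptions about the Navigator 4.x layer format.

```python
"""Build an ATT&CK Navigator layer from the Emotet emulation plan table above.

Added example, not the SCYTHE project's own code or its published JSON.
"""
import json
import re

# Rows of the emulation-plan table above ("Tactic | technique list"),
# restricted to the rows that carry ATT&CK technique IDs.
EMOTET_PLAN = """\
Initial Access | T1566 - Phishing; T1566.001 - Spearphishing Attachment; T1566.002 - Spearphishing Link
Command and Control | T1573 - Encrypted Channel; T1573.002 - Asymmetric Cryptography; T1571 - Non-Standard Port
Execution | T1059 - Command and Scripting Interpreter; T1059.001 - PowerShell; T1059.003 - Windows Command Shell; T1059.005 - Visual Basic; T1053 - Scheduled Task/Job; T1053.005 - Scheduled Task; T1204 - User Execution; T1204.001 - Malicious Link; T1204.002 - Malicious File; T1047 - Windows Management Instrumentation
Defense Evasion | T1027 - Obfuscated Files or Information; T1027.002 - Software Packing; T1055 - Process Injection; T1055.001 - Dynamic-link Library Injection; T1078 - Valid Accounts; T1078.003 - Local Accounts
Discovery | T1087 - Account Discovery; T1087.003 - Email Account; T1057 - Process Discovery
Credential Access | T1110 - Brute Force; T1110.001 - Password Guessing; T1555 - Credentials from Password Stores; T1555.003 - Credentials from Web Browsers; T1040 - Network Sniffing; T1003 - OS Credential Dumping; T1003.001 - LSASS Memory; T1552 - Unsecured Credentials; T1552.001 - Credentials In Files
Collection | T1560 - Archive Collected Data; T1114 - Email Collection; T1114.001 - Local Email Collection
Persistence | T1547 - Boot or Logon Autostart Execution; T1547.001 - Registry Run Keys / Startup Folder; T1543 - Create or Modify System Process; T1543.003 - Windows Service
Lateral Movement | T1210 - Exploitation of Remote Services; T1021 - Remote Services; T1021.002 - SMB/Windows Admin Shares
Exfiltration | T1041 - Exfiltration Over C2 Channel
"""

# Matches a technique (T1566) or sub-technique (T1566.001) ID.
TECHNIQUE_RE = re.compile(r"\b(T\d{4}(?:\.\d{3})?)\b")


def tactic_slug(name: str) -> str:
    """Navigator refers to tactics by lowercase, hyphen-joined slugs."""
    return name.strip().lower().replace(" ", "-")


def parse_plan(text: str) -> dict:
    """Return {tactic_slug: [technique IDs in table order]}.

    Rows without a pipe or without any technique ID (e.g. the Description
    and Objective rows) are skipped.
    """
    plan = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        tactic, techniques = line.split("|", 1)
        ids = TECHNIQUE_RE.findall(techniques)
        if ids:
            plan[tactic_slug(tactic)] = ids
    return plan


def build_layer(plan: dict, name: str = "Emotet", color: str = "#fd8d3c") -> dict:
    """Assemble a Navigator layer dict.

    Field names and version numbers follow the Navigator 4.x layer format as
    assumed for this example; adjust "versions" to match your Navigator.
    """
    techniques = [
        {"techniqueID": tid, "tactic": tactic, "color": color,
         "enabled": True, "score": 1, "comment": ""}
        for tactic, ids in plan.items()
        for tid in ids
    ]
    return {
        "name": name,
        "versions": {"attack": "7", "navigator": "4.0", "layer": "4.0"},  # assumed
        "domain": "enterprise-attack",
        "description": f"{name} TTPs from the Threat Thursday emulation plan",
        "techniques": techniques,
        "legendItems": [{"label": f"{name} emulation plan", "color": color}],
    }


def technique_ids(layer: dict) -> set:
    """Distinct technique IDs present in a layer; useful for diffing plans."""
    return {t["techniqueID"] for t in layer["techniques"]}


if __name__ == "__main__":
    print(json.dumps(build_layer(parse_plan(EMOTET_PLAN)), indent=2))
```

Save the printed JSON to a file and open it with Navigator's "Open Existing Layer" to highlight the 45 techniques in the plan; because each entry carries its tactic slug, a technique that appears under two tactics (for example T1053 under Execution and Persistence) is highlighted only in the column the plan actually lists it under.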
Defend against Emotet
Defending against Emotet and other phishing campaigns can be broken down by people, process, and technology. On the technology side, an email security gateway such as Proofpoint's cuts down on the phishing and malicious emails that reach users; the Friday morning inboxes that opened this post are a reminder that some still get through.
From a people and process perspective, user awareness training is one of the best defenses against phishing attacks like Emotet campaigns. Creating a phishing simulation program involves coordination with a number of internal teams, but at a high level:
- Create an email template modeled on the lures being sent to the target organization
- Create a unique tracking link per email address so each click can be attributed
- Send the emails to the target addresses
- Metrics: clicked the link (failed test); reported the email (passed test)
- If someone clicks the link, they should immediately see a message telling them this was a test, along with best practices for what to do next time
- People who report the phishing email should receive some sort of positive reinforcement
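The tracking core of that procedure, as an added example that is not Proofpoint's or SCYTHE's code: it issues a unique link per address, records clicks and reports, returns the landing-page and thank-you text the last two steps call for, and computes the metrics. Sending the mail and serving the landing page over HTTP are left to the caller. The recipient list, lure template and message texts are constructed for the example, and the rule that a click counts as a failure even if the user reports afterwards is an assumption made here.

```python
"""Tracking core for a phishing-simulation program (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the example; not real addresses.
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Hypothetical business-themed lure; {link} becomes the per-recipient URL.
TEMPLATE = (
    "Subject: Invoice 4471 past due\n\n"
    "Hello,\n\nPlease review the outstanding invoice here: {link}\n"
)

LANDING_PAGE = (
    "This was a phishing simulation run by your security team. No harm was done.\n"
    "Next time: check the sender address, hover over links before clicking, and\n"
    "use the Report Phishing button if anything looks off."
)

THANK_YOU = "Thanks for reporting this message. You passed this round; keep it up."


@dataclass
class Outcome:
    clicked: bool = False
    reported: bool = False


class PhishingSimulation:
    def __init__(self, base_url: str, secret: Optional[bytes] = None):
        self.base_url = base_url.rstrip("/")
        # The secret keys the per-address tokens; generate a fresh one per campaign.
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.token_to_email = {}
        self.outcomes = {}

    def token_for(self, email: str) -> str:
        # HMAC-SHA256 of the address: unique per recipient, stable across re-sends,
        # and not enumerable by someone who sees one link (they lack the secret).
        mac = hmac.new(self.secret, email.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:24]

    def build_emails(self, recipients, template: str = TEMPLATE) -> dict:
        """Return {email: message body} with a unique tracking link per address."""
        emails = {}
        for addr in recipients:
            addr = addr.strip().lower()
            token = self.token_for(addr)
            self.token_to_email[token] = addr
            self.outcomes[addr] = Outcome()
            emails[addr] = template.format(link=f"{self.base_url}/t/{token}")
        return emails

    def handle_click(self, token: str) -> Optional[str]:
        """Called when a tracking link is hit. Returns the landing-page text, or
        None for a token that was never issued (scanner noise, tampering)."""
        addr = self.token_to_email.get(token)
        if addr is None:
            return None
        self.outcomes[addr].clicked = True
        return LANDING_PAGE

    def handle_report(self, email: str) -> Optional[str]:
        """Called when a user reports the lure. Returns the reinforcement text,
        or None for an address that was not part of this campaign."""
        outcome = self.outcomes.get(email.strip().lower())
        if outcome is None:
            return None
        outcome.reported = True
        return THANK_YOU

    def metrics(self) -> dict:
        """Clicked counts as a fail even if the user reports afterwards; passed
        means reported without clicking (assumption made for this example)."""
        outcomes = list(self.outcomes.values())
        sent = len(outcomes)
        clicked = sum(o.clicked for o in outcomes)
        reported = sum(o.reported for o in outcomes)
        passed = sum(o.reported and not o.clicked for o in outcomes)
        no_action = sum(not o.clicked and not o.reported for o in outcomes)
        return {
            "sent": sent,
            "clicked": clicked,
            "reported": reported,
            "passed": passed,
            "no_action": no_action,
            "click_rate": round(clicked / sent, 3) if sent else 0.0,
            "report_rate": round(reported / sent, 3) if sent else 0.0,
        }


if __name__ == "__main__":
    sim = PhishingSimulation("https://training.example.com")
    mail = sim.build_emails(RECIPIENTS)
    sim.handle_click(sim.token_for("bob@example.com"))
    sim.handle_report("carol@example.com")
    print(sim.metrics())
```

Keying the token with an HMAC rather than a plain hash or a sequential counter matters: a recipient who forwards the lure, or a mail scanner that follows links, cannot derive another colleague's link and register a click on their behalf, so the per-address metric stays attributable.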
Conclusion
Emotet campaigns are back and Proofpoint was quick to catch it. We had a chat with Sherrod DeGrippo from Proofpoint and discussed the new campaign, phishing as a whole, emulating Emotet, and how to defend against it. We created an adversary emulation plan and shared it on our GitHub. Lastly, we covered how to defend against phishing attacks by focusing on people, process, and technology. We hope you enjoyed it.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
About SCYTHE
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.

July 30, 2020