The resurgence of a crippling malware: How to threat hunt Emotet

  • Logpoint research reveals that Emotet has developed into a Loader-as-a-Service - a dropper of other malware
  • Logpoint recommends looking out for its common TTPs, IoCs, and malicious macros to detect Emotet

COPENHAGEN, Denmark & BOSTON, December 15, 2022 – Emotet keeps coming back with renewed force. Despite being taken down by authorities in 2021, it is back again and rapidly evolving. Emotet is now a Loader-as-a-Service that downloads other malware and wreaks havoc on a growing number of organizations. Logpoint's research team has closely monitored Emotet's re-emergence, attack patterns, and possible detections to help organizations stop it before it becomes a threat.

An analysis of multiple malware samples reveals that Emotet has changed its tactics from stealing credentials in the banking sector to stealing other sensitive data and acting as a dropper that distributes other malware such as IcedID, Trickbot, or Ryuk. Initial access is gained mainly through malspam: bulk emails that either carry the malware as an attachment or contain a link to download it. From static and dynamic analysis, Logpoint uncovered multiple files, domains, and botnet networks that are still active in the wild.

"Emotet is the most detected malware sample on many platforms. The fact that there has been a variant for several years and it still manages to bypass defenses is a true testament to its amazing adaptability," says Doron Davidson, VP Logpoint Global Services. "At Logpoint, we're working to stop threats like Emotet in their tracks before they wreak havoc and cause detrimental damage."

To safeguard your organization against Emotet, Logpoint recommends that you:

  • Look out for the common Tactics, Techniques and Procedures (TTPs) used by Emotet.
  • Familiarize yourself with known Indicators of Compromise (IoCs) and ensure you can detect and block them.
  • Look out for malicious macros, for example in a downloaded macro-enabled document, and delete or isolate the processes they spawn and their child processes.
  • Isolate the endpoints: in case of an attack, isolate the affected system, collect proper logs, evaluate the situation, and remediate.

Read Logpoint's blog post about Emotet here, and access the full Emerging Threats Protection Report, Emotet-ually Unstable - The resurgence of a nuisance. The report offers in-depth vulnerability analysis, means to detect and respond to the threat, and insights about incident investigation and response.

Contacts

Maimouna Corr Fonsbøl

Press contact, Head of PR, PR & Communications, +45 25 66 82 98

About Logpoint

Headquartered in Copenhagen, Denmark, with offices across Europe, the USA, and Asia, Logpoint is a multinational, multicultural, inclusive cybersecurity company. Logpoint bolsters organizations in the fight against evolving threats by giving them a single source of truth — an intuitively designed platform with the powerful capabilities needed to ensure their safety. Powered by machine learning and backed by an industry-leading support team, Logpoint’s cybersecurity operations platform accelerates detection and response, allowing organizations to respond to tomorrow’s threats.

Logpoint’s core belief lies in creating software that empowers security teams to make confident decisions, feel justified in their choices, and more efficiently protect their organizations. That principle has earned them the trust of more than 1,000 organizations worldwide, as well as a place in Gartner’s Magic Quadrant.

The company’s culture prioritizes passion, innovation, team spirit, and client satisfaction. Together, these values fuel Logpoint’s success across cybersecurity technologies: from SIEM, UEBA, and SOAR to SAP security, converged into an integrated security operations platform, created to protect the digital heart of organizations.

Logpoint
Bryggervangen 55
2100 Copenhagen
Denmark