Analytics Story: Emotet Malware DHS Report TA18-201A

Date: 2020-01-27 ID: bb9f5ed2-916e-4364-bb6d-91c310efcf52 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.

Why it matters

The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants. According to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014. The searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Email Attachments With Lots Of Spaces None Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment, Phishing Anomaly
Prohibited Software On Endpoint None Hunting
Detect Use of cmd exe to Launch Script Interpreters Command and Scripting Interpreter, Windows Command Shell TTP
Detection of tools built by NirSoft Software Deployment Tools TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
SMB Traffic Spike SMB/Windows Admin Shares, Remote Services Anomaly
SMB Traffic Spike - MLTK SMB/Windows Admin Shares, Remote Services Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1