Threat Hunting Content: Emotet Returns Once Again

For never was a story of more woe than this of once again returning Emotet. This time there were no full-scale campaigns for about seven months, although isolated infections were recorded and researchers kept finding documents distributing this malware. The attacks resumed last Friday, with the botnet sending about 250,000 emails in a matter of hours, targeting recipients primarily in the United States and the United Kingdom. Since then, the botnet has continued to supply researchers with new samples and holds a leading position among submissions on any.run.

In recent campaigns the botnet has been distributing the IcedID trojan, but its operators can quickly reconfigure it to deliver any payload. Recall that last year Emotet went on vacation for the whole summer before coming back to its senses after a long break. This time everything happened faster, and we are already looking forward to its next long vacation. In the meantime, Threat Bounty Program members present fresh community content to detect this threat:

Emotet Through Word Document (Sysmon Behavior) by Lee Archinal: https://tdm.socprime.com/tdm/info/2tYN2TlMxm0a/zMQad3MBQAH5UgbB7xy7/?p=1

Public cyber enemy Emotet has returned by Osman Demir: https://tdm.socprime.com/tdm/info/mX8YnI2czLHA/pMYLe3MBQAH5UgbBgol9/?p=1

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Initial Access, Execution, Defense Evasion, Command and Control

Techniques: Spearphishing Attachment (T1193), Command-Line Interface (T1059), Indicator Removal on Host (T1070), Standard Application Layer Protocol (T1071)
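The behaviour the Sysmon rule above is built around, a Word document whose macro launches a command interpreter (Spearphishing Attachment leading into Command-Line Interface), can be checked with a small script over process-creation events. The following is an added example written for this page, not the logic of either TDM rule and not SOC Prime's code: it parses constructed one-line renderings of Sysmon Event ID 1 (the field names follow Sysmon, the pipe-separated layout and the sample events are this example's own) and flags any shell or script host whose parent is an Office application. The lists of Office parents and shell children are assumptions chosen for the illustration.

```python
"""Added example: flag Office applications spawning shells/script hosts
from Sysmon process-creation (Event ID 1) records.

Not the TDM rule content; the event layout and samples are constructed.
"""
from dataclasses import dataclass

# Assumption: these Office binaries cover the maldoc delivery vector.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: interpreters a macro typically hands off to (T1059).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    image: str          # child process name, lower-cased
    parent_image: str   # parent process name, lower-cased
    command_line: str   # full child command line for the analyst


def parse_event(line: str) -> dict:
    """Parse 'Key: value|Key: value' (constructed layout, not Sysmon XML)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a Finding for every Event ID 1 where an Office parent
    spawns a shell or script host; other event IDs are ignored."""
    findings = []
    for raw in events:
        ev = parse_event(raw)
        if ev.get("EventID") != "1":
            continue
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            findings.append(Finding(child, parent, ev.get("CommandLine", "")))
    return findings


# Constructed sample events: one maldoc-style launch, one benign process
# creation, and one network-connect event (ID 3) that must be skipped.
SAMPLE_EVENTS = [
    "EventID: 1|Image: C:\\Windows\\System32\\cmd.exe"
    "|ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine: cmd /c powershell -NoProfile -WindowStyle Hidden"
    " -Command \"echo constructed sample\"",
    "EventID: 1|Image: C:\\Windows\\System32\\notepad.exe"
    "|ParentImage: C:\\Windows\\explorer.exe|CommandLine: notepad.exe",
    "EventID: 3|Image: C:\\Windows\\System32\\cmd.exe"
    "|ParentImage: C:\\Windows\\explorer.exe|CommandLine: cmd.exe",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.parent_image} -> {f.image}: {f.command_line}")
```

Matching on the parent image alone is only one layer: a macro that creates the process through WMI shows wmiprvse.exe as the parent rather than winword.exe, so in production this check belongs alongside rules on command-line content (encoded PowerShell, hidden windows) and on the outbound connections mapped to T1071 above.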



Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.