SOC109 - Emotet Malware Detected

In this LetsDefend alert, I was presented with notice that the Emotet malware had been detected on our network. Not having heard of Emotet before, a quick internet search told me everything I needed to know.

According to a threat post from Malwarebytes, Emotet, also known as Heodo, is a Ukrainian-based malware strain first identified in 2014 that is delivered to victim machines mainly through malspam and propagates to other devices via a worm. This worm spreads, infecting machines and stealing sensitive and private information. Over time, the malware evolved to perform additional tasks such as delivering other malware and spamming. Emotet is known for laying dormant upon detection of a sandbox environment to avoid detection.

Now having a good sense of what I was dealing with, I opened a case for the alert, first noting that this event involved a file called "1word.doc." The first step in the playbook was to identify the threat indicator. Despite knowing the history of the malware, I still needed to investigate to observe its tactics.

I began by scanning the file in VirusTotal and Hybrid Analysis, both of which reported it as a malicious Trojan threat with high confidence. It appeared the malware extracted additional files during detonation.

Executing the file in an AnyRun sandbox did not corroborate the statement that Emotet lays dormant when detecting sandbox environments. Immediately upon detonation, the file executed a PowerShell script. This script did MANY things, such as modifying temporary and system files, writing changes to the registry and requesting remote procedure calls (RPCs). There were 4 HTTP requests, only 1 of which was successful and communicated with a German domain by the name of "evilnerd[.]com." I noted both the domain name and IP for further investigation.

VirusTotal confirmed the domain was a malicious phishing site; however, neither VirusTotal nor Hybrid Analysis had reports on the associated IP. I suspect that the IP was spoofed and that this was evidence of a possible command and control (C2) server. Based on the results of this analysis, I selected "Unknown or unexpected outbound traffic" as our threat indicator.

The next step in our playbook had us determine whether or not the malware was cleaned. I could see from the alert details that the victim device's action was "cleaned." Additionally, there were no relevant web traffic logs pertaining to the victim's IP. The device belonged to a user on the network and was named "RichardPRD." Browser, command, network and process history were absent of any evidence suggesting unauthorized access. Additionally, the process history showed the activation of the device's Symantec endpoint protection, so I could be pretty certain that the malware was cleaned before an attack could take place. In the absence of any log history showing interaction with the attacker's IP, I determined that no one had requested or made a connection with the C2.
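As an added illustration (not part of the original write-up), the log check described above can be scripted: given the alert's indicators, sweep proxy logs for any internal host that reached the domain, a subdomain of it, or the C2 address. The IP and the log lines are constructed placeholders, since the write-up does not list the real address.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed indicators: the defanged domain from the alert plus a placeholder
# C2 address (TEST-NET-1), because the write-up does not give the real IP.
IOC_DOMAINS = {"evilnerd[.]com"}
IOC_IPS = {"192.0.2.10"}

# Constructed proxy log sample: timestamp, source host, method, URL, status.
SAMPLE_LOG = """\
2021-06-01 10:02:11 RichardPRD GET http://update.example.com/patch.bin 200
2021-06-01 10:02:45 RichardPRD GET http://evilnerd.com/wp-content/load.php 200
2021-06-01 10:03:02 ws-finance-07 POST https://cdn.evilnerd.com:8443/upload 403
2021-06-01 10:03:40 ws-hr-02 GET http://192.0.2.10/gate.php 200
2021-06-01 10:04:12 ws-hr-02 GET https://notevilnerd.com/ 200
2021-06-01 10:05:00 ws-dev-04 CONNECT evilnerd.com:443 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

def refang(indicator):
    """Turn analyst-style defanged notation back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def indicator_hit(host, domains, ips):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return str(ip_address(host)) in ips
    except ValueError:
        pass  # not an IP literal; fall through to domain matching
    return any(host == d or host.endswith("." + d) for d in domains)

def find_c2_contacts(log_lines, domains, ips):
    """Return (source_host, destination, status) for every line that reached an IOC."""
    domains = {refang(d).lower() for d in domains}
    ips = {refang(i) for i in ips}
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        # CONNECT lines carry a bare host:port, which urlsplit does not treat as a netloc.
        host = urlsplit(m["url"]).hostname or m["url"].split("/")[0].split(":")[0]
        if host and indicator_hit(host, domains, ips):
            hits.append((m["src"], host, int(m["status"])))
    return hits
```

Note that "notevilnerd.com" is deliberately not matched: the suffix check requires a dot boundary, so look-alike domains do not produce false hits.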

To close up the alert, I reported that my analysis proved the malware to be malicious. The alert was therefore declared a true positive; however, with the threat cleaned, there would be no need for device containment or Tier 2 escalation. The domain and its IP should be added to the blacklist, however. I reported my artifacts and closed the alert.