EMOTET ECOSYSTEM - Sophos News · 2020. 1. 29.
BANKING
RANSOMWARE
Local Network
Mail Clients & Browsers
Microsoft Outlook
Massive spam email campaigns deliver EMOTET to most victims by means of malicious Office documents. Some payloads are attached to the message, while others are linked from the spam. The malicious macro code runs a PowerShell script that, in turn, downloads the malware binary to the %temp% folder.
The main EMOTET executable establishes persistence, then collects user and hardware information from the infected machine. It communicates with a C2 server that decides, based on the victim's profile, which of the several available payload modules it will deliver.
EMOTET modules run as a child process of the main executable, or can be injected into a new instance of it. Each module saves its results to a temporary data file, then sends that file to the C2. The modules may be third-party utilities or bespoke tools that carry out specific tasks.
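As an added example (not part of the Sophos infographic), the delivery and module-launch chain described in the three paragraphs above expressed as detection logic over constructed process-creation events: an Office application spawning powershell.exe, a binary launched from the user's %TEMP% folder beneath it, and a module run in a new instance of that binary. All pids, paths and image names are constructed sample data.

```python
"""Flag the Emotet-style delivery chain described above over constructed
process-creation events: Office app -> powershell.exe -> binary run from %TEMP%."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# Windows per-user temp directory, e.g. C:\Users\alice\AppData\Local\Temp\x.exe
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample telemetry (not real data): pid, parent pid, image path
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\387.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\alice\AppData\Local\Temp\387.exe"},  # module in a new instance
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # benign shell
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\whoami.exe"},
]


def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Yield image names from the process itself up the ppid chain (loop-safe)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield image_name(by_pid[pid])
        pid = by_pid[pid]["ppid"]


def find_delivery_chains(events):
    """Return pids of %TEMP% binaries whose ancestors include Office -> powershell."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not TEMP_PATH.search(ev["image"]):
            continue
        chain = list(ancestry(ev["pid"], by_pid))  # chain[0] is the process itself
        if any(chain[i] == "powershell.exe" and chain[i + 1] in OFFICE_APPS
               for i in range(1, len(chain) - 1)):
            hits.append(ev["pid"])
    return hits


def find_self_spawns(events):
    """Return pids whose parent runs the same image (module launched in a new instance)."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if e["ppid"] in by_pid and by_pid[e["ppid"]]["image"] == e["image"]]
```

The benign explorer.exe -> powershell.exe -> whoami.exe branch is deliberately left unflagged, since the rule keys on the full Office-to-%TEMP% chain rather than on PowerShell alone.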
Breaking in...
Partners in Crime
Arsenal
Targets
© Copyright 2019 Sophos Ltd. All rights reserved.
EMOTET ECOSYSTEM
Find out more at www.sophos.com/en-us/labs
Email Conversation Threads
Email Address Books
Email Credentials
Scans Web Browsers
Brute-Force Credentials
SMB Enumeration
Outlook Messaging API
Components
To Friends, Colleagues and Family
Scans Email Clients
Download and Launch Binary
SPAM BOT
MAILPASSVIEW
BROWSERPASSVIEW
EMAIL CONTACTS EXTRACTOR
EMAIL CONTENT HARVESTER
UPnP MODULE
LAN SPREADER