On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened over night? Well, like Sherrod DeGrippo from ProofPoint ...
Jorge Orchilles
4 min. read
30 Jul 2020
On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened over night? Well, like Sherrod DeGrippo from ProofPoint wrote, emotet returns after a 5 month hiatus. Emotet is a banking trojan that gains access to end user machines and steals their financial information such as login information and personal identifiable information (PII). This week, we met with Sherrod and discussed Emotet. As usual, we create an adversary emulation plan based on Cyber Threat Intelligence and then emulate it with SCYTHE. We share the emulation plan so the community can also emulate the Emotet campaign to test and improve people, process, and technology. Lastly, we discuss how to defend against Emotet, in this case, we cover training the end users by performing phishing simulations. We hope you enjoy it.
Cyber Threat Intelligence
This week, our Cyber Threat Intelligence comes from a company that is at the forefront of email security, ProofPoint. We interview Sherrod DeGrippo who wrote the article emotet returns after a 5 month hiatus to understand what Emotet is, how they operate, and how we can improve security. Here is this week’s interview:
We found a number of additional resources related to the latest Emotet campaign to pull out the Cyber Threat Intelligence:
An excellent resource to see replays of what occurs when someone falls for the phishing email and opens the emotet document is the site any.run. Here are a few for emotet:
Emotet works by spamming targets with business-related emails containing malicious Office documents that are either attached to the email or with a link to download the malicious file. If someone falls for the phishing email, opens the document, and enables macros, the Emotet malware will execute.
Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector.
Objective
Banking Trojan - steal banking information and PII
Initial Access
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
Command and Control
T1573 - Encrypted Channel
T1573.002 - Asymmetric Cryptography
T1571 - Non-Standard Port
Execution
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.005 - Visual Basic
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1047 - Windows Management Instrumentation
Defense Evasion
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1055 - Process Injection
T1055.001 - Dynamic-link Library Injection
T1078 - Valid Accounts
T1078.003 - Local Accounts
Discovery
T1087 - Account Discovery
T1087.003 - Email Account
T1057 - Process Discovery
Credential Access
T1110 - Brute Force
T1110.001 - Password Guessing
T1555 - Credentials from Password Stores
T1555.003 - Credentials from Web Browsers
T1040 - Network Sniffing
T1003 - OS Credential Dumping
T1003.001 - LSASS Memory
T1552 - Unsecured Credentials
T1552.001 - Credentials In Files
Collection
T1560 - Archive Collected Data
T1114 - Email Collection
T1114.001 - Local Email Collection
Persistence
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1543 - Create or Modify System Process
T1543.003 - Windows Service
Lateral Movement
T1210 - Exploitation of Remote Services
T1021 - Remote Services
T1021.002 - SMB/Windows Admin Shares
Exfiltration
T1041 - Exfiltration Over C2 Channel
Defend against Emotet
Defending against emotet and other phishing campaigns can be broken up by people, process, and technology. ProofPoint is an excellent technology solution to cut down and stop phishing and malicious emails from getting to users.
From a people and process perspective, user awareness training is one of the best defenses against phishing attacks like emotet campaigns. Creating a phishing simulation program involves coordination with a number of internal teams but at a high level:
Create an email template that is used against the target organization
If someone clicks on the email, they should get a message immediately informing them this was a test and with best practices of what to do next time
People reporting the phishing email should have some sort of positive reinforcement
Conclusion
Emotet campaigns are back and ProofPoint was quick to catch it. We had a chat with Sherrod DeGrippo from ProofPoint and discussed the new campaign, phishing as a whole, emulating emotet, and how to defend against it. We created an adversary emulation plan and shared it on our Github. Lastly, we covered how to defend against phishing attacks by focusing on people, process, and technology. We hope you enjoyed it.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
About SCYTHE
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.