Additional infection traffic if Emotet drops follow-up malware.Encoded/encrypted command and control (C2) traffic over HTTP.Web traffic to retrieve the initial binary.Various distribution paths for an Emotet Word document.Īfter the Word document is delivered, if a victim opens the document and enables macros on a vulnerable Windows host, the host is infected with Emotet.įrom a traffic perspective, we see the following steps from an Emotet Word document to an Emotet infection: In previous years, malspam pushing Emotet has also used PDF attachments with embedded links to deliver these Emotet Word documents.įigure 2 illustrates these four distribution techniques. Instead, they contain a link to download the Word document. Some emails distributing Emotet do not have any attachments. In recent months, we have seen several examples where these ZIP archives are password-protected. The malspam may contain an attached Microsoft Word document or have an attached ZIP archive containing the Word document. Malspam spreading Emotet uses different techniques to distribute these Word documents. Screenshot of a Word document used to cause an Emotet infection in January 2021. The critical step in an Emotet infection chain is a Microsoft Word document with macros designed to infect a vulnerable Windows host. Emotet is commonly distributed through malicious spam (malspam) emails. To understand network traffic caused by Emotet, you must first understand the chain of events leading to an infection. If possible, we recommend you review these pcaps in a non-Windows environment like BSD, Linux or macOS. There is a risk of infection if using a Windows computer. Warning: Some of the pcaps used for this tutorial contain Windows-based malware. You will need to access a GitHub repository with ZIP archives containing the pcaps used for this tutorial. Note: These instructions assume you have customized Wireshark as described in our previous Wireshark tutorial about customizing the column display. Today’s Wireshark tutorial reviews recent Emotet activity and provides some helpful tips on identifying this malware based on traffic analysis. It has since evolved with additional functions such as a dropper, distributing other malware families like Gootkit, IcedID, Qakbot and Trickbot. Familiarity with Wireshark is necessary to understand this tutorial, which focuses on Wireshark version 3.x.Įmotet is an information-stealer first reported in 2014 as banking malware.
This tutorial is designed for security professionals who investigate suspicious network activity and review packet captures (pcaps).
0 kommentar(er)
