Threat Intelligence

Emotet Exposed: A Look Inside the Cybercriminal Supply Chain

Emotet is one of the most evasive and destructive malware delivery systems ever deployed. Now it has resurrected itself following a takedown by law enforcement in 2021. It is the very definition of an advanced persistent threat, causing substantial damage during its earlier reign and continuing to pose a danger to organizations everywhere.  

The VMware Threat Analysis Unit™ is releasing insights learned from Emotet’s most recent resurgence in hopes that organizations can better understand and defend themselves against this resilient risk. With telemetry from VMware Contexa cloud-delivered threat intelligence, VMware Threat Analysis Unit first observed the newest waves of Emotet attacks in January 2022.   

By analyzing Emotet’s software development lifecycle, the VMware Threat Analysis Unit was able to dissect how it quickly changes its command and control (C2) infrastructure, obfuscates its configuration, adapts and tests its evasive execution chains, deploys different attack vectors at various stages, laterally propagates, and continues to evolve using numerous tactics and techniques. 

This report covers these findings, providing you with comprehensive information on the exploitation chains and inner workings of the malware deployed by the most recent Emotet attacks. In addition, you will find in this report samples and observed network indicators of compromise (IoCs).  

The report reveals never-before-exposed insights into Emotet, including a large-scale, detailed analysis of: 

  • The modules Emotet delivers  
  • Emotet’s execution chains and their evolution 
  • Emotet’s multiple attack waves, campaigns, and network infrastructure 
  • How to create an Emotet sock puppet to fetch modules  
  • How to extract the recently updated Emotet configuration 
  • Correlating infection techniques and Emotet’s network infrastructure, revealing the agile-like software development lifecycle of Emotet

Key highlights and takeaways for you from the Emotet research report: 

  • Shows evidence that attacking patterns are in continuous evolution 
  • Its attacks serve multiple objectives and have become more prolific due to its wide range of infiltration tactics  
  • Infrastructure is constantly shifting due to threat actors attempts to stay covert and maintain their C2 framework 

The report concludes with recommendations and best practices to support your security strategy for a more ironclad defense against Emotet and other nefarious malware strains.  

Download the Report