This tutorial is designed for security professionals who investigate suspicious network activity and review packet captures (pcaps). Familiarity with Wireshark is necessary to understand this tutorial, which focuses on Wireshark version 3.x.

Emotet is an information stealer first reported in 2014 as banking malware. It has since evolved with additional functions such as a dropper, distributing other malware families like Gootkit, IcedID, Qakbot and Trickbot. Today's Wireshark tutorial reviews recent Emotet activity and provides some helpful tips on identifying this malware based on traffic analysis.

Note: These instructions assume you have customized Wireshark as described in our previous Wireshark tutorial about customizing the column display. You will need to access a GitHub repository with ZIP archives containing the pcaps used for this tutorial.

Warning: Some of the pcaps used for this tutorial contain Windows-based malware. There is a risk of infection if you use a Windows computer. If possible, we recommend you review these pcaps in a non-Windows environment like BSD, Linux or macOS.

To understand network traffic caused by Emotet, you must first understand the chain of events leading to an infection. Emotet is commonly distributed through malicious spam (malspam) emails. The critical step in an Emotet infection chain is a Microsoft Word document with macros designed to infect a vulnerable Windows host.

Figure 1. Screenshot of a Word document used to cause an Emotet infection in January 2021.

Malspam spreading Emotet uses different techniques to distribute these Word documents. The malspam may contain an attached Microsoft Word document, or an attached ZIP archive containing the Word document. In recent months, we have seen several examples where these ZIP archives are password-protected. Some emails distributing Emotet do not have any attachments; instead, they contain a link to download the Word document. In previous years, malspam pushing Emotet has also used PDF attachments with embedded links to deliver these Emotet Word documents. Figure 2 illustrates these four distribution techniques.

Figure 2. Various distribution paths for an Emotet Word document.

After the Word document is delivered, if a victim opens the document and enables macros on a vulnerable Windows host, the host is infected with Emotet. From a traffic perspective, we see the following steps from an Emotet Word document to an Emotet infection:

- Web traffic to retrieve the initial binary.
- Encoded/encrypted command and control (C2) traffic over HTTP.
- Additional infection traffic if Emotet drops follow-up malware.
- SMTP traffic if Emotet uses the infected host as a spambot.

Figure 3 shows a flowchart of network activity we might find during an Emotet infection.

Since 21, 2020, the initial binary for Emotet has been a Windows DLL file. Previously, this binary had been a Windows EXE file.

Emotet C2 traffic consists of encoded or otherwise encrypted data sent over HTTP. This C2 activity can use either standard or non-standard TCP ports associated with HTTP traffic. The C2 activity also includes data exfiltration and traffic to update the initial Emotet binary.

Since Emotet is also a malware dropper, the victim may become infected with other malware. Analysts should search for traffic from other malware when investigating traffic from an Emotet-infected host.

Finally, an Emotet-infected host may also become a spambot, generating large amounts of traffic over TCP ports associated with SMTP, such as TCP ports 25, 465 and 587.

Pcaps of Emotet Infection Activity

Five password-protected ZIP archives containing pcaps of recent Emotet infection traffic are available at this GitHub repository. Once on the GitHub page, click on each of the ZIP archive entries and download them, as shown in Figures 4 and 5.

Figure 4. GitHub repository with links to ZIP archives used for this tutorial.

Figure 5. Downloading one of the ZIP archives for this tutorial.

Use infected as the password to extract the pcaps from these ZIP archives. This should give you the following five pcap files:

- Example-1-Emotet-infection.pcap
- Example-2-Emotet-with-spambot-traffic-part-1.pcap
- Example-3-Emotet-with-spambot-traffic-part-2.pcap
- Example-4-Emotet-infection-with-Trickbot.pcap
- Example-5-Emotet-infection-with-Qakbot.pcap

Open Example-1-Emotet-infection.pcap in Wireshark and use a basic web filter as described in our previous tutorial about Wireshark filters. If you have set up Wireshark according to our initial tutorial about customizing Wireshark displays, your display should look similar to Figure 6.
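The two traffic patterns described above that separate an Emotet host from ordinary client activity (HTTP requests to non-standard ports, and one workstation opening SMTP connections to many different mail servers) can be triaged from a conversation table before scrolling through packets. The Python below is an added example, not code from the Unit 42 tutorial: it runs over constructed connection summaries of the kind you can export from Wireshark's Statistics > Conversations view, flags both patterns, and builds a Wireshark display filter to pivot back into the pcap for a flagged host. The Flow record shape, the set of ports treated as "standard" web ports, the fan-out threshold and all addresses are assumptions for illustration; the web-filter expression it reuses is the basic web filter from Unit 42's earlier Wireshark tutorials.

```python
"""Triage conversation summaries for the Emotet traffic patterns discussed above.

Added example (not from the original tutorial). Input is a list of Flow
records, a simplified version of Wireshark's Statistics > Conversations
table. All sample values below are constructed, not taken from a real pcap.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: ports treated as "standard" web ports. Any conversation that
# carries an HTTP request line to another port is flagged for review.
STANDARD_WEB_PORTS = {80, 443, 8080}
# SMTP-related ports named in the tutorial.
SMTP_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Flow:
    src: str            # client address (the host under investigation)
    dst: str            # server address
    dport: int          # server TCP port
    http_request: bool  # an HTTP request line was observed in the conversation
    bytes_out: int      # bytes sent by the client


def nonstandard_http(flows):
    """Conversations carrying HTTP requests to ports outside STANDARD_WEB_PORTS.

    Emotet C2 is HTTP over standard or non-standard ports; the non-standard
    ones stand out immediately in a conversation table.
    """
    hits = {(f.src, f.dst, f.dport) for f in flows
            if f.http_request and f.dport not in STANDARD_WEB_PORTS}
    return sorted(hits)


def spambot_candidates(flows, min_servers=10):
    """Clients talking to at least min_servers distinct servers on SMTP ports.

    A single outbound SMTP connection is normal mail-client behaviour; fan-out
    from one workstation to many mail servers is the spambot pattern.
    """
    servers = defaultdict(set)
    for f in flows:
        if f.dport in SMTP_PORTS:
            servers[f.src].add(f.dst)
    return {src: len(s) for src, s in servers.items() if len(s) >= min_servers}


def pivot_filter(host):
    """Wireshark display filter isolating one host's web and SMTP activity.

    Combines the basic web filter used in the tutorial series,
    (http.request or tls.handshake.type eq 1) and !(ssdp), with the SMTP
    ports, so the flagged host's C2 and spam traffic show up together.
    """
    return (f"ip.addr == {host} and "
            f"(((http.request or tls.handshake.type eq 1) and !(ssdp)) "
            f"or tcp.port in {{25 465 587}})")


def triage(flows, min_servers=10):
    """Run both checks and return {host: [findings]} for hosts that hit either."""
    findings = defaultdict(list)
    for src, dst, port in nonstandard_http(flows):
        findings[src].append(f"HTTP request to {dst}:{port} (non-standard port)")
    for src, n in spambot_candidates(flows, min_servers).items():
        findings[src].append(f"SMTP connections to {n} distinct servers")
    return dict(findings)


# Constructed sample conversations: one host fetching a binary over HTTP,
# talking HTTP on an odd port, then fanning out to twelve mail servers.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "203.0.113.10", 80, True, 1200),
    Flow("10.0.0.15", "198.51.100.7", 7080, True, 4800),
    Flow("10.0.0.15", "198.51.100.9", 8080, True, 3100),
    Flow("10.0.0.22", "203.0.113.50", 443, False, 900),   # ordinary TLS client
] + [Flow("10.0.0.15", f"192.0.2.{i}", 25 if i % 2 else 587, False, 15000)
     for i in range(1, 13)]


if __name__ == "__main__":
    for host, notes in triage(SAMPLE_FLOWS).items():
        print(host)
        for note in notes:
            print("  -", note)
        print("  filter:", pivot_filter(host))
```

Paste the printed filter into the Wireshark filter bar to see only that host's web and SMTP conversations; raise or lower min_servers to match how much legitimate outbound mail your environment's workstations normally send.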