Mummy Spider’s Emotet, a short introduction ++copy/paste++

Awais Afzal Kamboh
3 min read · Aug 15, 2021

Mummy Spider

Mummy Spider is a criminal threat actor linked to the development of the malware known as Emotet or Geodo.

They are also known by several other names:

  • TA542 (Proofpoint)
  • ATK 104 (Thales)
  • Mealybug (Symantec)
  • Gold Crestwood (SecureWorks)

The main motivation behind their work was financial crime. There are no sources or proof indicating that they were backed by any government. Their presence on the internet was first seen in 2014. After 2014 they evolved into an international threat actor by distributing Malware-as-a-Service and dropping other banking trojans, namely Trickbot, Ursnif, Ryuk, and IcedID.

Top cybersecurity firm CrowdStrike, in their report, categorized them as MUMMY SPIDER because of their malware named Emotet, also known as Geodo. This malware is recognized as an evolved binary due to its different iterations over the years, as it continuously changed its payload. Emotet poses a threat because of its “worm-like” features, which enable network-wide infections: it duplicates itself into standard persistent locations on the Windows system that are responsible for handling files.

Goals of this malware:

  1. Gaining access to the infected device.
  2. Collecting a wide range of information about the victim from the infected device.
  3. Downloading payload modules from the C2 in such a way that it profiles the machine and steals credentials.

It is difficult for the malware analyst to remove the malware because of these capabilities of Emotet:

  • Random services creation
  • Auto-start registry values
  • Loaded DLL

The payloads it drops have mostly been banking trojans, with Trickbot and the Ryuk ransomware the most prevalent. According to reports from security specialists at G DATA, they recorded more than 53,000 variations of the Emotet malware in the first half of 2019.

So here are some of the variants. Each variant is categorized in terms of its modular structure.

Emotet Variant 1:

It has three modules:

  • installation module
  • banking module
  • spam bot module

These modules were used to conduct DDoS attacks, to steal address books from MS Outlook, and to take money directly from infected victims’ bank accounts.

Emotet Variant 2:

It injects code into the victim’s system by following these steps:

  • Opening a process
  • Writing into the process’s memory
  • Creating a remote thread

It targets the AppData folder and saves itself under a random 8-character binary name, e.g. abcdefgh.exe. After it has established a stronghold in the registry, it deletes itself from AppData.
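The persistence capabilities listed above (random services, auto-start registry values) and the Variant 2 behaviour just described (random 8-character binary under AppData, registry stronghold, remote thread creation) can all be surfaced from endpoint telemetry. The following is an added example written for this post, not code from the original article, from JPCERT/CC or from any vendor: it runs simple detection rules over constructed, Sysmon-style event records and flags hosts on which more than one rule fires. The regexes, the event field names (`image`, `target`, `details`, `source_image`, `service_name`) and the service allowlist are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Heuristics for the behaviours described in the post. The patterns are
# assumptions made for this example, not signatures published by any vendor.

# Variant 2 drops a binary with a random 8-character name directly under AppData.
RANDOM_APPDATA_EXE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\[a-z0-9]{8}\.exe$", re.IGNORECASE)
# Auto-start registry values written under a Run key.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Random-looking service names: 8-16 lowercase letters/digits and nothing else.
RANDOM_SERVICE = re.compile(r"^[a-z0-9]{8,16}$")
# Constructed allowlist: legitimate Windows services whose short names would
# otherwise match the random-name heuristic.
KNOWN_SERVICES = {"wuauserv", "bits", "dnscache", "eventlog", "winmgmt"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def analyse(events):
    """Return one Finding per event that matches an Emotet-like behaviour."""
    findings = []
    for e in events:
        host, kind = e["host"], e["event"]
        if kind == "ProcessCreate" and RANDOM_APPDATA_EXE.search(e.get("image", "")):
            findings.append(Finding(host, "random_appdata_binary", e["image"]))
        elif (kind == "RegistryValueSet"
              and RUN_KEY.search(e.get("target", ""))
              and RANDOM_APPDATA_EXE.search(e.get("details", ""))):
            findings.append(Finding(host, "run_key_persistence", e["target"]))
        elif (kind == "CreateRemoteThread"
              and RANDOM_APPDATA_EXE.search(e.get("source_image", ""))):
            findings.append(Finding(host, "remote_thread_injection",
                                    f'{e["source_image"]} -> {e.get("target_image", "?")}'))
        elif (kind == "ServiceInstall"
              and RANDOM_SERVICE.match(e.get("service_name", ""))
              and e["service_name"] not in KNOWN_SERVICES):
            findings.append(Finding(host, "random_service_install", e["service_name"]))
    return findings


def score_hosts(findings, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired, with the rules hit."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in rules_by_host.items() if len(r) >= threshold}


# Constructed sample telemetry (no real hosts, users or hashes).
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Local\qzkfhmtr.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "ws01", "event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\qzkfhmtr",
     "details": r"C:\Users\alice\AppData\Local\qzkfhmtr.exe"},
    {"host": "ws01", "event": "CreateRemoteThread",
     "source_image": r"C:\Users\alice\AppData\Local\qzkfhmtr.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    # Benign activity on ws02: installer-managed binary and a normal Run entry.
    {"host": "ws02", "event": "ProcessCreate",
     "image": r"C:\Users\bob\AppData\Local\Programs\slack\slack.exe"},
    {"host": "ws02", "event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    # A single suspicious service on srv01: worth a look, but only one rule fires.
    {"host": "srv01", "event": "ServiceInstall", "service_name": "wvhxdqpl",
     "image_path": r"C:\Windows\Temp\wvhxdqpl.exe"},
    {"host": "srv01", "event": "ServiceInstall", "service_name": "wuauserv",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule} ({f.evidence})")
    print("hosts needing triage:", score_hosts(found))
```

Each rule on its own is noisy (plenty of legitimate software lives under AppData, and short service names are common), which is why `score_hosts` only escalates a host once two different behaviours from the post are seen on it; the threshold and the allowlist are the two knobs to tune against your own environment's baseline.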

Emotet operates as Malware-as-a-Service, and its operators have hosted thousands of payloads in the past.

To find hashes of Emotet samples, use these websites:

  • MalwareBazaar | Malware sample exchange
  • MalShare
  • Free Automated Malware Analysis Service — powered by Falcon Sandbox
  • Valhalla YARA Rules — Valhalla

Here is a tool you can use to detect the presence of Emotet on your PC:

  • JPCERTCC/EmoCheck: Emotet detection tool for Windows OS

And here are some other resources where you can find a complete analysis of Emotet:

  • Threat Research Deep Analysis of New Emotet Variant — Part 1
  • Tactics of an “Emotet” malware. Overview | by Sachiel | Medium
  • neutrify analysis on new variant of emotet
  • The Banking Trojan Emotet: Detailed Analysis

Emotet Botnet Takedown:

  • https://www.europol.europa.eu/newsroom/news/world’s-most-dangerous-malware-emotet-disrupted-through-global-action
