forked from splunk/security_content
emotet_malware_dhs_report_ta18_201a.yml
name: Emotet Malware DHS Report TA18-201A
id: bb9f5ed2-916e-4364-bb6d-91c310efcf52
version: 1
date: '2020-01-27'
author: Bhavin Patel, Splunk
description: Detect rarely used executables, specific registry paths that may confer
  malware survivability and persistence, instances where cmd.exe is used to launch
  script interpreters, and other indicators that the Emotet financial malware has
  compromised your environment.
narrative: 'The trojan downloader known as Emotet first surfaced in 2014, when it
  was discovered targeting the banking industry to steal credentials. However, according
  to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A),
  Emotet has evolved far beyond those beginnings to become what a ThreatPost article
  called a threat-delivery service (see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For
  example, in early 2018, Emotet was found to be using its loader function to spread
  the Quakbot and ransomware variants.
  According to the TA, the malware continues to be among the most costly and destructive
  malware affecting the private and public sectors. Researchers have linked it to
  the threat group Mealybug, which has also been on the security community''s radar
  since 2014.
  The searches in this Analytic Story will help you find executables that are rarely
  used in your environment, specific registry paths that malware often uses to ensure
  survivability and persistence, instances where cmd.exe is used to launch script
  interpreters, and other indicators that Emotet or other malware has compromised
  your environment. '
references:
- https://www.us-cert.gov/ncas/alerts/TA18-201A
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
- https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html
tags:
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
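The narrative above names three indicator classes without showing the searches themselves. The following is an added example, not code from splunk/security_content or the story's own SPL: it implements those three checks (executables seen only rarely, writes under autorun registry keys, cmd.exe launching a script interpreter) in Python over a handful of constructed, Sysmon-shaped events. The interpreter list, the autorun key fragments, the host names and the file paths are all assumptions made for the illustration.

```python
"""Example detector for the indicator classes named in the analytic story.

Added illustration, not one of the searches in splunk/security_content. It runs
the three ideas from the narrative (rarely used executables, writes to autorun
registry paths, cmd.exe launching a script interpreter) over constructed,
Sysmon-shaped events so the logic can be exercised offline.
"""
from collections import Counter
from typing import Dict, List

Event = Dict[str, str]

# Script interpreters whose launch from cmd.exe the story calls out (assumed list).
SCRIPT_INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Autorun keys commonly used for persistence. Assumption: illustrative list,
# matched case-insensitively as a substring of the registry target path.
PERSISTENCE_KEY_FRAGMENTS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so a full path and a bare name compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _baseline() -> List[Event]:
    """Constructed benign activity: each workstation runs notepad and cmd from Explorer."""
    events: List[Event] = []
    for n in range(1, 6):
        host = f"ws{n:02d}"
        events.append({"type": "process", "host": host,
                       "parent": r"C:\Windows\explorer.exe",
                       "image": r"C:\Windows\System32\notepad.exe"})
        events.append({"type": "process", "host": host,
                       "parent": r"C:\Windows\explorer.exe",
                       "image": r"C:\Windows\System32\cmd.exe"})
    return events


# Constructed sample telemetry; hosts, users, SIDs and paths are made up.
SAMPLE_EVENTS: List[Event] = _baseline() + [
    # cmd.exe hands off to PowerShell: the "cmd.exe launches a script interpreter" pattern
    {"type": "process", "host": "ws01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # a binary seen nowhere else in the environment, running from a temp directory
    {"type": "process", "host": "ws03",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    # the same binary registers itself under the user's Run key
    {"type": "registry", "host": "ws03",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
]


def rare_executables(events: List[Event], max_count: int = 1) -> List[str]:
    """Executable names launched at most `max_count` times across all process events."""
    counts = Counter(basename(e["image"]) for e in events if e["type"] == "process")
    return sorted(name for name, c in counts.items() if c <= max_count)


def cmd_spawning_interpreters(events: List[Event]) -> List[Event]:
    """Process events where cmd.exe is the parent of a script interpreter."""
    return [e for e in events
            if e["type"] == "process"
            and basename(e["parent"]) == "cmd.exe"
            and basename(e["image"]) in SCRIPT_INTERPRETERS]


def persistence_registry_writes(events: List[Event]) -> List[Event]:
    """Registry events whose target sits under one of the autorun keys."""
    hits: List[Event] = []
    for e in events:
        if e["type"] != "registry":
            continue
        target = e["target"].lower()
        if any(frag in target for frag in PERSISTENCE_KEY_FRAGMENTS):
            hits.append(e)
    return hits


def run_detections(events: List[Event]) -> Dict[str, list]:
    """Run all three checks and return their findings keyed by indicator name."""
    return {
        "rare_executables": rare_executables(events),
        "cmd_launches_interpreter": cmd_spawning_interpreters(events),
        "autorun_registry_write": persistence_registry_writes(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

The frequency threshold in `rare_executables` is the part that needs tuning in a real environment: a count of one over a five-host sample flags PowerShell alongside the dropped binary, which is why the story pairs the rarity check with the more specific parent/child and registry indicators rather than relying on rarity alone.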