Try in Splunk Security Cloud

Description

Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email, Endpoint, Network_Traffic
  • Last Updated: 2020-01-27
  • Author: Bhavin Patel, Splunk
  • ID: bb9f5ed2-916e-4364-bb6d-91c310efcf52

Narrative

The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants.
According to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.
The searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment.

Detections

Name Technique Type
Detect Rare Executables   Anomaly
Detect Use of cmd exe to Launch Script Interpreters Windows Command Shell TTP
Detection of tools built by NirSoft Software Deployment Tools TTP
Email Attachments With Lots Of Spaces   Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder TTP
SMB Traffic Spike SMB/Windows Admin Shares Anomaly
SMB Traffic Spike - MLTK SMB/Windows Admin Shares Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment Anomaly

Reference

source | version: 1