In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet.
The post-exploitation started very soon after the initial compromise. The threat actors began enumerating the network once Emotet deployed a Cobalt Strike beacon on the beachhead host. After three days of discovery and lateral movement, the threat actors exfiltrated sensitive data using Rclone before leaving the network.
After a successful takedown thanks to Interpol and Eurojust efforts, Emotet was resurrected in November 2021 with the help of Trickbot malware. Since then, Emotet has been testing different initial access payloads while its developers were busy improving the core functionality of the actual malware. Since January 2022 we observed an increase in the activity of Cobalt Strike deployments following Emotet intrusions.
In a few weeks, we’ll have another Emotet report out from June, where the intrusion used similar TTPs and ended in ransomware.Dead or Alive? An Emotet Story – The DFIR Report
