This repository contains documents relating to a malware analysis conducted on 7/30/2020. The analysis was conducted for the purpose of finding correlations in attack patterns being observed against a specific target to see if any of the attacks are related.
- These samples were obtained via an email received from an infected mail account.
- The email account which sent the sample was trusted by the recipient.
- The email which contained the malicious attachment was a reply to a legitimate email thread between the two parties.
- The sender was notified and acknowledged that this account had been compromised.
- Emails from the compromised sender were targeted to all of his contacts, not just specific ones.
- All malicious samples have been removed and replaced with their hash values for security reasons.
- The machine used was Windows 7 Professional SP1 Build 7601 running on bare metal.
- The username used was TESTER.
- The hostname used was SANDBOX.
- All indicators of compromise detected were identified as belonging to the Emotet family of Trojans.
- Emotet is a versatile trojan initially designed for information theft that later evolved to adopt remote persistence, ransomware delivery, and botnet management features.
- Emotet propagates primarily through infected email attachments and phishing campaigns.
- I do not believe this campaign is part of an attack aimed at a specific organization.
- I believe the attackers are exploiting their position in low-level supply chain companies to send as many malicious emails as possible to as many companies as possible from a trusted source.
- I believe the attackers have access to legitimate, trusted email accounts and leverage this very well in subtle ways.
- The technological complexity of this campaign appears to be average.
- The social engineering complexity of this campaign appears to be well above average.
- This campaign primarily relies on human vulnerabilities to infect a target rather than technological vulnerabilities.
- Organizational commitment to training.
- Due diligence on an individual level.
- Communication and collaboration between vested parties when compromise is detected.
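As an added illustration (not part of the original analysis), the following Python script encodes the delivery pattern described above as a triage check: a reply inside an existing thread, from a sender already in the recipient's contacts, carrying an attachment. The sample message, the address book, and the attachment bytes are all constructed; attachments are recorded by SHA-256 only, in line with the repository's practice of keeping hashes instead of samples.

```python
import email
import email.utils
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed address book. "Trusted" means only "already a known contact";
# that prior trust is exactly what a compromised account lets the sender abuse.
KNOWN_CONTACTS = {"vendor@example-supplier.test"}


def build_sample(reply: bool = True) -> bytes:
    """Constructed message reproducing the observed delivery pattern."""
    msg = EmailMessage()
    msg["From"] = "Vendor Contact <vendor@example-supplier.test>"
    msg["To"] = "tester@sandbox.test"
    msg["Subject"] = "RE: delivery schedule" if reply else "delivery schedule"
    if reply:  # threading headers make it look like part of a real conversation
        msg["In-Reply-To"] = "<msg-1@sandbox.test>"
        msg["References"] = "<msg-1@sandbox.test>"
    msg.set_content("Please see the attached file.")
    # Placeholder bytes: real samples are not kept in this repository.
    msg.add_attachment(b"PLACEHOLDER", maintype="application",
                       subtype="octet-stream", filename="attachment.bin")
    return msg.as_bytes()


def triage(raw: bytes, contacts=KNOWN_CONTACTS) -> dict:
    """Return the signals that together match the thread-hijacking pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    # Record attachments by hash only, mirroring the repository's practice of
    # keeping hashes rather than the samples themselves.
    hashes = {
        part.get_filename(): hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
    }
    signals = {
        "from_known_contact": sender in contacts,
        "reply_in_existing_thread": in_thread,
        "has_attachment": bool(hashes),
    }
    # Each signal alone looks benign; it is the combination that reproduces
    # the campaign's delivery pattern and warrants sandboxing the attachment.
    signals["matches_thread_hijack_pattern"] = all(signals.values())
    signals["attachment_sha256"] = hashes
    return signals
```

Run `triage(build_sample())` to see the full signal dictionary for the constructed message; a message lacking any one of the three signals does not match.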