Emotet started life as a banking Trojan and has since grown into a modular loader that runs one of the largest botnets in operation; it is widely regarded as one of the most dangerous active malware families today.
In an alert published last year, the U.S. Department of Homeland Security described Emotet as "among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT)" governments. Emotet was extremely active in the first half of 2019, then went quiet for roughly two months (the prevailing theory is that the operators paused for maintenance and upgrades). Last week it re-emerged, with renewed spam activity spotted by Cofense researchers.
Our Security Research Team sees a steady stream of Emotet indicators of compromise, which is no surprise given how widespread the malware's activity is. In addition to the automated ThreatSTOP Emotet IOC feeds, the team picks Emotet indicators posted on sharing platforms and analyzes them in depth, both to confirm they are reliable and to hunt for related indicators: Emotet IOCs have frequently turned out to be tied to other malicious activity.
In May, an Emotet sample was analyzed and posted on Any Run, a malware analysis platform. The analysis was shared on Twitter by a team specializing in Emotet research and reached us via AlienVault's OTX, so our team chose to pivot on the IOCs listed in that sample analysis and found additional malicious indicators. In this use case we show how our analysts used free, publicly available analysis tools to investigate one IP from the Emotet reports: 108[.]179[.]217[.]238.
To start off, a simple search on VirusTotal shows that the IP is tied to a great deal of malicious activity: VirusTotal lists both files that were downloaded from the IP and samples that communicated with it during sandbox execution. Clicking each file node in the VT relations graph shows the malware family assigned to it, which in this case ranged from Emotet itself to the Valyria downloader.
Another useful feature of the VirusTotal relations graph is the related URLs. The graph displays the URLs that security vendors' engines have flagged as malicious, and pressing the "Show Node List" button in the left-side menu produces a convenient list of those URLs. For this IP, two domains appeared in the list that were not mentioned in the original reports: homedepot-managepayment[.]com and orders-dressbarn[.]com, the latter showing activity a few days before the reports were published.
Using the visual relations display on VirusTotal, our analysts surfaced two additional, previously unreported malicious domains in a matter of seconds. A simple search like this often yields many more indicators, which can in turn seed a deeper relations analysis. One caveat worth keeping in mind: an IP on shared hosting will also be related to plenty of benign sites, so before a pivoted domain goes into a blocklist it should be checked on its own (detection ratio, passive DNS history, and whether its activity overlaps in time with the original sample) rather than blocked purely on the strength of the shared IP.
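The pivot described above (IP to communicating and downloaded files to related URLs, then keeping only hosts that are not already in the report) can also be scripted against the VirusTotal v3 API, which exposes the same relationships the graph draws. The block below is an added example written for this post, not ThreatSTOP's or VirusTotal's own code. The `fetch_relationship` helper is the only part that touches the network; everything else runs on `SAMPLE_RELATIONS`, a constructed response shaped like VT's relationship objects. The two URL hosts in the sample are the domains named above, but the hashes, vote counts, threat labels and the `example.com` shared-hosting neighbour are placeholders, not real VirusTotal data.

```python
"""Pivot on a VirusTotal IP's relationships to surface domains not yet in a
known-IOC list. Added example; not ThreatSTOP's or VirusTotal's code."""
import json
import os
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"
# Relationships exposed on /ip_addresses/{ip}: the files that beaconed to the IP,
# the files served from it, and the URLs observed on it.
RELATIONSHIPS = ("communicating_files", "downloaded_files", "urls")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (108[.]179[.]217[.]238, hxxp://) back into a usable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(ioc: str) -> str:
    """Defang an indicator before it goes into a report or a chat channel."""
    return ioc.replace(".", "[.]").replace("http", "hxxp")


def fetch_relationship(ip: str, relationship: str, api_key: str, limit: int = 40) -> list:
    """GET /ip_addresses/{ip}/{relationship}; returns VT's 'data' list. Network only."""
    url = f"{VT_API}/ip_addresses/{refang(ip)}/{relationship}?limit={limit}"
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]


def malicious_votes(obj: dict) -> int:
    """Number of engines that flagged the object (0 if VT has no analysis for it)."""
    return obj.get("attributes", {}).get("last_analysis_stats", {}).get("malicious", 0)


def threat_label(obj: dict) -> str:
    """VT's consensus family label for a file object, e.g. 'trojan.emotet'."""
    classification = obj.get("attributes", {}).get("popular_threat_classification", {})
    return classification.get("suggested_threat_label", "unknown")


def host_of(obj: dict):
    """Host name carried by a VT url object (None for other object types)."""
    if obj.get("type") != "url":
        return None
    return urllib.parse.urlsplit(obj.get("attributes", {}).get("url", "")).hostname


def pivot(relations: dict, known_iocs: list, min_malicious: int = 3):
    """relations maps relationship name -> list of VT data objects.
    Returns (files, new_domains): files as (sha256, label, votes) tuples, and
    new_domains as a sorted list of defanged hosts that are not already known and
    that at least min_malicious engines flagged. The threshold is what keeps a
    shared-hosting neighbour with zero detections out of the blocklist."""
    known = {refang(i).lower() for i in known_iocs}
    files, domain_votes = [], {}
    for objs in relations.values():
        for obj in objs:
            if obj.get("type") == "file":
                files.append((obj["id"], threat_label(obj), malicious_votes(obj)))
                continue
            host = host_of(obj)
            if not host or host.lower() in known:
                continue
            host = host.lower()
            domain_votes[host] = max(domain_votes.get(host, 0), malicious_votes(obj))
    new_domains = sorted(defang(d) for d, v in domain_votes.items() if v >= min_malicious)
    return files, new_domains


# Constructed sample shaped like VT v3 relationship responses (placeholder values).
SAMPLE_RELATIONS = {
    "communicating_files": [
        {"type": "file", "id": "a" * 64,
         "attributes": {"last_analysis_stats": {"malicious": 41, "undetected": 20},
                        "popular_threat_classification": {"suggested_threat_label": "trojan.emotet"}}},
    ],
    "downloaded_files": [
        {"type": "file", "id": "b" * 64,
         "attributes": {"last_analysis_stats": {"malicious": 28, "undetected": 30},
                        "popular_threat_classification": {"suggested_threat_label": "downloader.valyria"}}},
    ],
    "urls": [
        {"type": "url", "id": "u1", "attributes": {"url": "http://homedepot-managepayment.com/",
                                                  "last_analysis_stats": {"malicious": 9, "harmless": 60}}},
        {"type": "url", "id": "u2", "attributes": {"url": "http://orders-dressbarn.com/",
                                                  "last_analysis_stats": {"malicious": 7, "harmless": 62}}},
        {"type": "url", "id": "u3", "attributes": {"url": "http://example.com/",
                                                  "last_analysis_stats": {"malicious": 0, "harmless": 70}}},
    ],
}
KNOWN_IOCS = ["108[.]179[.]217[.]238"]  # the IP from the original report

if __name__ == "__main__":
    ip, key = KNOWN_IOCS[0], os.environ.get("VT_API_KEY")
    relations = ({r: fetch_relationship(ip, r, key) for r in RELATIONSHIPS}
                 if key else SAMPLE_RELATIONS)
    files, new_domains = pivot(relations, KNOWN_IOCS)
    for sha256, label, votes in files:
        print(f"file {sha256[:16]}... {label} ({votes} engines)")
    print("new domains:", ", ".join(new_domains))
```

Run with `VT_API_KEY` set to query VirusTotal for the real relationships; without it the script runs on the constructed sample and reports the two domains from the post while dropping the zero-detection neighbour. Hosts that do clear the vote threshold still deserve the manual checks described above before they are blocked.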
Want to hear more about the tools and platforms mentioned in this use case?
Check out our previous posts in this series:
Part 1: Why use IOCs?
Part 2: Threat Exchanges and IOC Sharing
Part 3: Analyzing Threat Infrastructure
Want to see more IOC analysis use cases?
If you haven't yet, subscribe to our blog so you don't miss this series and other posts from our experts on all things cyber security. For more information about ThreatSTOP and proactively using threat intelligence, check us out below.