Incident Response Guide: Emotet Malware Loader

Incident Triage Steps

Within the first 30 minutes, your priority is to determine the scope of the infection and contain its spread. Emotet primarily propagates via malicious email campaigns, often using password-protected ZIP files or malicious Office documents with macros. It also spreads laterally through network shares using stolen credentials.

Immediate Actions:

1. Isolate the Initial System: Immediately disconnect the first reported or suspected host from the network, both wired and wireless. Emotet uses C2 communication and attempts to spread to other systems on the network.
2. Identify the Initial Vector: Check the user’s email client or webmail for the malicious email. Look for common Emotet lures: invoice-themed emails, shipping notifications, or COVID-19 related subjects. The payload is often a Word document prompting the user to “Enable Content” to execute malicious VBA macros.
3. Assess Scope of Compromise:
   • Query your SIEM platform and EDR solution for process creation events related to rundll32.exe, wscript.exe, cscript.exe, or powershell.exe with suspicious command-line arguments, especially those containing long strings of random characters or connecting to external IPs.
   • Search for network connections to known Emotet C2 IPs or domains. Emotet uses a large, rotating list. Check for outbound connections on ports 443, 8080, or 8443 to IPs with low reputation scores.
   • Review authentication logs on domain controllers for a spike in failed logins followed by successful logins from unusual workstations, indicating credential theft and lateral movement attempts.
4. Determine Data Exfiltration: Emotet’s primary role is as a loader, but it can download additional modules. Check for:
   • Large, unexpected outbound data transfers from infected hosts.
   • Connections to IP addresses associated with post-infraction traffic (e.g., TrickBot, QakBot, Ryuk) which are commonly deployed after Emotet.
   • Examine the infected system’s process memory (if a dump is taken) for strings containing harvested email threads, credentials, or browser data.

Evidence Collection

Before initiating containment or eradication, collect forensic evidence to understand the attack chain and ensure complete removal.

Collect from Initially Infected Host(s):

• Memory Dump: Acquire a full physical memory dump using a trusted, offline tool. Analyze for Emotet’s reflective DLL injection patterns and process hollowing (often into svchost.exe or explorer.exe).
• Volatile Data: Capture running processes (tasklist /v), network connections (netstat -anob), and scheduled tasks (schtasks /query /fo LIST /v). Emotet often creates scheduled tasks for persistence.
• File System Artifacts: Preserve these locations:
  • %AppData%, %LocalAppData%, and %ProgramData% for randomly named executable or DLL files (e.g., fjkewhn.exe).
  • %Temp% and %Windows%\Temp for dropped payloads and script files.
  • %UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\ for LNK files used in lateral movement.
• Registry Artifacts: Export these keys/hives:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SYSTEM\CurrentControlSet\Services\ (look for new, suspicious services)
  • Emotet may create Run keys or services with names mimicking legitimate software.
• Network Evidence: Export full packet captures (PCAP) from the infected segment, focusing on the first 24 hours of infection. Preserve proxy logs, DNS query logs, and firewall connection logs for all identified IOCs.

Containment Procedures

Containment aims to halt the spread while preserving evidence for eradication.

1. Network Segmentation:

   • Immediately segment off network segments containing infected hosts using VLAN ACLs or firewall rules. Block all traffic from these segments except for management access from your incident response jump host.
   • Disable Wi-Fi on infected hosts to prevent spread via wireless networks.

2. Credential Reset:

   • Scope: Reset passwords for all user accounts that have logged into a compromised system since the estimated time of infection. This is critical. Emotet harvests credentials from memory and the Windows Credential Manager.
   • Also reset credentials for associated service accounts and consider resetting Kerberos tickets (KRBTGT) if domain admin accounts are suspected to be compromised.

3. C2 and Propagation Blocking:

   • Update network intrusion prevention system (IPS) and firewall rules to block communication to all identified Emotet C2 IPs and domains. Subscribe to threat intelligence feeds for Emotet IOCs.
   • At the email gateway, block file types commonly associated with Emotet: .doc, .docm, .xls, .xlsm, and password-protected .zip files, or subject them to stringent sandbox analysis.
   • Temporarily disable Windows Management Instrumentation (WMI) and PsExec services on non-compromised hosts if these are being used for lateral movement, or heavily restrict their use via network policies.

Eradication and Recovery

Follow the detailed, step-by-step instructions in the Emotet Removal Guide for per-system cleanup. The general process is:

1. Complete Removal: Use the removal guide to systematically terminate malicious processes, delete persistent registry entries, and remove all dropped files and scheduled tasks. This must be performed on every infected host.
2. Restore from Backups: For critically infected systems or where removal is uncertain, rebuild from known-clean, offline backups. Ensure backups predate the initial infection. Do not reconnect restored systems until the network is declared clean.
3. Verify Clean State:
   • Re-scan all remediated systems with updated anti-malware tools and a dedicated EDR scan.
   • Monitor network traffic from remediated hosts for several days for any residual C2 callbacks.
   • Conduct a hunt for IOCs across the entire environment to ensure no systems were missed.

Lessons Learned Checklist

After eradication, conduct a formal post-incident review. Answer these questions specific to Emotet:

• Initial Infection Vector: Was the malicious email delivered due to a gap in email filtering (missing macro detection, missing ZIP analysis)? Did it bypass detection because it was a novel template?
• User Action: Did the user enable macros? Is macro execution blocked by policy, or was the policy circumvented? Is additional user training required?
• Control Failures:
  • Did the EDR solution fail to alert on the malicious rundll32 or powershell execution? Were behavioral detections for process injection disabled or not tuned?
  • Did network monitoring fail to alert on connections to known-bad IPs due to outdated threat intelligence feeds?
  • Were application allowlisting or macro-blocking policies not applied consistently?
• Detection Gaps: How long was Emotet present before detection? Were its lateral movement techniques (WMI, PsExec, stolen creds) logged and were those logs being monitored by the SIEM platform?
• Improvement Plan:
  • Implement Group Policy to disable Office macros from the internet.
  • Enforce strong application allowlisting policies.
  • Enhance monitoring for suspicious use of living-off-the-land binaries (LOLBAS) like rundll32.exe and powershell.exe.
  • Review and test credential theft detection rules (e.g., LSASS access).
  • Update and test the incident response plan based on this experience.

For more information on this threat, see the Emotet Overview. To proactively identify infections, review the Emotet Detection Guide.