{"id":135,"date":"2022-07-01T19:08:54","date_gmt":"2022-07-01T19:08:54","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=135"},"modified":"2022-07-01T19:08:54","modified_gmt":"2022-07-01T19:08:54","slug":"beware-of-emotet","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2022\/07\/01\/beware-of-emotet\/","title":{"rendered":"Beware of Emotet"},"content":{"rendered":"<h1>The origin of Emotet<\/h1>\n<p><em>Emotet<\/em>, also known as <em>Geodo<\/em> and <em>Heodo<\/em>, is a trojan aimed at all types of users, from ordinary users to corporate employees. <em>Emotet<\/em> is mainly distributed via MalSpam email campaigns. This malware was discovered in 2014, and its main functionality was to steal bank credentials; that is, it started as a banking trojan; however, over time, it evolved into a powerful Botnet, used as <em>Malware-as-a-Service (MaaS)<\/em><sub>[1]<\/sub>, to be the gateway for other types of malware such as <em>Ryuk<\/em><sub>[2]<\/sub> ransomware<sub>[3]<\/sub>, other Trojans such as <em>Trickbot<\/em><sub>[4]<\/sub>, <em>QakBot<\/em><sub>[5]<\/sub> and <em>Dridex<\/em><sub>[6]<\/sub>, or <em>Cobalt Strike<\/em><sub>[7]<\/sub> beacons.<\/p>\n<p>Based on various investigations, <em>Emotet<\/em> is attributed to the threat actors known as MUMMY SPIDER<sub>[8]<\/sub> (also identified as <em>TA542<\/em> or <em>Mealybug<\/em>), making it one of the most dangerous and most frequently distributed threats \u201c<em>In-the-wild<\/em><sub>[9]<\/sub>\u201d.<\/p>\n<p>Below is a timeline with an overview of <em>Emotet&#8217;s<\/em> evolution.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-392\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/timeline_en_emotet_blog_en.png\" alt=\"\" width=\"978\" height=\"1830\" \/><\/p>\n<p style=\"text-align: center;\">Figure 1 \u2013 Emotet timeline<\/p>\n<p>&nbsp;<\/p>\n<h1><strong>The Sophisticated Emotet Botnet and Epoch Sub 
Botnets<\/strong><\/h1>\n<p>As we mentioned before, <em>Emotet<\/em> evolved into a sophisticated <em>Botnet<\/em> made up of sub-groups or sub-botnets called <strong><em>\u201cEpochs\u201d<\/em><\/strong>. Each <em>Epoch<\/em> has its own C2 server infrastructure and distribution methods; segmenting the Botnet this way allows it to target different objectives with different payloads or to act as redundant infrastructure<sub>[10]<\/sub>.<\/p>\n<p>As of this writing, five <em>Emotet<\/em> sub-botnets are known, from <strong><em>Epoch 1<\/em><\/strong> to <strong><em>Epoch 5<\/em><\/strong>. According to recent research<sub>[11]<\/sub>, <strong>Epoch 1<\/strong>, <strong>Epoch 2<\/strong> and <strong>Epoch 3<\/strong> were observed before the <em>Emotet<\/em> takedown in early 2021; <strong><em>Epoch 4<\/em><\/strong> and <strong><em>Epoch 5<\/em><\/strong> were introduced after its revival in late 2021.<\/p>\n<p>It is essential to mention that the sub-botnet an <em>Emotet<\/em> sample belongs to can generally be identified by the public encryption keys contained in its C2 configuration. 
Although the <em>Emotet<\/em> artifacts of each <em>Epoch<\/em> store their configuration data in different formats, they all keep it in an encrypted &#8220;internal&#8221; <em>DLL<\/em> embedded in the <em>Emotet<\/em> executable payload.<\/p>\n<p>According to research carried out<sub>[12]<\/sub><sub>,<\/sub><sub>[13]<\/sub>, the <em>Epoch 1, 2<\/em>, and <em>3<\/em> sub-botnets can be identified because they use an embedded RSA (Rivest-Shamir-Adleman)<sub>[14]<\/sub> public key to encrypt the symmetric <em>AES (Advanced Encryption Standard)<\/em><sub>[15]<\/sub> key, which in turn is used to encrypt network traffic.<\/p>\n<p>On the other hand, the most recent sub-botnets <em>(Epoch 4 and Epoch 5)<\/em> use <em>Elliptic Curve Cryptography (ECC)<\/em> for asymmetric encryption: an embedded Elliptic Curve Diffie-Hellman (ECDH)<sub>[16]<\/sub> public key identified as <strong>ECK1<\/strong> is used for encryption, and an embedded Elliptic Curve Digital Signature Algorithm (ECDSA)<sub>[17]<\/sub> public key identified as <strong><em>ECS1<\/em><\/strong> is used to verify data.<\/p>\n<p>The way the <em>Emotet<\/em> Botnet is organized can make this threat difficult to track: research<sub>[18]<\/sub><sub>,<\/sub><sub>[19]<\/sub> has shown that bots belonging to <em>Emotet<\/em> can be moved from one <em>Epoch<\/em> to another, which also keeps the Botnet running if an <em>Epoch<\/em> is taken down or undergoing maintenance.<\/p>\n<h1><strong>Main features of <em>Emotet<\/em><\/strong><\/h1>\n<p>As mentioned above, <em>Emotet<\/em> is distributed via <em>MalSpam<\/em> campaigns using Word or Excel documents, malicious links, password-protected .zip files, or, more recently, <em>.lnk<\/em><sub>[20]<\/sub> files that download the payload.<\/p>\n<p>Phishing emails used to distribute <em>Emotet<\/em> can be plain or contain images of trademarks or logos of well-known companies together with 
related urgency messages, such as pending invoices or payments, authorizations, etc.<\/p>\n<p>On the other hand, since the discovery of <em>Emotet<\/em>, the use of different modules<sub>[21]<\/sub> has been identified, among which the following are the main ones:<\/p>\n<ul>\n<li><em>Main module<\/em>: can download other modules from a C2 server<\/li>\n<li><em>Spam module<\/em>: used to propagate <em>Emotet<\/em> by sending emails<\/li>\n<li><em>Credential Stealing Module<\/em>: used to steal credentials from web browsers and email clients using legitimate or malicious tools such as <em>Nirsoft<\/em> <em>Mail PassView<\/em>, <em>WebBrowser<\/em> <em>PassView<\/em>, and <em>NetPass<\/em>.<em>exe<\/em><\/li>\n<li><em>Spreader module<\/em>: used to enumerate network resources in order to spread to other computers; it also carries out brute force attacks using an encrypted list embedded in the <em>Emotet<\/em> code, copies the trojan to the network folders it was able to access, and configures a service on the remote system to run the malicious file<\/li>\n<li><em>Email Harvesting Module<\/em>: used to exfiltrate email content from infected computers<\/li>\n<li><em>Windows address book theft module<\/em>: used to extract the list of names and addresses of each identified profile, which is later shared with the spam module<\/li>\n<\/ul>\n<p>Moreover, <em>Emotet<\/em> can deliver additional malware to infected computers, such as <em>Cobalt Strike<\/em> beacons or the <em>IcedID<\/em><sub>[22]<\/sub>, <em>TrickBot<\/em> or <em>QakBot<\/em> banking trojans, which can in turn deploy other types of threats such as ransomware.<\/p>\n<p>It is essential to mention that <em>Emotet<\/em> used to have a banking module, which was in charge of intercepting web browser traffic to banking institutions to steal the data sent by the victim, and a module to carry out <em>DDoS attacks<\/em>; however, based on public investigations<sub>[23]<\/sub>, these modules are no longer active in 
the latest versions of <em>Emotet<\/em>.<\/p>\n<h1><strong>Attack Flow<\/strong><\/h1>\n<p>As we have mentioned throughout the article, <em>Emotet<\/em> has different versions and <em>sub-botnets<\/em>. This threat is constantly evolving; the attack flow may vary; however, below is an overview diagram of a common <em>Emotet<\/em> attack.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-393\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/attack_flow_emotet_en.png\" alt=\"Attack flow \" width=\"1356\" height=\"772\" \/><\/p>\n<p style=\"text-align: center;\">Figure 2 \u2013 Attack Flow<\/p>\n<p>&nbsp;<\/p>\n<h1><strong>Key points that could help identify a potential Emotet phishing email<\/strong><\/h1>\n<p><em>Emotet<\/em> can be distributed using multiple pretexts in phishing emails; however, a few points to consider can help identify a potential <em>Emotet<\/em> campaign email.<\/p>\n<p><strong>Email subjects<\/strong><\/p>\n<ul>\n<li><em>&#8220;Payment Remittance Advice&#8221;<\/em><\/li>\n<li><em>&#8220;<\/em><em>Overdue invoice<\/em><em>&#8220;<\/em><\/li>\n<li><em>&#8220;Please see attached&#8221;<\/em><\/li>\n<li><em>&#8220;Click here to view a file&#8221;<\/em><\/li>\n<li><em>&#8220;I have attached this file for your review&#8221;<\/em><\/li>\n<li><em>&#8220;Your Invoice&#8221;<\/em><\/li>\n<li><em>&#8220;Payment Details&#8221;<\/em><\/li>\n<li><em>&#8220;Buona Pasqua, happy easter&#8221;<\/em><\/li>\n<li><em>&#8220;Informaci\u00f3n de pago de [Empresa X]&#8221;<\/em><\/li>\n<li><em>&#8220;Notificaci\u00f3n de pago&#8221;<\/em><\/li>\n<li><em>&#8220;Transacci\u00f3n de su factura&#8221;<\/em><\/li>\n<li><em>&#8220;Pago vencido&#8221;<\/em><\/li>\n<li><em>&#8220;Facturas pagadas&#8221;<\/em><\/li>\n<li><em>&#8220;Factura de venta&#8221;<\/em><\/li>\n<li><em>&#8220;Actualizaci\u00f3n de estado&#8221;<\/em><\/li>\n<li><em>&#8220;Documento necesario&#8221;<\/em><\/li>\n<li><em>&#8220;Nuevo 
pedido&#8221;<\/em><\/li>\n<li><em>&#8220;Recibo de su factura&#8221;<\/em><\/li>\n<li><em>&#8220;Adjunto &#8230;&#8221;<\/em><\/li>\n<li><em>&#8220;Perfecto!&#8221;<\/em><\/li>\n<li><em>&#8220;Se adjunta documentaci\u00f3n para la firma&#8221;<\/em><\/li>\n<li><em>&#8220;Seg\u00fan la conversaci\u00f3n mantenida te adjunto la informaci\u00f3n&#8221;<\/em><\/li>\n<\/ul>\n<p>It is important to mention that, although these subjects have been identified in <em>Emotet<\/em> campaigns, they are not the only ones, and the emails may even have no subject at all. Another point to consider is the delivery formats through which, based on our telemetry, <em>Emotet<\/em> has been observed to be distributed:<\/p>\n<ul>\n<li>Microsoft Word or Excel documents with embedded macros<\/li>\n<li>PDF with malicious Microsoft Word or Excel document download links<\/li>\n<li>PDF with download links to ZIP files containing Microsoft Word or Excel files<\/li>\n<li>Password-protected ZIP archives containing Microsoft Word or Excel files<\/li>\n<li>Malicious Microsoft Word or Excel document download URLs<\/li>\n<li>Download URLs for ZIP files containing Microsoft Word or Excel files<\/li>\n<\/ul>\n<p>In the latest campaigns analyzed by SCILabs, we observed that the most frequent vector was the receipt of Microsoft Word or Excel documents; once the user enables the execution of macros, the threat runs and starts the infection chain. 
Here are some email and document templates observed in SCILabs research.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-388\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/img_emotet_1.png\" alt=\"Emotet phishing\" width=\"1042\" height=\"818\" \/><\/p>\n<p style=\"text-align: center;\">Figure 3 &#8211; Emotet email templates (I)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-387\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/img_emotet_2.png\" alt=\"Emotet II\" width=\"1367\" height=\"564\" \/><\/p>\n<p style=\"text-align: center;\">Figure 4 &#8211; Emotet email templates (II)<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-386\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/img_emotet_3.png\" alt=\"Emotet Word\" width=\"1102\" height=\"514\" \/><\/p>\n<p style=\"text-align: center;\">Figure 5 &#8211; Emotet Word template<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-385\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/img_emotet_4.png\" alt=\"Emotet Excel I\" width=\"1353\" height=\"346\" \/><\/p>\n<p style=\"text-align: center;\">Figure 6 &#8211; Emotet Excel template (I)<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-384\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/img_emotet_5.png\" alt=\"Emotet Excel II\" width=\"1314\" height=\"265\" \/><\/p>\n<p style=\"text-align: center;\">Figure 7 &#8211; Emotet Excel template (II)<\/p>\n<p>SCILabs believes that, due to <em>Microsoft&#8217;s<\/em> decision to disable <em>Microsoft Office<\/em> macros by default, attackers have chosen to use other techniques to distribute <em>Emotet<\/em>. 
As we mentioned before, we have begun to observe the distribution of this threat through <em>.lnk<\/em> shortcut files that directly execute <em>PowerShell<\/em> or <em>CMD<\/em> commands to download <em>Emotet<\/em>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-383\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/img_emotet_6.png\" alt=\"Emotet lnk\" width=\"708\" height=\"486\" \/><\/p>\n<p style=\"text-align: center;\">Figure 8 &#8211; Properties of a <em>.lnk<\/em> file with direct execution of <em>PowerShell<\/em><\/p>\n<p><strong>Why is Emotet so dangerous?<\/strong><\/p>\n<p><em>Emotet<\/em> is a threat that is constantly improving its capabilities, with a highly versatile infrastructure distributed all over the world, which makes it challenging to eradicate; in addition, as we mentioned before, <em>Emotet<\/em> operates as <em>Malware as a Service (MaaS)<\/em>, which means it serves as the entry point for more dangerous threats like ransomware.<\/p>\n<p><em>Emotet<\/em> could be used as an entry point by other, more dangerous threats such as the <strong><em>Conti<\/em><\/strong> or <strong><em>Ryuk<\/em><\/strong> ransomware families.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-389\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2022\/06\/emotet_como_base_en_la_cadena_de_infeccion.png\" alt=\"Emotet Infecci\u00f3n\" width=\"1147\" height=\"814\" \/><\/p>\n<p style=\"text-align: center;\">Figure 9 &#8211; Emotet as a base in the infection chain<\/p>\n<h1><a name=\"_Toc80195004\"><\/a>Conclusion<\/h1>\n<p><em>Emotet<\/em> is a dangerous threat due to its modularity and extensive distributed infrastructure. 
The campaigns used to distribute this threat, and the improvements to its distribution chain, are designed to evade as many security solutions as possible, as can be seen in techniques such as executing PowerShell commands through <strong><em>\u201c.lnk\u201d<\/em><\/strong> shortcut files.<\/p>\n<p>Based on our telemetry, SCILabs believes that <em>Emotet<\/em> will continue to be very active, especially in LATAM, in many cases due to the lack of awareness campaigns in organizations in the region and the lack of security solutions that rely not only on signatures but also on machine-learning-based behavior patterns for the timely detection of this type of threat.<\/p>\n<p>Another point to consider is the trust between email accounts that is abused to distribute the trojan: <em>Emotet<\/em> can steal victims&#8217; email accounts <em>(Business Email Compromise, BEC)<\/em> and use them to forward malware from the compromised account to the victim\u2019s contacts.<\/p>\n<p>Although <em>Emotet<\/em> is a well-known and extensively analyzed threat, organizations must remain aware of this type of threat and have the necessary measures in place, such as policies on the correct use of email, regular awareness campaigns, security solutions such as <em>EDR<\/em> on all the organization&#8217;s <em>EndPoints<\/em>, and constant threat hunting activities, in order to identify malware attacks in time and minimize the risk of more dangerous attacks delivered through <em>Emotet<\/em>.<\/p>\n<h1>Recommendations<\/h1>\n<ul>\n<li>Change the passwords of email accounts you suspect have been used to send phishing emails.<\/li>\n<li>If possible, block emails with password-protected .zip file attachments in your anti-spam solution and only enable exceptions as required.<\/li>\n<li>If you believe you have been a victim of <em>Emotet<\/em>, use the <em>EmoCheck<\/em><sub>[24]<\/sub> application to check for activity on Windows systems as a supplemental 
aid.<\/li>\n<li>Check whether your email address or domain appears in the <em>Emotet<\/em> spam database using the <em>HaveIBeenEmotet<\/em><sub>[25]<\/sub> service.<\/li>\n<li>Enable multi-factor authentication for your personal and corporate email accounts and for any operational applications that support it.<\/li>\n<li>Avoid using the same password for different websites or email providers; use strong passwords and update them regularly.<\/li>\n<li>When storing passwords, use a password management application obtained from an official source.<\/li>\n<li>Carefully review the sender of the emails you receive to validate that the sender&#8217;s name or email address is not being spoofed; when in doubt, carry out a second validation, preferably by calling the sender by phone.<\/li>\n<li>When you need to access an application, page, or service, always do so from the organization&#8217;s official page or by typing the corresponding web address yourself.<\/li>\n<li>If the email contains a link, verify that the web address legitimately belongs to the related service. Generally, official pages begin with &#8220;HTTPS:\/\/,&#8221; which indicates that the transmission of information is encrypted. By clicking on the padlock icon usually located on the left side of the browser&#8217;s address bar, you can check the validity of the digital certificate and obtain information about the identity of the site you are accessing.<\/li>\n<li>Do not download or open files from untrusted or unofficial sources. Those files may contain malware or other harmful software that could allow an attacker to access your computer and any information you store or enter on it.<\/li>\n<li>Keep the software on your devices up to date. 
Install security updates for your operating system and all the applications you use, especially your antivirus products or <em>EDR<\/em> solutions, your web browser, and your email client.<\/li>\n<li>When you receive suspicious emails from unknown senders asking for personal or financial information, do not reply.<\/li>\n<li>Stay current on the most common techniques attackers use to distribute malware.<\/li>\n<li>Constantly run awareness campaigns at all levels of the organization about the social engineering techniques used by cybercriminals to distribute malware.<\/li>\n<li>Establish a process within your organization that allows all operational staff to know how and with whom to directly and immediately report any suspicious email or derived malicious activity.<\/li>\n<\/ul>\n<h1>IoCs<\/h1>\n<h1>References<\/h1>\n<p>[1] https:\/\/success.trendmicro.com\/dcx\/s\/solution\/1118391-malware-awareness-emotet-resurgence<br \/>\n[2] https:\/\/www.cybereason.com\/blog\/research\/one-two-punch-emotet-trickbot-and-ryuk-steal-then-ransom-data<br 
\/>\n[3] https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-botnet-comeback-orchestrated-by-conti-ransomware-gang\/<br \/>\n[4] https:\/\/www.cybereason.com\/blog\/research\/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware<br \/>\n[5] https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-botnet-is-now-heavily-spreading-qakbot-malware\/<br \/>\n[6] https:\/\/nakedsecurity.sophos.com\/2017\/08\/10\/watch-out-for-emotet-the-trojan-thats-nearly-a-worm\/<br \/>\n[7] https:\/\/duo.com\/decipher\/emotet-shifts-gears-drops-cobalt-strikedirectly<br \/>\n[8] https:\/\/malpedia.caad.fkie.fraunhofer.de\/actor\/mummy_spider<br \/>\n[9] https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/in-the-wild<br \/>\n[10] https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-trojan-evolves-since-being-reawakend-here-is-what-we-know\/<br \/>\n[11] https:\/\/blogs.vmware.com\/security\/2022\/03\/emotet-c2-configuration-extraction-and-analysis.html<br \/>\n[12] https:\/\/intel471.com\/blog\/emotet-returns-december-2021<br \/>\n[13] https:\/\/blogs.vmware.com\/security\/2022\/03\/emotet-c2-configuration-extraction-and-analysis.html<br \/>\n[14] https:\/\/jryancanty.medium.com\/understanding-cryptography-with-rsa-74721350331f<br \/>\n[15] https:\/\/medium.com\/swlh\/an-introduction-to-the-advanced-encryption-standard-aes-d7b72cc8de97<br \/>\n[16] https:\/\/medium.com\/swlh\/understanding-ec-diffie-hellman-9c07be338d4a<br \/>\n[17] https:\/\/medium.com\/coinmonks\/ecdsa-the-art-of-cryptographic-signatures-d0bb254c8b96<br \/>\n[18] https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-trojan-evolves-since-being-reawakend-here-is-what-we-know\/<br \/>\n[19] https:\/\/blogs.vmware.com\/security\/2022\/03\/emotet-c2-configuration-extraction-and-analysis.html<br \/>\n[20] https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files\/<br \/>\n[21] 
https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/threat-actor-profile-ta542-banker-malware-distribution-service<br \/>\n[22] https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/evolution-emotet-trojan-distributor<br \/>\n[23] https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/threat-actor-profile-ta542-banker-malware-distribution-service<br \/>\n[24] https:\/\/github.com\/JPCERTCC\/EmoCheck<br \/>\n[25] https:\/\/www.haveibeenemotet.com\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The origin of Emotet Emotet, also known as Geodo and Heodo, is a trojan aimed at all types of users,<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[10,15],"class_list":["post-135","post","type-post","status-publish","format-standard","hentry","category-malware","tag-botnet","tag-malware"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=135"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/135\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}