Malspam spreading Emotet uses different techniques to distribute these Word documents. Screenshot of a Word document used to cause an Emotet infection in January 2021. The critical step in an Emotet infection chain is a Microsoft Word document with macros designed to infect a vulnerable Windows host. Emotet is commonly distributed through malicious spam (malspam) emails. To understand network traffic caused by Emotet, you must first understand the chain of events leading to an infection. If possible, we recommend you review these pcaps in a non-Windows environment like BSD, Linux or macOS. There is a risk of infection if using a Windows computer.
Warning: Some of the pcaps used for this tutorial contain Windows-based malware. You will need to access a GitHub repository with ZIP archives containing the pcaps used for this tutorial.
Note: These instructions assume you have customized Wireshark as described in our previous Wireshark tutorial about customizing the column display. Today’s Wireshark tutorial reviews recent Emotet activity and provides some helpful tips on identifying this malware based on traffic analysis. It has since evolved with additional functions such as a dropper, distributing other malware families like Gootkit, IcedID, Qakbot and Trickbot. Familiarity with Wireshark is necessary to understand this tutorial, which focuses on Wireshark version 3.x.Įmotet is an information-stealer first reported in 2014 as banking malware. This tutorial is designed for security professionals who investigate suspicious network activity and review packet captures (pcaps).
0 kommentar(er)
