MUMMY SPIDER  (Back to overview)

aka: TA542, Mummy Spider

MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture. MUMMY SPIDER does not follow typical criminal behavioral patterns. In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version. After a 10 month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot. MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operate


Associated Families
win.emotet

References
1 http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1
1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/
1 https://adalogics.com/blog/the-state-of-advanced-code-injections
1 https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html
1 https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html
1 https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/
1 https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
1 https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
1 https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
1 https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc
1 https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/
1 https://feodotracker.abuse.ch/?filter=version_e
1 https://github.com/d00rt/emotet_research
1 https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol
1 https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/
1 https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/
1 https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/
1 https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69
1 https://paste.cryptolaemus.com
1 https://persianov.net/emotet-malware-analysis-part-1
1 https://persianov.net/emotet-malware-analysis-part-2
1 https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack
1 https://research.checkpoint.com/emotet-tricky-trojan-git-clones/
1 https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/
1 https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/
1 https://www.cert.pl/en/news/single/analysis-of-emotet-v4/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
1 https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
1 https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader
1 https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html
1 https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html
1 https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus
1 https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
1 https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/
1 https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html
1 https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
1 https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage
1 https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/
1 https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
1 https://www.us-cert.gov/ncas/alerts/TA18-201A
1 https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/

Credits: MISP Project