ETDA ThaiCERT
Report
Search
Home > List all groups > Mummy Spider, TA542

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Other threat group: Mummy Spider, TA542

NamesMummy Spider (CrowdStrike)
TA542 (Proofpoint)
ATK 104 (Thales)
Mealybug (Symantec)
Country[Unknown]
MotivationFinancial crime
First seen2014
Description(Crowdstrike) Mummy Spider is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, Mummy Spider swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.

Mummy Spider does not follow typical criminal behavioral patterns. In particular, Mummy Spider usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version.

After a 10 month hiatus, Mummy Spider returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot.

Mummy Spider advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operated solely for use by Mummy Spider or with a small trusted group of customers.

Emotet has been observed to distribute BokBot (Lunar Spider), Dridex (Indrik Spider), DoppelPaymer (Doppel Spider), Zeus Panda (Bamboo Spider, TA544) and Trickbot (Wizard Spider, Gold Blackburn), as well as QakBot.
ObservedSectors: Defense, Energy, Financial, Government, Healthcare, Manufacturing, Retail, Shipping and Logistics, Utilities, Technology.
Countries: Worldwide.
Tools usedEmotet.
Operations performedAug 2017While the earlier variants of EMOTET primarily targeted the banking sector, our Smart Protection Network (SPN) data reveals that this time, the malware isn’t being picky about the industries it chooses to attack. The affected companies come from different industries, including manufacturing, food and beverage, and healthcare. Again, it is possible that due to the nature of its distribution, EMOTET now has a wider scope.
<https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/>
Oct 2018Emotet Awakens With New Campaign of Mass Email Exfiltration
<https://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/>
Nov 2018According to our telemetry, the latest Emotet activity was launched on November 5, 2018, following a period of low activity. Figure 1 shows a spike in the Emotet detection rate in the beginning of November 2018, as seen in our telemetry data.
<https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/>
<https://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/>
Nov 2018Secret Service Investigates Breach at U.S. Govt IT Contractor
<https://krebsonsecurity.com/2019/09/secret-service-investigates-breach-at-u-s-govt-it-contractor/>
Jan 2019Between January 1, 2019, to May 1, 2019, threat actors conducted thousands of malicious email campaigns, hundreds of which were sent to Canadian organizations. While discussions of threats in this region often focus on “North America” generally or just the United States, nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences.
<https://www.proofpoint.com/us/threat-insight/post/beyond-north-america-threat-actors-target-canada-specifically>
Apr 2019Beginning the morning of April 9th, the Emotet gang began utilizing what appears to be the stolen emails of their victims. It was noted back in October of 2018 that a new module was added that could steal the email content on a victim’s machine.
<https://cofense.com/emotet-gang-switches-highly-customized-templates-utilizing-stolen-email-content-victims/>
Sep 2019Emotet is back after a summer break
<https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html>
<https://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/>
Dec 2019The city of Frankfurt, Germany, became the latest victim of Emotet after an infection forced it to close its IT network. But the financial center wasn’t the only area that was targeted by Emotet, as there were also incidents that occurred in Gießen and Bad Homburg, a town and a city north of Frankfurt, respectively, as well as in Freiburg, a city in southwest Germany.
<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-attack-causes-shutdown-of-frankfurt-s-it-network>
Jan 2020Threat actor group TA542, the group that’s behind Emotet, is back from their Christmas holiday. Based on past activity and what we’re seeing in just three days, one of the world’s most disruptive threats is back to work and everyone around the world should take note and implement steps to protect themselves.
<https://www.proofpoint.com/us/corporate-blog/post/emotet-returns-after-holiday-break-major-campaigns>
<https://blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html>
Jan 2020Pretending to be the Permanent Mission of Norway, the Emotet operators performed a targeted phishing attack against email addresses associated with users at the United Nations.
<https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/>
Jan 2020EMOTET Uses Corona Virus Outbreak in New Spam Campaign
<https://www.trendmicro.com/vinfo/th/threat-encyclopedia/spam/3682/emotet-uses-corona-virus-outbreak-in-new-spam-campaign>
Feb 2020Emotet Evolves With new Wi-Fi Spreader
<https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/>
Feb 2020Emotet SMiShing Uses Fake Bank Domains in Targeted Attacks, Payloads Hint at TrickBot Connection
<https://securityintelligence.com/posts/emotet-smishing-uses-fake-bank-domains-in-targeted-attacks-payloads-hint-at-trickbot-connection/>
Mar 2020Emotet Wi-Fi Spreader Upgraded
<https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/>
Jun 2020Emotet malware now steals your email attachments to attack contacts
<https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/>
Jul 2020It was never a question of “if” but “when”. After five months of absence, the dreaded Emotet has returned. Following several false alarms over the last few weeks, a spam campaign was first spotted on July 13 showing signs of a likely comeback.
<https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/>
Jul 2020Researchers tracking Emotet botnet noticed that the malware started to push QakBot banking trojan at an unusually high rate, replacing the longtime TrickBot payload.
<https://www.bleepingcomputer.com/news/security/emotet-botnet-is-now-heavily-spreading-qakbot-malware/>
Aug 2020Emotet malware strikes U.S. businesses with COVID-19 spam
<https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/>
Aug 2020Emotet strikes Quebec’s Department of Justice
<https://www.welivesecurity.com/2020/09/16/emotet-quebec-department-justice-eset/>
Aug 2020Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails.
<https://us-cert.cisa.gov/ncas/alerts/aa20-280a>
Oct 2020On October 1, 2020, we observed thousands of Emotet email messages with the subject “Team Blue Take Action” sent to hundreds of organizations in the US. The message body is taken directly from a page on the Democratic National Committee's website, with the addition of a line requesting that the recipient open the attached document.
<https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures>
Oct 2020New Emotet attacks use fake Windows Update lures
<https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lures/>
Counter operationsJul 2020A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs
<https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/>
Information<https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/>
<https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf>
<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/>
<https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service>
<https://www.malwarebytes.com/emotet/>
<https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor>
<https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/>

Last change to this card: 19 October 2020

Download this actor card in PDF or JSON format

Previous: Monty Spider
Next: Narwhal Spider

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key