ATK104 (aka: MUMMY SPIDER) is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo.
First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.
MUMMY SPIDER does not follow typical criminal behavioral patterns. In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, then returns with a new variant or version. After a 10-month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016. The latest variant, however, is not deploying a banking Trojan module with web injects; it is currently acting as a ‘loader’ that delivers other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients, and provide a spam plugin for self-propagation. The malware also issues commands to download and execute other malware families, such as the banking Trojans Dridex and Qakbot.
MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operated solely for use by MUMMY SPIDER or with a small trusted group of customers.
The group is composed of competent personnel, and Emotet is regularly regarded as one of the most threatening malware families for businesses.
The group seems to have an interesting interaction with ATK103 (TA505). TA505 is a financially motivated group that has been active since 2014 and appears to be of Russian origin. It is a significant part of the email threat landscape and is responsible for large malicious spam campaigns, mostly distributing the Dridex and TrickBot banking Trojans and the Locky and Jaff ransomware families, among others. TA505 uses the Necurs botnet to drive these campaigns. It is highly adaptable, often changes its malware and techniques, regularly uses off-the-shelf malware, and operates on a massive scale.
Since March 2018, ATK103 has been observed using the FlawedAmmyy RAT, a variant of the leaked AmmyyAdmin 3 remote administration tool. The use of such tools suggests that this actor is willing to switch from large spam campaigns to more targeted attacks.
First, TrickBot is probably the malware most frequently distributed by Emotet, and it has been distributed nearly every day since September 2018. The links were rather tenuous, however, and TrickBot was just another malware dropped by Emotet until September 2019. At the beginning of June 2019 the group took a break, which lasted until September 16, 2019. The group, as previously mentioned, came back with a new infrastructure zone (Epoch 3).
Since that date, every time a TrickBot sample is deployed via Emotet (currently, nearly every day) its tag (an identifier added to every build of TrickBot) follows a specific pattern, whereas previous distribution tags were seemingly random. This hints at closer cooperation between the ATK103 group and Emotet. Moreover, on September 18, 2019 the group introduced a new loader. This loader, which is larger, shares some code with the TrickBot loader.
This might mean that the group used its summer break to strengthen its relationship with ATK103. Deploying the group’s malware in a privileged way is one thing, but potentially sharing code is another.
On 27 January 2021 Europol announced that the infrastructure of the Emotet network had been neutralised through a multilateral police operation.