(SAMPLE) Hunting Emotet - Current Intelligence Report
Hunting Emotet
Date of information 11/08/2018
Threat Analysis
Background
Emotet is an advanced, modular banking trojan that primarily functions as a downloader or
dropper of other banking trojans. Emotet operators are not selective about targeting a
specific industry or region and instead spread without discretion. The malware operators
appear more interested in leveraging large volumes of infection to generate profit.
Emotet (Intelligence Card) was originally identified as a new banking trojan in 2014 and is
often referred to as Geodo. The malware was the product of natural evolution from the
Feodo (sometimes called Cridex or Bugat) banking trojan, which spawned other offspring.
In the past 12 months, it evolved from a standalone threat into a distributor of other
trojans, with numerous large campaigns taking place over the summer of 2018. The
malware is unique in that it employs a litany of open source libraries and code, enough to
title a folder in its code directory as “Open Source.” A number of Emotet modules
incorporate utilities developed by Nirsoft to scrape and gather passwords on the victim
machine.
In the last year, Emotet has been acting as spam-sending malware that infects target
systems and then loads other malware families onto the host. The infected hosts that
distribute spam and occasionally act as proxies for the command and control servers form a
decentralized network, making it difficult for defenders to block at their perimeter.
Victimology
Recorded Future found no distinct pattern in Emotet targeting, with 22 distinct industries
being found in victimology of the malware in the last year. Emotet operators have interest
in selling access to infected hosts or to the botnet at large to spread other malware, rather
than monetizing the infections themselves. Emotet’s distribution of other malware appears
to be more targeted geographically, based on the interest of those operators.
Affiliated and Associated Malware
Although Emotet can operate as a standalone banking trojan, its operators often lend its
spam sending and downloader capabilities to other malware families for distribution. The
following malware are commonly distributed via Emotet, according to Recorded Future
data. These trojans are listed in order of their co-occurrences with the Emotet malware
family.
Emotet & Associated Malware, via Recorded Future
TrickBot
Emotet has been consistently observed delivering the TrickBot (Intelligence Card) banking
trojan. Considered to be the successor to the infamous Dyre banking trojan (Intelligence
Card), TrickBot leverages multiple attack vectors including redirection attacks and
webinjects to attempt to steal information from financial institutions and initiate fraudulent
wire transfers. Operators of the Dyre banking trojan were previously associated with an
advanced threat campaign dubbed Carbanak that leveraged a variant of malware of the
same name to steal data from financial institutions. Over the past two years, the only group
of note that Recorded Future has observed utilizing TrickBot is the group of actors known
as TA505 (Intelligence Card). The group may have collaborated with Emotet operators to
distribute the banking trojans in tandem, according to reports released in July and August
2018 from Palo Alto and Cofense, respectively. TrickBot continues to be distributed with
Emotet, with the latest observation coming on November 6, 2018 from Malware Traffic
Analysis.
Zeus Panda Banker
Panda Banker (Intelligence Card), a variant of the Zeus banking trojan (Intelligence Card), is
delivered using Emotet. The attack appears in the form of a malspam phishing campaign
that uses weaponized Microsoft documents to deploy the payload. Zeus Panda used
Emotet distribution to target financial institutions and video streaming services in Japan.
Other primary targets were organizations from the United States and Canada.
IcedID
Researchers with IBM's X-Force team have discovered a new banking trojan, IcedID, which
they state first became active in September 2017. IcedID (Intelligence Card) possesses
functions similar to those from other well-known and dangerous banking trojans. IcedID
has been observed targeting diverse entities in or related to the US finance industry,
including banks, payroll divisions, and payment card providers. The malware has
additionally targeted mobile service providers, as well as webmail and e-commerce sites.
IcedID is spread via malicious spam, dropped by the Emotet trojan. An IcedID campaign
observed in late October 2017 used four C2 servers, two of them in Russia, one in
Amsterdam, and one in Canada. Combined with the malware's targeting history, we
suspect that IcedID's operators are located in Europe or North America, but at the time of
this writing have no other indicators to come to a more specific conclusion.
Qakbot
QakBot, sometimes called BASHLITE or QBot (Intelligence Card), is malware that
primarily infects Linux systems in order to launch DDoS attacks by creating botnets of
Internet of Things devices, according to Trend Micro reporting. The victims are mostly
residential users, but also gaming platforms and websites. The majority of the attacks are
UDP and TCP floods, although HTTP attacks are observed as well. The botnet has been
abused by the Lizard Squad threat actor group (Intelligence Card). The malware strain is
largely considered a precursor to the much more prolific Mirai malware.
Dridex
Dridex (Intelligence Card) was first observed in July 2014 and, according to Flashpoint
Intelligence, is considered the successor to GameOver ZeuS. Like other banking trojans,
Dridex utilizes a peer-to-peer architecture to evade detection or monitoring from law
enforcement. The trojan was most active between 2014 and 2015, prior to its heavy
distribution via Emotet in 2018.
AZORult
The AZORult trojan (Intelligence Card) is a common banking trojan that harvests and
exfiltrates data from the compromised system. The malware is commonly peddled on dark
web forums, and was previously distributed by exploit kits or malvertising, but was
observed to be distributed in the Emotet-IcedID campaign in September 2018.
Technical Analysis
Emotet is a sophisticated malware, offering operators a number of evasion techniques, as
well as different methods of spreading, and a large number of capabilities to generate
revenue for criminal users. This section will look at tools used for delivery and lateral
movement to infect hosts, then will address modules of interest, followed by an
assessment of Emotet’s command and control communications. Finally, technical patterns
of infection and persistence locations will be discussed, so that defenders may be able to
identify lurking infections.
This technical information comes from Recorded Future behavioural analysis and
inspection of the samples, along with aggregated analysis from US-CERT, CERT Polska,
Barkly, Kryptos Logic, CheckPoint, Bromium, Fidelis Security, and Malwarebytes.
Delivery
Emotet is commonly delivered via malicious spam emails, although it maintains other
methods to introduce itself to a victim environment. The email can take multiple forms,
most commonly using an attached Word or Excel document to exploit vulnerabilities in
Microsoft Office to download Emotet. This includes documents that contain PowerShell
commands, exploiting CVE-2017-11882 (Intelligence Card) via poisoned RTF documents, or
an embedded link to a malicious URL. Carbon Black found a campaign from June 2018
that sent Word documents containing obfuscated VBScript that invokes PowerShell
commands.
The email subjects often center around a requested payment or invoice or a delivery
notification for tracking shipments. These emails can be sent from spoofed addresses, but
are often not, relying on volume to generate new infections. The non-use of typosquatted
domains or email addresses allows Emotet to distance itself from being attached to specific
infrastructure.
The trojan can propagate laterally via the ETERNALBLUE exploit, which abuses SMB version
1 on a local network to drop and execute further versions of the malware. Additionally,
Emotet attempts to enumerate other hosts on the network, and brute force their domain
credentials for access. An infected host also becomes a part of the spam botnet that is
used to spread Emotet via email.
Emotet Infection Chain, via Barkly
ETERNALBLUE Propagation
Emotet uses the ETERNALBLUE tool, which is an SMB exploit affecting various Windows
operating systems from XP to Windows 7, along with deprecated versions of Windows
servers. The exploit injects shellcode into vulnerable systems, targeting machines by IP
address and sending the shellcode to the victim over SMB/445, according to a report from
Fidelis Security. Emotet abuses this exploit to operate as a worm across a local network, to
infect more victim hosts. The ETERNALBLUE module sends an SMB Echo request, and crafts
the exploit for delivery based on the target architecture. ETERNALBLUE then fingerprints
the host via its SMB response, and drops the backdoor on the host.
Network Password Scraper & SMB Worm Module
Emotet uses a list of basic credentials to bruteforce access to hosts on a local network,
again over SMB. This is supplemented by use of the NetPass.exe utility, according to Fidelis
Security, which is used to gather all passwords associated with the current user, including
those from network drives. Those credentials are then used to attempt to remotely login to
other hosts. If those connections fail, the module attempts to find writable share drives via
SMB that it can then use as infection vectors into hosts that have access to that shared
drive.
These additional modules are downloaded as obfuscated DLLs, using an XOR cipher to hide
incriminating strings as the module is downloaded or scanned. Often, the modules are
based on open source tools to scrape data from the victim’s machine, including email
data, passwords used in web browsing, and credentials used on the host for other
activities. These modules generally seem more interested in spreading Emotet to further
hosts, than gathering banking information to make a profit. This indicates that Emotet
operators have interest in selling access to infected hosts or to the botnet at large to
spread other malware, rather than monetizing the infections themselves.
Email Stealing Module
On October 31, 2018, researchers from Kryptos Logic found that the Emotet downloader
and banking trojan now has the ability to exfiltrate emails from victim systems. This is an
evolution of Emotet’s abuse of the Outlook Messaging API, which was used to pilfer lists of
the victim’s contacts. The module, contained in mapi32.dll, accesses
HKLM\Software\Clients\Mail\Microsoft Outlook. The only observed sample of this module
has an MD5 hash value of 6cd44f2d00b43d80c08922d99d51cce804a59a54.
Emotet Email Harvesting Mechanism, via Kryptos Logic
The upgraded malware accesses the Outlook registry key to scrape email addresses, email
subjects, and the contents of the email from the interpersonal message (IPM) root folder.
This data is then written to a temporary file and Base64-encoded. The information is
then exfiltrated to the Emotet C2 over HTTP using a WinINet API call.
Emotet abuses the Nirsoft Mail PassView, a pseudo-legitimate utility that identifies email
addresses, passwords and contact lists from common email clients, including Outlook but
also Gmail, Hotmail and Thunderbird. This is still used to scrape email clients other than
Outlook, to supplement the spam sending capability.
Spam Module
The spam sending module of Emotet relies on the email stealing and harvesting modules
to create lists of further targets for sending spam. The module pulls in local data to
supplement data sent from the command and control that includes the message template,
subject line, a list of recipients, and list of hijacked accounts, which are used for the spam
distribution. The spam is not sent directly from the local host, but from a repository of
previously scraped email accounts that are remotely logged into to send the spam emails.
Browser Password Stealer & Banking Module
Emotet has used WebBrowserPassView, another password recovery tool made by Nirsoft,
that captures passwords stored by Chrome, Internet Explorer, Firefox, Safari, and Opera.
These target a variety of services for data mining, including bank account and email
information, but also social media and other common login data. This module contains
similar functions to the Graftor browser password stealer (Intelligence Card), which also
abuses WebBrowserPassView.
Example of WebBrowserPassView, via CheckPoint
Previous samples of Emotet invoked a banking module, which intercepts network traffic
from the browser to steal banking details entered by the user, used in combination with
the stolen browser passwords. This module operated as a man-in-the-browser attack,
sniffing network activity to scrape passwords related to banking activity. CERT Polska found
this module was occasionally used to automatically steal funds from victimized bank
accounts using Automated Transfer Systems (ATS).
Table of Emotet modules (columns: Module, File Name, File Hash)
The data in the cookie header is constructed using Google’s Protobuf, which includes the
encrypted RSA key for the command and control, followed by a hash of the data being sent,
then followed by the encrypted data itself. Unfortunately, this elaborate encryption scheme
and message structure make it difficult to detect network traffic of Emotet infections. Where
able, Recorded Future recommends monitoring for HTTP traffic that does not involve a
domain name or referrer, and filtering those requests by large cookie headers, to potentially
identify a victim in their environment.
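The heuristic just described, as an added example that is not part of the original report: a Python pass over proxy log lines that flags requests to a bare IP address with no Referer and a large Cookie header. The whitespace-separated log layout, the documentation-range addresses in the sample lines and the 512-byte cookie threshold are all assumptions made here.

```python
"""Hunt over HTTP proxy logs for the Emotet C2 pattern described in the report:
a request to a bare IP address, with no Referer, carrying a large Cookie header.
The log format and the size threshold are assumptions made for this example."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed log layout: timestamp client method url referer cookie_bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<referer>\S+)\s+(?P<cookie_bytes>\d+)$"
)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
COOKIE_THRESHOLD = 512  # assumed tuning value; baseline it against your own traffic


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def bare_ip_host(url: str) -> bool:
    """True when the URL's host is an IPv4 literal rather than a domain name."""
    host = urlsplit(url).hostname or ""
    return bool(IPV4_RE.match(host))


def is_suspect(rec: Dict[str, str]) -> bool:
    """All three heuristics from the report must hold at once."""
    return (bare_ip_host(rec["url"])
            and rec["referer"] == "-"
            and int(rec["cookie_bytes"]) >= COOKIE_THRESHOLD)


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Parsed records that match all three heuristics."""
    return [rec for rec in map(parse_line, lines) if is_suspect(rec)]


def clients_by_hits(lines: List[str]) -> Dict[str, int]:
    """Count suspect requests per internal client, to prioritise which hosts to inspect."""
    counts: Dict[str, int] = {}
    for rec in hunt(lines):
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


# Constructed sample log (documentation address ranges, not real infrastructure).
SAMPLE_LOG = [
    "2018-11-08T09:14:02Z 10.1.2.33 GET http://www.example.com/index.html http://www.example.com/ 84",
    "2018-11-08T09:14:10Z 10.1.2.33 POST http://203.0.113.45:8080/ - 1460",
    "2018-11-08T09:15:01Z 10.1.2.57 GET http://198.51.100.7/update.php - 120",
    "2018-11-08T09:15:30Z 10.1.2.33 POST http://cdn.example.net/api - 900",
    "2018-11-08T09:19:12Z 10.1.2.33 POST http://203.0.113.45:8080/ - 1502",
]

if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG):
        print(rec["ts"], rec["client"], "->", rec["url"], rec["cookie_bytes"], "cookie bytes")
```

The third sample line (bare IP, no Referer, but a small cookie) shows why all three conditions are combined: any one of them alone is common in benign traffic.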
However, despite Emotet’s intensive and clandestine communications, the use of the
ETERNALBLUE exploit may aid defenders in identifying infected hosts if they begin
enumerating other hosts or sending SMB echo requests to other hosts on the NAT. This
method of detection may well provide a better early warning for defenders, as later
network activity does its best not to stand out in network traffic logs.
Persistence Locations
File Locations
Emotet typically drops files into the AppData\Local or AppData\Roaming directories. These
files are either randomly named or disguised with names mimicking media
executables, such as wmplayer.exe. Emotet attempts to gain administrative privileges in the
Windows system root directories, allowing the malware to run in disguise as a Windows
service. Researchers from TrendMicro note that Emotet drops its files into
AppData\Local\Microsoft\Windows or AppData\Roaming if the trojan gains administrative
privileges, and into the System folder if it cannot escalate privileges.
Examples of the dropped file paths:
C:\Users\<username>\AppData\Local\Microsoft\Windows\shedaudio.exe
C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe
The faked services often use the descriptions of the real services they mimic; however,
Emotet has yet to provide a publisher. The lack of a publisher and odd timestamps may
assist operators in identifying Emotet-created services. Operators can identify created
services via Windows event logs, searching for event ID 7045.
In behavioural analysis of recent samples of Emotet, Recorded Future found the following
directories were created:
directory_created: [
C:\Users\<username>\AppData\Local\Microsoft\Windows\Caches
]
Registry Modifications
Emotet creates a registry key to gain persistence on the victim host, which allows the
malware to be executed upon startup. Recently, these keys have been placed under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\, while a subkey is
generated if the malware has gained administrative access. The subkey is typically located
under HKLM\SYSTEM\ControlSet001\services\. Defenders can assess the maliciousness of any files
that are configured to execute upon startup with a time-based analysis, looking for
anomalies or files that stand out. Registry modifications can be tracked in Windows event
logs under event ID 4657.
Further examples of registry keys created by Emotet:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled Tasks
While Emotet does not currently use scheduled tasks to achieve persistence on the host,
many of the malware families it drops (TrickBot, Dridex, etc.) do use them as a persistence
method. Identifying these infections may lead to discovery of an Emotet infection.
Operators can hunt for newly scheduled tasks in Windows event logs for instances of event
ID 4698. Alternatively, the tools Autoruns and Task Scheduler can also be used on each
host that is being inspected.
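A triage pass over the three event IDs named in the persistence sections (7045 service installs, 4657 registry value modifications, 4698 scheduled task creation), added here as an example and not taken from the report. The event records are constructed dicts whose field names follow the Windows event schemas, with TaskCommand assumed to be pre-extracted from the 4698 TaskContent XML; the drop directories, Run and services keys, and lookalike filenames are the ones this report lists.

```python
"""Triage of Windows event records for the Emotet persistence patterns in the
report: event ID 7045 (service installed), 4657 (registry value modified) and
4698 (scheduled task created). Records are constructed dicts here; in practice
they come from exported System and Security event logs."""
import re
from typing import Dict, List, Tuple

# Drop directories and lookalike filenames named in the report.
USER_DROP_DIRS = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
MEDIA_LOOKALIKES = {"wmplayer.exe", "flashplayer.exe", "wmpnscfg.exe", "shedaudio.exe"}
# Autostart locations named in the report: the Run keys and the services key.
RUN_KEY = re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run$",
                     re.IGNORECASE)
SERVICES_KEY = re.compile(r"\\System\\(CurrentControlSet|ControlSet\d{3})\\Services\\",
                          re.IGNORECASE)

def exe_name(command: str) -> str:
    """Last path component of a (possibly quoted) command, lower-cased."""
    return command.strip().strip('"').split("\\")[-1].lower()

def path_reasons(command: str) -> List[str]:
    reasons = []
    if USER_DROP_DIRS.search(command):
        reasons.append("binary under AppData\\Local or AppData\\Roaming")
    if exe_name(command) in MEDIA_LOOKALIKES:
        reasons.append("filename mimics a media executable")
    return reasons

def triage(rec: Dict[str, object]) -> List[str]:
    """Reasons to look closer at one record; an empty list means nothing stood out."""
    eid = rec["EventID"]
    if eid == 7045:  # System log: a new service was installed
        return [f"7045 service '{rec['ServiceName']}': {r}"
                for r in path_reasons(str(rec["ImagePath"]))]
    if eid == 4657:  # Security log: a registry value was modified
        key = str(rec["ObjectName"])
        if RUN_KEY.search(key) or SERVICES_KEY.search(key):
            # Every new autostart entry gets the time-based review the report suggests.
            reasons = path_reasons(str(rec["NewValue"])) + ["new autostart value written"]
            return [f"4657 value '{rec['ObjectValueName']}': {r}" for r in reasons]
    if eid == 4698:  # Security log: scheduled task created (used by dropped families)
        # TaskCommand is assumed to be the <Command> element extracted from TaskContent.
        return [f"4698 task '{rec['TaskName']}': {r}"
                for r in path_reasons(str(rec["TaskCommand"]))]
    return []

def hunt(events: List[Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """(timestamp, reasons) for every record worth a closer look, in log order."""
    return [(str(rec["TimeCreated"]), triage(rec)) for rec in events if triage(rec)]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "TimeCreated": "2018-11-07T03:12:44", "ServiceName": "shedaudio",
     "ImagePath": r"C:\Users\alice\AppData\Local\Microsoft\Windows\shedaudio.exe"},
    {"EventID": 7045, "TimeCreated": "2018-11-07T09:00:01", "ServiceName": "VendorUpdater",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 4657, "TimeCreated": "2018-11-07T03:12:50", "ObjectValueName": "flashplayer",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "NewValue": r'"C:\Users\alice\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe"'},
    {"EventID": 4698, "TimeCreated": "2018-11-07T10:30:00", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskCommand": r"C:\Windows\System32\defrag.exe"},
]

if __name__ == "__main__":
    for ts, reasons in hunt(SAMPLE_EVENTS):
        print(ts, *reasons, sep="\n  ")
```

On a live host the same records can be pulled with Get-WinEvent filtered on these three IDs and mapped onto the field names used above.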
Behavioural Analysis
In behavioural analysis of recent samples of Emotet, Recorded Future found the following
registry keys were created:
The same samples deleted the following registry keys:
HKEY_CURRENT_USER\\System\\CurrentControlSet\\Control\\Network\\ShowWirelessConnectingOnStart
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\52-54-00-26-ad-7a\\WpadDetectedUrl
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{02B68A4B-B854-4981-A220-4267CF5CCD65}\\WpadDetectedUrl
Additional commands and mutexes observed in the same samples (the created directory is listed above):
command_line: [
C:\Windows\SysWOW64\nlawatch.exe
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
]
mutex: [
Global\\MEC7B5BB7
Global\\IEC7B5BB7
]
Outlook
Recorded Future assesses Emotet is an advanced, modular banking trojan that primarily
functions as a downloader or dropper of other banking trojans. Emotet commonly abuses
legitimate or native Windows tools to gather information, incorporating utilities developed
by Nirsoft, in an effort to make its behavior difficult to detect.
Emotet has recently been acting as spam-sending malware that infects target systems to
then load other malware families onto the host. Emotet operators are not selective about
targeting a specific industry or region, instead spreading without discretion. The malware
operators appear more interested in spawning further Emotet infections in large volumes,
rather than monetizing their current victims, to generate profit. The infected hosts that
distribute spam and occasionally act as proxies for the command and control servers are a
decentralized network, making it difficult for defenders to block at their perimeter.
import "pe"
rule Emotet_Certificate {
    meta:
        description = "Detects a compromised certificate abused by Emotet"
        author = "Insikt Group, Recorded Future"
        date = "2018-11-01"
        hash = "919368A0286FDAD494A16388C83A571E6B9C285A"
    condition:
        // MZ header, then walk the Authenticode signatures (indices run 0 .. n-1)
        uint16(0) == 0x5a4d and
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].issuer contains "thawte SHA256 Code Signing CA" and
            // the pe module renders the serial as lowercase, colon-separated hex
            pe.signatures[i].serial == "38:6b:c7:cb:6d:b4:03:1a:6c:dc:2d:67:07:13:b6:1a"
        )
}
__________________________________________
rule Emotet
{
    meta:
        author = "kevoreilly"
        description = "Emotet Payload"
        cape_type = "Emotet Payload"
    strings:
        $snippet1 = {FF 15 ?? ?? ?? ?? 83 C4 0C 68 40 00 00 F0 6A 18}
        $snippet2 = {6A 13 68 01 00 01 00 FF 15 ?? ?? ?? ?? 85 C0}
        $snippet3 = {83 3D ?? ?? ?? ?? 00 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 74 0A 51 E8 ?? ?? ?? ?? 83 C4 04 C3 33 C0 C3}
        $snippet4 = {33 C0 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 39 05 ?? ?? ?? ?? 74 1D 8D 49 00 40 A3 ?? ?? ?? ?? 83 3C C5 ?? ?? ?? ?? 00 75 F0 51 E8 ?? ?? ?? ?? 83 C4 04 C3}
    condition:
        // check for MZ signature at offset 0, then any of the code patterns;
        // the outer parentheses are required because 'and' binds tighter than 'or'
        uint16(0) == 0x5A4D and ((($snippet1) and ($snippet2)) or ($snippet3) or ($snippet4))
}
__________________________________________
rule emotet_vbinject {
    strings:
        // data from the overlay
        $overlay = { BC 4F 62 6B 16 02 B4 C7 2F 27 2F 59 7B B6 33 B1 }
        // PDB path left in the binary: "C:\Users\M\Desktop\stubsrc\BG\Release\BG.pdb"
        $pdb = { 43 3A 5C 55 73 65 72 73 5C 4D 5C 44 65 73 6B 74 6F 70 5C 73 74 75 62 73 72 63 5C 42 47 5C 52 65 6C 65 61 73 65 5C 42 47 2E 70 64 62 00 }
        // various signatures used in vbinject samples to denote beginning/end of payload executable
    condition:
        // condition added here so the rule compiles; the original condition is not reproduced on this page
        uint16(0) == 0x5A4D and any of them
}
__________________________________________
rule emotet4_spam : spambot
{
    meta:
        author = "mak"
        module = "emotet"
    strings:
        $login = "LOGIN" fullword
        $startls = "STARTTLS" fullword
        $mailfrom = "MAIL FROM:"
    condition:
        // emotet4_basic is a companion rule from the same ruleset; it is not reproduced
        // on this page, so this rule only compiles when loaded alongside it
        all of them and emotet4_basic
}