Emotet is a banking Trojan, designed for stealing banking information, email accounts and automatically siphoning money from victims’ bank accounts. It is known to be leveraging victims’ contact lists and email accounts to spread virally.
The currently active Emotet campaign is very aggressive. Dozens of unique payloads of the core bot have been identified. At the moment there are hundreds of domains used for spreading Emotet, possibly delivering the largest ongoing mass phishing campaign in 2017 so far.
This post examines the evolution of Emotet, which started out as a simple malware, but over the years its developers added more and more evasive techniques. Minerva Labs has analyzed the Emotet campaign to discover that recent payload variants are highly effective at bypassing anti-virus products. Yet by simply creating three empty files, you can block Emotet entirely and immunize the endpoint.
Emotet process checks the endpoint to proceed its execution
The empty files that when created on the endpoint will prevent Emotet
Emotet: An Evolving Threat
Emotet haunts us back from 2014, evolving and developing each year to incorporate new abilities and behavior. What helped Emotet stand out from other banking trojans during its early years was its ability to intercept network activity to steal information by injecting a malicious DLL into sensitive processes.
Later that year a new version of Emotet was found, which began to use technology that stole money from victims' bank accounts by initiating automated transfers (ATS). This variant was more modular, and contained different modules that implemented even more malicious capabilities.
In this version, developers of Emotet did not attack users in the Russian-speaking countries, possibly trying to avoid the attention of law enforcement in Russia.
Emotet reappeared in January 2015. This time, the authors of this malware enhanced the original variant with multiple evasion techniques:
- Key elements of the malware were decrypted in allocated memory.
- If Emotet spotted that it is running in a virtual machine ,it contacts a set of fake C2 servers. These servers are not real and are used only to mislead investigators. (A similar tactic was implemented roughly at the same time by Andromeda\Gamarue.) According to Kaspersky, some of the process names are “vboxservice.exe”, “vmacthlp.exe”, “vmtoolsd.exe”, and “vboxtray.exe”.
2017 was a very interesting year for Emotet. It did a second comeback and added more and more tactics and modules since late April. Key changes that took place include:
- Sandbox evasion: In order to avoid sandbox detctionURLs are stored in an encrypted list which makes it harder for the sandbox to analyze and parse the url, so the sandbox won’t find the url and won’t be able to download the Emotet sample.
- Spreading via credential bruteforce: new variants use more ways to spread – added the ability to brute force Active Directory domain accounts with a dictionary attack.
- Spreading via exploits: Emotet was the first to endorse the ETERNALBLUE\DOUBLEPULSAR exploit combo as part of an organized “traditional” cybercrime campaign. Integrating it enabled Emotet to infect networks as if it was a worm, virally spreading from patient zero to the entire organization.
- Communication method with C2: encrypted information about the victim transferred within a base64 encoded cookie, instead of a POST request to a path on the server derived from information about the victim. Also, Emotet uses tricks to confuse analysts, such as replying with “404: page not found”, even though the page contains the encrypted replies.
- New modules: Newer versions now steal browser and mail client credentials.
- Obfuscated code: Emotet’s level of obfuscation was greatly improvedand added ‘junk’ data to slow down researchers. Moreover, the malware hid the functions it wanted to load (import table) in an array of hashes so it would be used only in run time.
- Victim machine information collection: Emotet collects information about the machine, such as process names, and based on this decides how to act.
- Encryption: another change is moving to a different encryption algorithm. In previous releases, communication was encrypted using RC4. In its fourth version, Emotet switched to a more robust 128-bit AES in CBC mode.
- C2 protocol: Emotet uses “protobuf” – communication protocol by Google, and added an additional type of encoding, which makes it impossible to parse with the default parsers.
Late 2017 Emotet Wave
Last month a new Emotet variant overwhelmed the web infecting targets using malicious email messages that prompt the user to open a link leading to a Word document:
Note that unlike other campaigns, the document is not attached to the email and, instead, is hosted on a remote web server. This is probably to bypass security solutions that test email attachments for malicious content.
The malicious document that the victim is tricked into downloading looks like many other campaigns in that genre, asking the user to enable macro execution using basic social engineering:
If the victim enables macros, the document executes a batch script:
At runtime, the last row executes a fileless PowerShell command with encoded payload.
The payload decodes to the following string:
The latest version demonstrates how Emotet was improved in a single week to bypass security products: While the earlier variant used a PowerShell script that explicitly included the instruction “iex” to invoke expression that executes an encrypted script, the later variant obfuscated it.
In the first variant “iex” was written explicitly:
The later variant was changed to bypass security products:
env.public is the string:
This new variant cleverly selects the 14th (‘I’) and the 6th letter (‘e’) and concatenates it with a hard-coded ‘x’ to get the same “iex” without having it in the script explicitly. This clever yet simple solution is a great example of the quick way in which the cybercriminals behind Emotet react once they realize their tool is detected by security products.
In its last stage of the infection, the Emotet dropperdecrypts the obfuscated string and invokes it:
The script iterates over the list five compromised websites in order to download the executable payload from one of them. Once the bot successfully starts, the script terminates.
Preventing Emotet with Three Files
The latest version of Emotet (Oct-Nov 2017) is armed with even more evasiveness – a bunch of new techniques that are meant to hide the sample from sandboxes and antivirus products. For example, the presence of the following sandbox-related files is tested:
- Files under the folder “C:\a”
- Files under “C:\123” and “C:\”
If Emotet finds all three files of the first cluster or all four files from the second cluster, it will stop its execution to avoid being analyzed within the corresponding sandbox.
In addition, Emotet is also looking for a lengthy list of sandbox related users and hostnames. It will also avoid running if it discovers any of the following Windows user names or computer names:
- John Doe
A human-friendly decompilation of the evasion routine can be seen in a public Joe-sandbox analysis report:
Scale and Statistics
A partial list of over 700 domains associated with recent Emotet activity is available in the IOC section of this post. Emotet uses these domains are for three different purposes:
- Serving Emotet dropper Office document
- When the user clicks on the link in the phishing email those sites will serve the infected document.
- Compromised WordPress websites
- Serving Emotet executable Paylod
- This servers store the malware itself, downloaded by the dropper
- Also running on top of exploited websites
- C2 Servers
- Gathering info and sending orders to Emotet post-installation
A full list of the domains is available in the following repository: https://github.com/MinervaLabsResearch/BlogPosts/blob/master/Emotet/Domains.txt
Examining the evolution of Emotet shows how malware authors take care to disguise their malware and hide it from antivirus products, researchers and sandboxes.
It has evolved from malware that comes with local configuration files and fully predetermined infection logic, to a modular design that operates according to the responses from C2 servers. In addition, Emotet has changed in the way it captures the information – from storing that stolen information on the endpoint’s file system, to a fileless behavior that sends the data in an encrypted way to the C2 server through carefully crafted packets without writing it to the disk.
Every year the malware became more sophisticated, staying up to date with new attack techniques, such as the move to malicious PowerShell, and becoming increasingly evasive.
You want to have an Emotet free endpoint? Just create the following files:
If you find it impractical to generate these files in your organization, learn how Minerva’s Anti-Evasion Platform accomplishes this by carefully simulating the artifacts that keep malware away. Minerva Labs can prevent Emotet and other evasive infections at scale with no manual involvement.