Since the middle of July, McAfee has observed new updates of the Emotet, a Trojan that was first discovered in 2014. This malware harvests banking credentials. Early variants used Outlook contact harvesting to spread via malicious spam.
The latest variants act as loaders and use several mechanisms to spread over the network and send spam email. They also use techniques to bypass antimalware products and avoid detection. Initial infection vectors are emails containing a link to download a malicious Office document. Once a system is infected, Emotet collects the computer name and running process information, which are encrypted and sent to a control server via a Post request.
Emotet updates itself with the latest version from the server, and attempts to download additional malware, such as Dridex (banking malware). The banking malware is designed to harvest banking credentials by installing a malicious component into the web browser. It also uses evasion techniques such as “atom bombing” to inject malicious code.
The following illustration shows how Emotet works:
The initial infection vector of Emotet is a malicious Office document containing an obfuscated macro that runs a PowerShell script to download the payload.
Additional information can be found here:
Details of our analyzed sample.
The malware uses several mechanisms to stay persistent and undetected. It unpacks itself directly into memory and drops malicious files in the system. Emotet acts as a loader and can enable several modules. During our analysis, we saw the following:
- Worm module via brute-force attack to spread over the network.
- Dropping malware.
- Sending spam with compromised emails to spread around the world.
- Updating main file to bypass antimalware signatures.
These modules are enabled by the control server and allow the attackers to perform malicious actions on infected machines.
The malware contains an icon that can be identified on infected machines. We saw several updates to the icon during the campaign:
Emotet malware icons.
Once the malware is running, it is unpacked several times into memory. This process allows the malware to bypass antimalware detection before runtime. The following screenshot shows the unpacking process.
Unpacking at runtime.
The malware changes its name to avoid detection once it has infected a system. In this case the malware used certtask.exe. Each infected machine could have a different name.
Emotet uses several mechanisms to stay persistent, allowing it to run after each reboot. It also creates a service to run the malicious file. Early variants created scheduled tasks.
Emotet employs a control server to communicate with infected machines and send the stolen credentials:
Control server connection.
The malware updates itself by sending a Post request and showing a 404 error from the server to fool analysts.
A Post request.
The control server address changed throughout the campaign.
We found that Emotet uses a worm module to spread on the network. It brute-force attacks an account to break the password and copy itself on a network share.
A brute-force attack. The malware attempts to connect to specific users.
Emotet spreads by email from compromised accounts. The attackers can remotely activate the spam module, which dynamically uses the credentials to send email:
The sample arrives packed and runs several processes to unpack its content. By tracking the VirtualAlloc API, we can follow the dump of an unpacked version into memory.
Dumping the unpacked executable into memory.
The dumped executable is a file that runs without an import address table to avoid static analysis. All the functions are resolved dynamically when the sample runs.
Dynamic API resolution.
The sample creates a mutex as an infection marker to detect if the machine is already infected.
Creating a mutex to match the filename emo.bin.
The malware uses a different mutex, generated with the filename during execution, to avoid any possible vaccine. The mutex is always the same if the filename does not change.
The following example shows a different mutex name with a different filename:
Creating a mutex to match the filename emoo2.exe.
To detect any debugging, Emotet employs the undocumented function NtSetInformationProcess:
Emotet creates a suspended process to unpack. If the debugger is detected, the malware terminates the suspended process; otherwise it continues the execution and infects the system.
Emotet has evolved to take advantage of several evasions, persistence, and spreading techniques. It also downloads additional malware to harvest banking credentials and take other actions.
The spreading techniques on the local network seem to have come from lessons learned from the WannaCry and (Not)Petya outbreaks to increase the rates of infection. We can expect to see more weaponized lateral movements in the future.
The author thanks @tehsyntx and @_remixed for their help with this analysis.
Indicators of Compromise
- %appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- <Randomname>.LNK. file in the startup folder
- HKLM\System\CurrentControlSet\Services “RandomNumbers”
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “RandomNames” with value c:\users\admin\appdata\roaming\<random>\<legitfile>.exe
- 22.214.171.124 Canada
- 126.96.36.199 Germany
- 188.8.131.52 Germany
- 184.108.40.206 Germany
- 220.127.116.11 Germany
- 18.104.22.168 Germany
- 22.214.171.124 Germany
- 126.96.36.199 Germany
- 188.8.131.52 France
- 184.108.40.206 France
- 220.127.116.11 France
- 18.104.22.168 France
- 22.214.171.124 France
- 126.96.36.199 United Kingdom
- 188.8.131.52 Italy
- 184.108.40.206 Netherlands
- 220.127.116.11 Netherlands
- 18.104.22.168 Poland
- 22.214.171.124 Thailand
- 126.96.36.199 United States
- 188.8.131.52 United States
- 184.108.40.206 United States
- 220.127.116.11 United States
- 18.104.22.168 United States
- 22.214.171.124 United States
- 126.96.36.199 United States
- 188.8.131.52 United States
- 184.108.40.206 United States
- 220.127.116.11 United States
- 18.104.22.168 United States
- 22.214.171.124 United States
- 126.96.36.199 United States