For roughly six months the infamous Emotet botnet showed almost no activity; now it is distributing malicious spam again. Emotet is one of the most dangerous trojans ever created: it grew into a highly destructive program as it scaled up and gained sophistication, and anyone exposed to its spam campaigns, from corporate to private users, can become a victim.
The botnet spreads through phishing emails carrying malicious Excel or Word documents. When a user opens the document and enables macros, the Emotet DLL is downloaded and loaded into memory. It then harvests email addresses from the host for use in further spam campaigns. The botnet also drops additional payloads, such as Cobalt Strike, which are used for follow-on attacks that frequently end in ransomware.
See: https://redskyalliance.org/xindustry/this-may-be-the-end-of-emotet
Emotet's polymorphism and its many modules make the malware hard to identify. The operators constantly change their tactics, techniques, and procedures so that existing detection rules stop applying. To stay unnoticed on an infected system, the malware downloads its additional payloads in several stages. The result is a headache for defenders: the malware is very hard to eradicate from a network, spreads quickly, produces misleading indicators, and adapts to the attackers' needs.
Emotet is an advanced, constantly changing modular botnet. It started in 2014 as a simple banking trojan, but since then it has acquired a range of features, modules, and campaigns:
- 2014 - Money transfer, mail spam, DDoS, and address book stealing modules.
- 2015 - Evasion functionality.
- 2016 - Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
- 2017 - A spreader and address book stealer module.
- 2021 - Malicious XLS templates, use of MSHTA, direct delivery of Cobalt Strike.
- 2022 - Some features remained the same, but the year also brought several updates.
This trajectory shows that Emotet is not going anywhere, despite its frequent "vacations" and even the law-enforcement takedown of January 2021. The malware evolves fast and adapts to whatever is thrown at it.
After almost half a year of "vacation," the Emotet botnet has returned even stronger. Here is what you need to know about the new 2022 version:
- It drops IcedID, a modular banking trojan.
- The malware loads XMRig, an open-source Monero miner, to mine cryptocurrency on the victim's hardware.
- The loader binary has changed.
- Emotet now ships as 64-bit code, which sidesteps detections written for the earlier 32-bit loaders.
The new version also uses new commands and targets:
- It invokes rundll32.exe with a randomly named DLL and the export PluginInit.
- It aims to steal credentials from Google Chrome and other browsers.
- It uses the SMB protocol to collect company data from the network.
As six months ago, the botnet uses malicious XLS lures, but this time it has adopted a new one.
The main challenge with Emotet is detecting it on a system quickly and accurately. Beyond that, a malware analyst must understand the botnet's behavior to prevent future attacks and avoid losses.
Over its long development history, Emotet has stepped up its evasion strategy. Its process execution chain and its activity on an infected host have evolved, forcing detection techniques to change drastically.
For example, in 2018 it was possible to detect the banker by the name of its process, which was one of the following:
eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho
Later, in the first quarter of 2020, Emotet started writing a marker into the registry: under HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER it creates a value whose name is a random 8-character string of letters and other characters.
Suricata rules[1] can identify Emotet's network traffic, but detection often lags behind the first wave of a new campaign because the rules have to be updated first. Another way to spot this banker has been its malicious documents: the crooks use specific templates and lures, often with grammatical errors in them. One of the most reliable ways to detect Emotet is with YARA rules[2]. As of this writing, the returned botnet has not yet demonstrated its full functionality or consistent follow-on payload delivery.
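The three host-side indicators described above (the 2018 process names, the 2020 Explorer registry value, and the 2022 rundll32/PluginInit launch) can be folded into one triage check over process-creation and registry-set telemetry. The following Python is an added example written for this article, not Red Sky Alliance's or any vendor's detection code. The events it runs over are constructed in a simplified Sysmon-like shape, the Explorer allow-list is an assumption you would tune per environment, and "8 symbols" is read as exactly eight letters or digits.

```python
"""Host-side triage for the Emotet indicators named in this article.

Added example, not Red Sky Alliance code. The events below are constructed
(simplified Sysmon-like records), not captured telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Process names the article lists for the 2018 builds.
EMOTET_2018_NAMES = {
    "eventswrap", "implrandom", "turnedavatar", "soundser", "archivesymbol",
    "wabmetagen", "msrasteps", "secmsi", "crsdcard", "narrowpurchase",
    "smxsel", "watchvsgd", "mfidlisvc", "searchatsd", "lpiograd",
    "noticesman", "appxmware", "sansidaho",
}

# Key under which the 2020 builds write their 8-character marker value.
EXPLORER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER"

# Assumption: value names legitimately written directly under that key in your
# environment. Tune this allow-list before deploying the check.
EXPLORER_ALLOWLIST = {"shellstate", "cleanshutdown", "browse for folder width"}

# Assumption: "8 symbols" is read as exactly eight letters or digits.
MARKER_VALUE_RE = re.compile(r"^[A-Za-z0-9]{8}$")

# rundll32[.exe] <path>\<name>.dll,<Export>   (2022 launch uses export PluginInit)
RUNDLL32_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+\.dll)"?\s*,\s*(?P<export>[A-Za-z_]\w*)""",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def check_process(image: str, cmdline: str) -> list[Finding]:
    """Process-creation event: 2018 hard-coded names and 2022 rundll32/PluginInit."""
    findings: list[Finding] = []
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name in EMOTET_2018_NAMES:
        findings.append(Finding("emotet_2018_process_name", image))
    match = RUNDLL32_RE.search(cmdline)
    if match and match.group("export").lower() == "plugininit":
        findings.append(Finding("emotet_2022_rundll32_plugininit", cmdline))
    return findings


def check_registry(key: str, value_name: str) -> list[Finding]:
    """Registry-set event: random 8-character value directly under the Explorer key."""
    if key.upper().rstrip("\\") != EXPLORER_KEY:
        return []  # subkeys such as ...\Explorer\Advanced are out of scope
    if value_name.lower() in EXPLORER_ALLOWLIST:
        return []
    if MARKER_VALUE_RE.match(value_name):
        return [Finding("emotet_2020_explorer_value", f"{key}\\{value_name}")]
    return []


def triage(events: list[dict]) -> list[Finding]:
    """Run every event through the check matching its type; return findings in order."""
    findings: list[Finding] = []
    for event in events:
        if event["type"] == "process":
            findings += check_process(event["image"], event.get("cmdline", ""))
        elif event["type"] == "registry":
            findings += check_registry(event["key"], event["value"])
    return findings


# Constructed sample telemetry: four benign and three suspicious records.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\Public\soundser.exe",
     "cmdline": "soundser.exe"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Local\Temp\xzqkwe.dll",PluginInit'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "registry", "key": EXPLORER_KEY, "value": "ShellState"},
    {"type": "registry", "key": EXPLORER_KEY, "value": "qzkaw8ds"},
    {"type": "registry", "key": EXPLORER_KEY + r"\ADVANCED", "value": "Hidden"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.evidence}")
```

Treat the rundll32/PluginInit match as the highest-signal of the three: the 2018 names are long obsolete, and an eight-character value under the Explorer key will also be written by benign software, so the registry check needs the allow-list and analyst review before it is allowed to page anyone.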
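Because Suricata rules lag a new wave until they are updated, a team ingesting a rule feed usually wants to see what a rule actually matches before loading it. The Python below, an added example and not Red Sky Alliance code or part of Suricata, parses a rule into the header components footnote [1] describes (action, protocol, networks, ports, direction) plus its options, and runs a few sanity checks on it. The sample rule is constructed for illustration: its sid 9000001 is a placeholder in the local range, and the lint checks are this example's own choices rather than Suricata requirements.

```python
"""Parse a Suricata rule into header and options, then sanity-check it.

Added example for footnote [1]; not Red Sky Alliance code and not part of
Suricata. The sample rule is constructed; sid 9000001 is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Header: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$",
    re.DOTALL,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list[tuple[str, str | None]]  # (keyword, value); value None for bare keywords

    def option(self, name: str) -> str | None:
        """First value for an option keyword (quotes kept as written), or None."""
        for key, value in self.options:
            if key == name:
                return value
        return None


def split_options(text: str) -> list[tuple[str, str | None]]:
    """Split 'k:v; k; ...' on ';' outside double quotes, honouring backslash escapes."""
    parts: list[str] = []
    buf: list[str] = []
    in_quotes = escaped = False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf))
    result: list[tuple[str, str | None]] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition(":")
        result.append((key.strip(), value.strip() if sep else None))
    return result


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Suricata rule: {line!r}")
    return Rule(m["action"], m["proto"], m["src"], m["src_port"], m["direction"],
                m["dst"], m["dst_port"], split_options(m["options"]))


def lint(rule: Rule) -> list[str]:
    """Example pre-load checks: identifiers present, and some payload/state match."""
    problems = []
    for required in ("sid", "rev", "msg"):
        if rule.option(required) is None:
            problems.append(f"missing {required}")
    keywords = {key for key, _ in rule.options}
    if not keywords & {"content", "pcre", "dsize", "flowbits"}:
        problems.append("no payload/state match keyword; will fire on all matching flows")
    return problems


# Constructed rule (not from any feed): flags an HTTP POST whose Host header is a bare IP.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"CONSTRUCTED example: HTTP POST to a bare-IP Host header"; '
    'flow:established,to_server; http.method; content:"POST"; '
    'http.host; pcre:"/^\\d{1,3}(\\.\\d{1,3}){3}$/"; '
    'classtype:trojan-activity; sid:9000001; rev:1;)'
)

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule.action, rule.proto, rule.src, rule.direction, rule.dst)
    print("options:", [key for key, _ in rule.options])
    print("lint:", lint(rule) or "ok")
```

The header is fixed-position, so a regular expression is enough for it; the options are not, because a `;` may appear inside a quoted `msg` or `pcre` value, which is why `split_options` tracks quoting and escapes instead of splitting on `;` directly.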
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] Suricata rules are the de facto method for sharing and matching threat intelligence against network traffic. A rule consists of several components: a header naming the action, the protocol, and the networks, ports and direction the signature is matched against (for example "alert http $HOME_NET any -> $EXTERNAL_NET any"), followed by the options in parentheses, such as the msg text, content and pcre matches, and the sid and rev identifiers.
[2] YARA rules are used to classify and identify malware samples by creating descriptions of malware families based on textual or binary patterns.