Emotet Trojan Acts as Loader, Spreads Automatically

Since the middle of July, McAfee has observed new updates of the Emotet, a Trojan that was first discovered in 2014. This malware harvests banking credentials. Early variants used Outlook contact harvesting to spread via malicious spam.

The latest variants act as loaders and use several mechanisms to spread over the network and send spam email. They also use techniques to bypass antimalware products and avoid detection. Initial infection vectors are emails containing a link to download a malicious Office document. Once a system is infected, Emotet collects the computer name and running process information, which are encrypted and sent to a control server via a Post request.

Emotet updates itself with the latest version from the server, and attempts to download additional malware, such as Dridex (banking malware). The banking malware is designed to harvest banking credentials by installing a malicious component into the web browser. It also uses evasion techniques such as “atom bombing” to inject malicious code.

The following illustration shows how Emotet works:

Analysis

The initial infection vector of Emotet is a malicious Office document containing an obfuscated macro that runs a PowerShell script to download the payload.

Additional information can be found here:

Details of our analyzed sample.

The malware uses several mechanisms to stay persistent and undetected. It unpacks itself directly into memory and drops malicious files in the system. Emotet acts as a loader and can enable several modules. During our analysis, we saw the following:

Worm module via brute-force attack to spread over the network.
Dropping malware.
Sending spam with compromised emails to spread around the world.
Updating main file to bypass antimalware signatures.

These modules are enabled by the control server and allow the attackers to perform malicious actions on infected machines.

The malware contains an icon that can be identified on infected machines. We saw several updates to the icon during the campaign:

Emotet malware icons.

Once the malware is running, it is unpacked several times into memory. This process allows the malware to bypass antimalware detection before runtime. The following screenshot shows the unpacking process.

Unpacking at runtime.

The malware changes its name to avoid detection once it has infected a system. In this case the malware used certtask.exe. Each infected machine could have a different name.

Emotet uses several mechanisms to stay persistent, allowing it to run after each reboot. It also creates a service to run the malicious file. Early variants created scheduled tasks.

Run key.

Emotet employs a control server to communicate with infected machines and send the stolen credentials:

Control server connection.

The malware updates itself by sending a Post request and showing a 404 error from the server to fool analysts.

A Post request.

The control server address changed throughout the campaign.

Worm module

We found that Emotet uses a worm module to spread on the network. It brute-force attacks an account to break the password and copy itself on a network share.

A brute-force attack. The malware attempts to connect to specific users.

Spam module

Emotet spreads by email from compromised accounts. The attackers can remotely activate the spam module, which dynamically uses the credentials to send email:

Spam module.

Evasion tricks

The sample arrives packed and runs several processes to unpack its content. By tracking the VirtualAlloc API, we can follow the dump of an unpacked version into memory.

Dumping the unpacked executable into memory.

The dumped executable is a file that runs without an import address table to avoid static analysis. All the functions are resolved dynamically when the sample runs.

Dynamic API resolution.

The sample creates a mutex as an infection marker to detect if the machine is already infected.

Creating a mutex to match the filename emo.bin.

The malware uses a different mutex, generated with the filename during execution, to avoid any possible vaccine. The mutex is always the same if the filename does not change.

The following example shows a different mutex name with a different filename:

Creating a mutex to match the filename emoo2.exe.

To detect any debugging, Emotet employs the undocumented function NtSetInformationProcess:

Emotet creates a suspended process to unpack. If the debugger is detected, the malware terminates the suspended process; otherwise it continues the execution and infects the system.

Conclusion

Emotet has evolved to take advantage of several evasions, persistence, and spreading techniques. It also downloads additional malware to harvest banking credentials and take other actions.

The spreading techniques on the local network seem to have come from lessons learned from the WannaCry and (Not)Petya outbreaks to increase the rates of infection. We can expect to see more weaponized lateral movements in the future.

The author thanks @tehsyntx and @_remixed for their help with this analysis.

Indicators of Compromise

Persistence

C:\Windows\System32\<randomnumber>\
C:\Windows\System32\tasks\<randomname>
C:\Windows\\<randomname>
C:\users\<myusers>\appdata\roaming\<random>
%appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
<Randomname>.LNK. file in the startup folder

Registry keys

HKLM\System\CurrentControlSet\Services “RandomNumbers”
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “RandomNames” with value c:\users\admin\appdata\roaming\<random>\<legitfile>.exe

IP addresses

81.62.54 Canada
106.1.205 Germany
254.40.5 Germany
23.244.244 Germany
160.15.198 Germany
160.178.17 Germany
188.40.189 Germany
86.91.232 Germany
134.140.21 France
196.73.150 France
121.121.72 France
187.103.156 France
210.206.25 France
79.132.214 United Kingdom
110.224.51 Italy
166.175.18 Netherlands
138.200.249 Netherlands
191.233.221 Poland
150.19.63 Thailand
21.183.63 United States
81.128.131 United States
230.145.224 United States
21.113.151 United States
3.75.246 United States
218.156.113 United States
31.0.39 United States
253.164.249 United States
81.212.79 United States
83.223.34 United States
243.126.142 United States
210.245.164 United States
43.168.206 United States
243.159.58
241.222.53

Hashes

741f04a17426cf07922b5fcc8ea561fb
12c8365a75dd78a4f01abcce80fbabd6
1e8fb9592c540b3d08d6a11625c11f29
9ae00902d729c271587178d1cbc0e22e
eb93ca04522bfe16e8c2a96bd43828b4
2c2046617bb3c1d9ad98650bc17100c9
03c66f518dd64e123dd79b68b0eb6a24
6c58a58c0d1d27d35e72579ab7dcdf2e
a3227b853fa657cf1a66b4ebed869f5b
56c709681b3c88e22538bcad11c5ebc6
a7ae7df15f40aa0698896284cf6b283b
158b0960e5024cd3ded8224bd1674c1f
5f40e4ddf7ecc2b7c1f02f03b5a6f766
1e8fb9592c540b3d08d6a11625c11f29
03c66f518dd64e123dd79b68b0eb6a24
a3227b853fa657cf1a66b4ebed869f5b
f459a5750fea85db0b21b6fcf6b64687
b3745eb2919d1441baf59a1278a1d199

The post Emotet Trojan Acts as Loader, Spreads Automatically appeared first on McAfee Blogs.