Dec 06 2017

Emotet Downloader Trojan Returns in Force

During the past couple of days, we have seen an increase in activity from Emotet. This Trojan downloader spreads by emails that lure victims into downloading a Word document, which contains macros that after executing employ PowerShell to download a malicious payload.

We have observed Emotet downloading a variety of payloads, including ransomware, Dridex, Trickbot, Pinkslipbot, and other banking Trojans.

During a wave of attacks in early December we discovered a campaign spreading the ransomware family HydraCrypt. The sample we received had a compilation date of December 5.

The initial Word documents were downloaded from a number of URLs; some examples follow:

  • hxxp://URL/DOC/Invoice/
  • hxxp://URL/scan/New-invoice-[Number]/
  • hxxp://URL /scan/New-invoice- Number]/
  • hxxp://URL /LLC/New-invoice- Number]/

The document topics are crafted to entice users to open them because they appear to impact our finances or official documentation.

  • Invoice
  • Paypal
  • Rechnung (with or without a number)
  • Dokumente vom Notar

The documents have typical characteristics used by Emotet attackers. When a user opens the document, it claims the file is protected and asks the victim to enable the content, which launches the code hidden in the macros.

In analyzing the macros, we see heavily obfuscated code to make detection difficult and cover up the real purpose of the document:

The macro code uses a mix of command, wmic, and PowerShell to copy itself to disk, create a service, and contact its control server for a download URL.

Emotet collects information about the victim’s computer, for example running processes, and sends encrypted data to the control server using a POST request:

The specific user-agent strings used in these requests:

  • Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727;
    .NETCLR3.5.30729;.NETCLR3.0.30729;MediaCenterPC6.0;.NET4.0C;.NET4.0E)
  • Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727;
    .NETCLR3.5.30729;.NETCLR3.0.30729;MediaCenterPC6.0;InfoPath.3)
  • Mozilla/5.0(WindowsNT6.1;WOW64;rv:39.0)Gecko/20100101Firefox/38.0•Mozilla/5.0
    (compatible;MSIE8.0;WindowsNT5.1;SLCC1;.NETCLR1.1.4322)

The payload samples are downloaded to %Windir%\System32 using a random name, either in GUID format or a five-digit random name.

The control servers and URLs hosting the malicious documents are covered within McAfee Global Threat Intelligence, with which we provide coverage for the samples detected. The McAfee Advanced Threat Research team proactively monitors any new developments regarding Emotet.

Detection

The new variants of Emotet are detected by McAfee DAT files as Emotet-FEJ!<Partial Hash> since December 3. Real Protection technology within McAfee Endpoint Security Adaptive Threat Protection provides zero-day detection of these new variants as Real Protect-SS!<Partial Hash>.

The post Emotet Downloader Trojan Returns in Force appeared first on McAfee Blogs.

Sep 01 2017

Emotet Trojan Acts as Loader, Spreads Automatically

Since the middle of July, McAfee has observed new updates of the Emotet, a Trojan that was first discovered in 2014. This malware harvests banking credentials. Early variants used Outlook contact harvesting to spread via malicious spam.

The latest variants act as loaders and use several mechanisms to spread over the network and send spam email. They also use techniques to bypass antimalware products and avoid detection. Initial infection vectors are emails containing a link to download a malicious Office document. Once a system is infected, Emotet collects the computer name and running process information, which are encrypted and sent to a control server via a Post request.

Emotet updates itself with the latest version from the server, and attempts to download additional malware, such as Dridex (banking malware). The banking malware is designed to harvest banking credentials by installing a malicious component into the web browser. It also uses evasion techniques such as “atom bombing” to inject malicious code.

The following illustration shows how Emotet works:

Analysis

The initial infection vector of Emotet is a malicious Office document containing an obfuscated macro that runs a PowerShell script to download the payload.

Additional information can be found here:

Details of our analyzed sample.

The malware uses several mechanisms to stay persistent and undetected. It unpacks itself directly into memory and drops malicious files in the system. Emotet acts as a loader and can enable several modules. During our analysis, we saw the following:

  • Worm module via brute-force attack to spread over the network.
  • Dropping malware.
  • Sending spam with compromised emails to spread around the world.
  • Updating main file to bypass antimalware signatures.

These modules are enabled by the control server and allow the attackers to perform malicious actions on infected machines.

The malware contains an icon that can be identified on infected machines. We saw several updates to the icon during the campaign:

Emotet malware icons.

Once the malware is running, it is unpacked several times into memory. This process allows the malware to bypass antimalware detection before runtime. The following screenshot shows the unpacking process.

Unpacking at runtime.

The malware changes its name to avoid detection once it has infected a system. In this case the malware used certtask.exe. Each infected machine could have a different name.

Emotet uses several mechanisms to stay persistent, allowing it to run after each reboot. It also creates a service to run the malicious file. Early variants created scheduled tasks.

Run key.

Emotet employs a control server to communicate with infected machines and send the stolen credentials:

Control server connection.

The malware updates itself by sending a Post request and showing a 404 error from the server to fool analysts.

A Post request.

The control server address changed throughout the campaign.

 

Worm module

We found that Emotet uses a worm module to spread on the network. It brute-force attacks an account to break the password and copy itself on a network share.

A brute-force attack. The malware attempts to connect to specific users.

 

Spam module

Emotet spreads by email from compromised accounts. The attackers can remotely activate the spam module, which dynamically uses the credentials to send email:

 

Spam module.

 

Evasion tricks

The sample arrives packed and runs several processes to unpack its content. By tracking the VirtualAlloc API, we can follow the dump of an unpacked version into memory.

Dumping the unpacked executable into memory.

The dumped executable is a file that runs without an import address table to avoid static analysis. All the functions are resolved dynamically when the sample runs.

Dynamic API resolution.

The sample creates a mutex as an infection marker to detect if the machine is already infected.

Creating a mutex to match the filename emo.bin.

The malware uses a different mutex, generated with the filename during execution, to avoid any possible vaccine. The mutex is always the same if the filename does not change.

The following example shows a different mutex name with a different filename:

Creating a mutex to match the filename emoo2.exe.

To detect any debugging, Emotet employs the undocumented function NtSetInformationProcess:

Emotet creates a suspended process to unpack. If the debugger is detected, the malware terminates the suspended process; otherwise it continues the execution and infects the system.

 

Conclusion

Emotet has evolved to take advantage of several evasions, persistence, and spreading techniques. It also downloads additional malware to harvest banking credentials and take other actions.

The spreading techniques on the local network seem to have come from lessons learned from the WannaCry and (Not)Petya outbreaks to increase the rates of infection. We can expect to see more weaponized lateral movements in the future.

The author thanks @tehsyntx and @_remixed for their help with this analysis.

 

Indicators of Compromise

Persistence

  • C:\Windows\System32\<randomnumber>\
  • C:\Windows\System32\tasks\<randomname>
  • C:\Windows\\<randomname>
  • C:\users\<myusers>\appdata\roaming\<random>
  • %appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • <Randomname>.LNK. file in the startup folder

Registry keys

  • HKLM\System\CurrentControlSet\Services “RandomNumbers”
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “RandomNames” with value c:\users\admin\appdata\roaming\<random>\<legitfile>.exe

IP addresses

  • 81.62.54 Canada
  • 106.1.205 Germany
  • 254.40.5 Germany
  • 23.244.244 Germany
  • 160.15.198 Germany
  • 160.178.17 Germany
  • 188.40.189 Germany
  • 86.91.232 Germany
  • 134.140.21 France
  • 196.73.150 France
  • 121.121.72 France
  • 187.103.156 France
  • 210.206.25 France
  • 79.132.214 United Kingdom
  • 110.224.51 Italy
  • 166.175.18 Netherlands
  • 138.200.249 Netherlands
  • 191.233.221 Poland
  • 150.19.63 Thailand
  • 21.183.63 United States
  • 81.128.131 United States
  • 230.145.224 United States
  • 21.113.151 United States
  • 3.75.246 United States
  • 218.156.113 United States
  • 31.0.39 United States
  • 253.164.249 United States
  • 81.212.79 United States
  • 83.223.34 United States
  • 243.126.142 United States
  • 210.245.164 United States
  • 43.168.206 United States
  • 243.159.58
  • 241.222.53

Hashes

  • 741f04a17426cf07922b5fcc8ea561fb
  • 12c8365a75dd78a4f01abcce80fbabd6
  • 1e8fb9592c540b3d08d6a11625c11f29
  • 9ae00902d729c271587178d1cbc0e22e
  • eb93ca04522bfe16e8c2a96bd43828b4
  • 2c2046617bb3c1d9ad98650bc17100c9
  • 03c66f518dd64e123dd79b68b0eb6a24
  • 6c58a58c0d1d27d35e72579ab7dcdf2e
  • a3227b853fa657cf1a66b4ebed869f5b
  • 56c709681b3c88e22538bcad11c5ebc6
  • a7ae7df15f40aa0698896284cf6b283b
  • 158b0960e5024cd3ded8224bd1674c1f
  • 5f40e4ddf7ecc2b7c1f02f03b5a6f766
  • 1e8fb9592c540b3d08d6a11625c11f29
  • 03c66f518dd64e123dd79b68b0eb6a24
  • a3227b853fa657cf1a66b4ebed869f5b
  • f459a5750fea85db0b21b6fcf6b64687
  • b3745eb2919d1441baf59a1278a1d199

The post Emotet Trojan Acts as Loader, Spreads Automatically appeared first on McAfee Blogs.

Mar 24 2016

Stealthy malware targeting air-gapped PCs leaves no trace of infection

(credit: John Lester)

Researchers have discovered highly stealthy malware that can infect computers not connected to the Internet and leaves no evidence on the computers it compromises.

USB Thief gets its name because it spreads on USB thumb and hard drives and steals huge volumes of data once it has taken hold. Unlike previously discovered USB-born malware, it uses a series of novel techniques to bind itself to its host drive to ensure it can't easily be copied and analyzed. It uses a multi-staged encryption scheme that derives its key from the device ID of the USB drive. A chain of loader files also contains a list of file names that are unique to every instance of the malware. Some of the file names are based on the precise file content and the time the file was created. As a result, the malware won't execute if the files are moved to a drive other than the one chosen by the original developers.

"In addition to the interesting concept of self-protecting multi-stage malware, the (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer," Tomáš Gardoň, a malware analyst with antivirus provider Eset, wrote in a blog post published Wednesday. "After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload."

Read 8 remaining paragraphs | Comments

Dec 14 2015

Pupy – Open-Source Remote Administration Tool AKA RAT

Pupy is an open-source remote administration tool (RAT), that is cross platform and has an embedded Python interpreter, allowing its modules to load Python packages from memory and transparently access remote Python objects. Pupy can communicate using different transports and have a bunch of cool features & modules. On Windows, Pupy uses...

Read the full post at darknet.org.uk