Emotet - Forever

Emotet, as stated by many threat research groups, is a Banking Trojan that has been evolving ever since its entry into the threat landscape. Although Emotet is said to have been active since 2013, it was first detected in 2014, and it has continued to evolve until now (August 2020). The first traces of the malware were a surreptitious MitB (Man-in-the-Browser) attack in which the Trojan collected and stole credentials stored in a browser. The second traces were more common: the malware infected users' machines by way of a macro virus delivered through a malicious attachment. The initial targets were banking organizations, with the aim of stealing credentials from infected hosts, hence the name "Banking Trojan".

The so-called "Banking Trojan" has gone through many iterations, in which macro attachments gave way to malicious links in emails. Each iteration also added features to evade antivirus and gain persistence. One notable change is that the malware became a loader. Loader malware is usually the first phase of exploitation: it gains access to multiple systems and then fetches a second loader or payload to execute. The second payload can be one of Emotet's own modules, or the botnet can be sold to another threat group to deploy its own malware. This led to Infrastructure as a Service (IaaS) and Malware as a Service (MaaS) in the threat world.

Over time, Emotet kept evolving, as did its targets, which now include individuals, companies and government organizations across the world. Its latest source of infection is malspam campaigns: gaining access to a user's account, scraping their contacts, and sending those contacts malspam emails with attachments and URLs. If an infected victim is connected to a network, the malware performs activities to extend its reach, moving laterally and spreading across systems on that network.

The infection chain of a sample campaign is shown below.

[Figure: Emotet infection chain of a sample campaign]

Source: US-CERT

Step 1: (Initial Access and Execution)

The infection sources are first identified, and a number of spam emails are sent with a malicious attachment claiming to be from a known source or to be a copy of a delivery invoice.

The victim, on receiving the document, trusts the source and enables macros to view the attachment.

This downloads the Emotet malware onto the victim's machine.

Step 2: (Persistence and Defense Evasion)

The malware creates and modifies registry entries on the victim's machine so that it persists even when the machine reboots.

It also hooks into running processes to evade detection by standard antivirus solutions.

Step 3: (Discovery)

Once the malware has gained access to a system, it sends system-related information to the Command and Control (C2) server and then receives an instruction set from the C2, which is owned by the attacker.

Step 4: (Lateral Movement and Collection)

Now that the attacker has gained access and persistence on a machine, he tries to enumerate the network to identify possible new victims. This enables lateral movement of the malware, which is usually performed over SMB.

Step 5: (Exfiltration and C2)

Emotet has the following capabilities:

  • It can deploy its own modules, such as:
      • NetPass.exe – recovers all passwords stored under the current user login, including for files stored on a connected external hard drive.
      • Outlook scraper – retrieves all email addresses and names from the victim's Outlook in order to phish other users.
      • WebBrowserPassView – captures passwords stored in browsers on the victim's machine.
      • Mail PassView – retrieves passwords from mail clients including Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail and Gmail, and passes them to the credential enumerator module.
      • Credential enumerator – enumerates network resources to find writable share drives using Server Message Block (SMB) and tries to brute-force accounts, including admin accounts on the network, for possible access. If successful, Emotet gains access to the entire network.
  • Emotet can also sell its botnet to a different threat group to deploy their final payload, which can include wiper malware or ransomware.
  • The Emotet group can also rent its infrastructure to a different threat group as an IaaS (Infrastructure as a Service) or MaaS (Malware as a Service) module.
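As an added example (not from the original post or from US-CERT), the following Python sketches how a defender might spot the credential enumerator's SMB brute-force pattern in Windows logon telemetry: many failed network logons (event 4625, logon type 3) from one source against distinct accounts inside a short window, optionally followed by a success (4624) on one of those accounts. The one-line log format, hosts, accounts and timestamps are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real telemetry), modelled on Windows Security
# events 4625 (failed logon) and 4624 (successful logon) flattened to one line
# each. Hosts, account names and times are hypothetical.
SAMPLE_EVENTS = [
    "4625 ts=2020-08-10T09:00:01 src=10.0.0.25 acct=jsmith logon_type=3",
    "4625 ts=2020-08-10T09:00:02 src=10.0.0.25 acct=mjones logon_type=3",
    "4625 ts=2020-08-10T09:00:03 src=10.0.0.25 acct=akumar logon_type=3",
    "4625 ts=2020-08-10T09:00:04 src=10.0.0.25 acct=bchen logon_type=3",
    "4625 ts=2020-08-10T09:00:05 src=10.0.0.25 acct=admin logon_type=3",
    "4624 ts=2020-08-10T09:00:06 src=10.0.0.25 acct=admin logon_type=3",
    "4625 ts=2020-08-10T09:30:00 src=10.0.0.40 acct=kwhite logon_type=3",
    "4625 ts=2020-08-10T09:31:00 src=10.0.0.40 acct=kwhite logon_type=3",
]

LINE_RE = re.compile(
    r"^(?P<eid>\d{4}) ts=(?P<ts>\S+) src=(?P<src>\S+) acct=(?P<acct>\S+) logon_type=(?P<lt>\d+)"
)

def parse(lines):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def find_smb_bruteforce(lines, min_accounts=4, window_minutes=5):
    """Return {src: {"accounts": [...], "compromised": [...]}} for every source whose
    network logons (type 3, the path SMB share access takes) failed against at least
    min_accounts distinct accounts within window_minutes; "compromised" lists accounts
    that later logged on successfully from the same source."""
    failures = defaultdict(dict)   # src -> {acct: time of first failure}
    successes = defaultdict(set)   # src -> accounts with a 4624 after a failure
    for ev in parse(lines):
        if ev["lt"] != "3":
            continue
        if ev["eid"] == "4625":
            failures[ev["src"]].setdefault(ev["acct"], ev["ts"])
        elif ev["eid"] == "4624" and ev["acct"] in failures.get(ev["src"], {}):
            successes[ev["src"]].add(ev["acct"])
    alerts = {}
    for src, accts in failures.items():
        times = sorted(accts.values())
        # Sliding window over first-failure times: min_accounts distinct accounts inside the window?
        for i in range(len(times) - min_accounts + 1):
            span_min = (times[i + min_accounts - 1] - times[i]).total_seconds() / 60
            if span_min <= window_minutes:
                alerts[src] = {"accounts": sorted(accts), "compromised": sorted(successes[src])}
                break
    return alerts
```

A single user mistyping one password repeatedly (10.0.0.40 above) does not trip the rule, because it counts distinct accounts rather than raw failures.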

While Emotet has been ever evolving, identifying a possible intrusion has become a tedious task for defenders, as Emotet goes through iterations, changing its tactics, infrastructure, modules and loaders and evading detection. It will always be one to keep on your watch-list.

While I haven't iterated much of the technical details in this write-up, my next one will have information for technical groups, including the tactics and indicators used by Emotet.
