During August and September 2018, GTIC researchers observed an increase and continuous use of Emotet malware used in malicious email campaigns (malspam). Although the reason behind this shift is unknown, GTIC researchers speculate the cost effective availability of Emotet, and its multi-functional capabilities to help disseminate other malware, has caused malicious actors to actively use Mealybug’s malware.


What is Emotet?

If you were unaware, Emotet is malware that can have different uses depending on the goal of the malicious actors. Emotet has been attributed by Symantec to a cyber-crime group named Mealybug, who has been active since 2014. Emotet has the capabilities to commit data theft, spy on network traffic, and act as a downloader for other malware. Since 2017, Emotet has either been used as a banking trojan or used to download and spread other banking Trojans such as Trickbot. Banking trojans are malware specifically used to obtain confidential information about customers and clients using online banking and payment systems in the financial sector.


Emotet is typically disseminated through malspam branded as receipts, shipping and package notification, “past-due” invoices and more. The malspam attachment is usually a Microsoft Word or Excel document embedded with VBA macros, which if executed will download Emotet.


Once installed, Emotet often performs several follow-on activities including:


Key Features:

  • Sandbox evasion
  • Spreading via credential bruteforce and exploiting vulnerabilities
  • Establishing encrypted C2 communication
  • Use of NetPass.exe, WebBrowserPassView and Mail PassView for credential theft
  • Persistence via implementing run keys in the registry and startup folder
  • Leveraging browser infostealer module

Numbers don't lie

As expressed, GTIC researchers encounter Emotet malspam almost daily since August 2018. As noted by a tweet from Windows Defender Security Intelligence, “300k spam emails in 3 hrs.” indicates not only is Emotet observed daily, but can spike dramatically in email volume. According to a blog by Malwarebytes, Emotet has steadily increased since April 2018, peaking at a little over 35,000 detections in a single day. GTIC researchers believe this to be a combination of favoritism by threat actors leveraging Emotet as a downloader from Mealybug because of its vast capabilities. If done efficiently, threat actors have high chances of infecting systems with the final malware, which if a banking trojan, could harvest a significant amount of confidential information.


Latest campaign

The most recent Emotet activity analyzed by GTIC researchers, as of the writing of this blog post, occurred October 4th, 2018. Sent in the typical fashion of an invoice themed email, a Word document was attached containing eleven VBA macros which compile the following PowerShell command.


Figure 1: This image shows the PowerShell command compiled by the VBA macros in the email attachment.


As shown, attempts to install a packed Emotet from several domains is attempted. According to passive DNS results, each of these domains was registered under their respective IP on the same day of the campaign, which is common for malspam campaigns.


Once installed, Emotet unpacks itself and is renamed as ‘searchatsd.exe’. Self-execution occurs in which the following actions take place in the following order.


  • Persistence – Create run key ‘searchatsd’
  • Connects to C2 at 197.87.130[.]229:8080
  • Connects to FTP server at 98.191.228[.]168:990 
  • Check public IP address at 107.182/34[.]241:50000/whoami.php

 

Figure 2. C2 traffic after Emotet installation

As detailed above, Emotet contains several sandbox evasion capabilities. Below is a list of these found during analysis.


  • Checks for kernel debuggers
  • Contains functionality to enumerate running services            
  • Contains long sleeps (>= 3 min)           
  • Enumerates the file system     
  • Found large amount of non-executed APIs     
  • May sleep (evasive loops) to hinder dynamic analysis

How to mitigate malspam

Malware delivered via email, especially Emotet, is hard to mitigate when simply relying on the security awareness and safe-practices of employees. End-point and Anti-Virus (AV) are typically good at detecting most commodity malware, therefore ensuring signatures are up-to-date is important. A defense-in-depth approach is always recommended by NTT Security as it helps establish multiple layers of security using best practicesAn effective and tested incident response plan is crucial to mitigating impact of a cyber intrusion if one were to occur. Lastly, eing proactive with patches management is a must.


Snort signatures


2018959

2016538

2014520

10002851


Technical indicators


Email attachment hashes

c71411a18062bfbcbd41f06a22be2bbc (MD5)

9d043f8fb7f2de841bb51889b53e6a2e21d14c94 (SHA1)

923e42850767d5cc97ce4f0c620eff2489694f2939812060f6db458b39ad822e (SHA256)

 

Emotet hashes


ea4e0e51424ff37925af5cd264594dec (MD5)

9ac2052fa8367547f1bb34e8a9b491273a141e21 (SHA1)

e3b41c0d0834c0d5b121012fe9219529afaed899420d99bd3dba11f2c0a8810b (SHA256)

 

C2 IPs

197.87.130[.]229:8080

98.191.228[.]168:990


Other IPs 


216.137.249[.]154

106.243.65[.]250:443


Domains

bantulproperty[.]com

ars[.]party

ballparkbroadcasting[.]com

dni-p[.]ru

cl-travel[.]ru


Emotet download URLs


hxxp://bantulproperty[.]com/uXf

hxxp://ars[.]party/QXVb

hxxp://ballparkbroadcasting[.]com/XQ16Oniy

hxxp://dni-p[.]ru/C

hxxp://cl-travel[.]ru/fn

 

References:

https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor

https://blog.malwarebytes.com/cybercrime/2018/09/emotet-rise-heavy-spam-campaign/

https://twitter.com/WDSecurity/status/1042198523867885568