Tue, Oct 1, 2019

Malware Analysis - Emotet Resurgence and Evolution

In recent months, Kroll’s Cyber Risk practice has observed a resurgence of cyberattacks involving the Emotet malware. Emotet is a variant of the banking Trojan family, with polymorphic characteristics, able to evade traditional antivirus (AV) products and signature-based detection.

Kroll’s observations are supported by open- and closed-source reporting that has noted a significant expansion in Emotet’s functionality. As polymorphic malware, Emotet connects to a command-and-control (C2) server once it has successfully infected its victim, both to retrieve instructions for subsequent malicious activities and to exfiltrate stolen data. According to a September 2019 FBI Flash Alert, Emotet has recently been observed trying to connect to 214 C2 IP addresses as opposed to the approximately 10 IP addresses it previously employed. Additionally, it has stopped communicating with those 10 known IP addresses. The alert states that these developments indicate “cyber actors made modifications or updates to Emotet malware or infrastructure.”

Emotet is a multi-threat malware that, in addition to targeting banking credentials, predominantly serves as a highly efficient gateway for secondary and tertiary malware to enter a victim’s environment. Malware for which Emotet typically acts as the stage 1 downloader and delivery path includes TrickBot, QakBot, the PowerShell Empire framework and ransomware. As such, Emotet is wreaking significant financial, operational and reputational harm on organizations across all industry sectors.

Attack Vector

Emotet is most often delivered via email with an infected Word document or PDF attachment, or a malicious link to a document or file hosted elsewhere. Kroll has observed actors hosting documents in legitimate SharePoint or OneDrive sites of other compromised victims to increase the believability that the file is authentic.

Targeted Data

Kroll is aware of the following data-scraping capabilities by Emotet:

  • Active Directory (Windows Logon) username and password credentials
  • Credentials entered by users on banking websites
  • Contents of locally stored emails

The email focus is critical, as actors have been highly successful in spreading Emotet by spoofing previously infected victims. The combination of valid email addresses and recent conversation threads makes it easier for socially engineered messages to get through email filters.

Startup and Persistence¹
  • Emotet persists through the Windows Registry or scheduled tasks and has been known to inject into the "explorer.exe" process.
  • Emotet artifacts are typically found in arbitrary paths located off the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence across system reboots and attempted cleaning is typically maintained through Scheduled Tasks or via registry keys.*
  • Typically, infected documents are not flagged by traditional AV because their opening simply triggers a download of an innocuous-looking file from a website or IP address on the open internet. These domains and IPs are generally freshly registered, and shift often to avoid traditional detection and blocking at scale.
  • Kroll has observed clients with Emotet infections going back six months; when the infection was finally cleaned and remediated, the actor(s) began malspamming both their users and business clients with the previously stolen legitimate email threads. The entire cycle begins to repeat itself with varying degrees of success depending on the security improvements implemented by the client.
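The persistence traits above (autostart entries pointing into AppData\Local or AppData\Roaming, file names that mimic known executables) translate directly into a triage check. The following is an added example, not Kroll's tooling: it scans a constructed list of autostart records in the shape an analyst gets from exporting Run keys and scheduled-task actions, and flags the ones matching those traits. The binary names, allowlisted paths and sample entries are assumptions made for the example; a real baseline would come from your own environment.

```python
"""Triage autostart entries for Emotet-style persistence.

Added example, not Kroll's tooling. It works on a constructed list of
autostart records in the shape an analyst gets from exporting Run keys
and scheduled-task actions (for instance an Autoruns export); it performs
no live registry or task-scheduler access.
"""
import ntpath
import re
from dataclasses import dataclass

# Drop locations the article names as typical for Emotet artifacts.
SUSPECT_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\")

# Hypothetical baseline of well-known binary names a dropper may mimic.
# Genuine copies live under C:\Windows\System32 or Program Files, not AppData.
KNOWN_EXE_NAMES = {
    "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
    "winword.exe", "outlook.exe", "chrome.exe",
}

# Hypothetical allowlist of legitimate per-user installs that do live under
# AppData; build this from your own software baseline in practice.
KNOWN_GOOD_PREFIXES = (
    "\\appdata\\local\\microsoft\\onedrive\\",
    "\\appdata\\local\\microsoft\\teams\\",
)


@dataclass
class AutostartEntry:
    source: str   # e.g. a Run key path or "Scheduled Task"
    name: str     # registry value name or task name
    command: str  # full command line as stored


def image_path(command: str) -> str:
    """Return the executable path from a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(maxsplit=1)[0] if command else ""


def looks_random(stem: str) -> bool:
    """Crude heuristic: five or more letters with no vowel (e.g. 'qlpwzvb')."""
    return bool(re.fullmatch(r"[a-z]{5,}", stem)) and not re.search(r"[aeiouy]", stem)


def triage(entries):
    """Return one finding per autostart entry whose image lives under AppData."""
    findings = []
    for entry in entries:
        path = image_path(entry.command)
        low = path.lower().replace("/", "\\")
        if not any(d in low for d in SUSPECT_DIRS):
            continue
        if any(p in low for p in KNOWN_GOOD_PREFIXES):
            continue  # known per-user install; review only if the baseline changes
        base = ntpath.basename(low)
        stem = base[:-4] if base.endswith(".exe") else base
        reasons = ["autostart image lives under AppData"]
        if base in KNOWN_EXE_NAMES:
            reasons.append(f"name mimics well-known binary {base}")
        if looks_random(stem):
            reasons.append("random-looking file name")
        findings.append({"source": entry.source, "name": entry.name,
                         "path": path, "reasons": reasons})
    return findings


# Constructed sample in the shape of an autostart export; paths and names
# are invented for the example.
SAMPLE_ENTRIES = [
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutostartEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                   r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
                   r"C:\Users\alice\AppData\Local\svchost\svchost.exe"),
    AutostartEntry("Scheduled Task", r"\qlpwzvb",
                   r'"C:\Users\alice\AppData\Roaming\qlpwzvb\qlpwzvb.exe"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"[{f['source']}] {f['name']} -> {f['path']}: {'; '.join(f['reasons'])}")
```

Run as-is it reports the fake svchost.exe and the randomly named task, and stays quiet about the allowlisted OneDrive entry and the System32 binary. Treat the output as a review queue rather than a kill list: plenty of legitimate per-user software installs under AppData, which is why the allowlist exists and why a hit should be confirmed (signature, hash, parent process) before cleanup.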

Functionality
  • Emotet collects sensitive information, including system name, location and operating system version, and connects to a remote C2 server.*
  • Once Emotet establishes a connection with the C2 server, it reports a successful new infection, receives configuration data, downloads and runs additional payloads, receives instructions, and exfiltrates acquired/stolen data to the C2 server.*
  • Emotet creates randomly named files in the system root directories that are run as Windows services.* When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares, stolen Windows credentials, Server Message Block (SMB) shares and system vulnerabilities left exploitable by the organization's patch levels.
  • Emotet aims to saturate victim networks, giving attackers unauthorized remote access with which to steal additional information. Some infected victims become part of a larger botnet, some are used for malspam campaigns, and others are used to stage and push ransomware as a final attack against the corporate infrastructure.
  • Kroll has also observed actor groups moving to deploy ransomware after network saturation to
    • cover their tracks and
    • further monetize their intrusion through ransomware payments after having stolen stored web browser credentials and email threads from hundreds of internal users.
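The propagation behaviour described in this section (one set of stolen credentials used over SMB and administrative shares against many adjacent systems in a short time) leaves a recognisable pattern in Windows logon auditing. The following is an added example, not Kroll's detection content: it parses constructed, flattened Security event 4624 records and flags an account-and-source-IP pair that reaches an unusual number of distinct hosts by network logon inside a sliding window. The line format, hostnames, accounts, addresses and thresholds are assumptions for the example.

```python
"""Spot credential-driven fan-out across hosts from forwarded 4624 events.

Added example, not Kroll's detection content. It assumes Windows Security
event 4624 (successful logon) records from many hosts are forwarded to one
place and flattened to one key=value line each; the log lines below are
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flattened line shape: "<iso time> host=<where logged> id=<event id>
# type=<logon type> user=<account> src=<source address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) id=(?P<id>\d+) type=(?P<type>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse flattened event lines; lines not in the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m["ts"]),
            "host": m["host"],            # host where the logon occurred
            "event_id": int(m["id"]),
            "logon_type": int(m["type"]),
            "account": m["user"],
            "source_ip": m["src"],        # host the logon came from
        })
    return events


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Flag (account, source IP) pairs that reach >= min_hosts distinct hosts
    by network logon (type 3, which covers SMB and admin-share access)
    inside a sliding time window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 3:
            continue
        by_key[(ev["account"], ev["source_ip"])].append((ev["time"], ev["host"]))

    alerts = []
    for (account, src), items in by_key.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "source_ip": src,
                               "first_seen": t0, "distinct_hosts": len(hosts)})
                break  # one alert per pair is enough
    return alerts


# Constructed sample: one account sweeps six hosts in about three minutes,
# a backup service account touches three hosts over an hour, and one
# interactive (type 2) logon is present to show it is ignored.
SAMPLE_LOG = """\
2019-09-30T09:00:05 host=WS-01 id=4624 type=3 user=CORP\\jdoe src=10.0.5.23
2019-09-30T09:00:41 host=WS-02 id=4624 type=3 user=CORP\\jdoe src=10.0.5.23
2019-09-30T09:01:13 host=WS-03 id=4624 type=3 user=CORP\\jdoe src=10.0.5.23
2019-09-30T09:01:58 host=WS-04 id=4624 type=3 user=CORP\\jdoe src=10.0.5.23
2019-09-30T09:02:30 host=FS-01 id=4624 type=3 user=CORP\\jdoe src=10.0.5.23
2019-09-30T09:03:07 host=WS-05 id=4624 type=3 user=CORP\\jdoe src=10.0.5.23
2019-09-30T08:10:00 host=FS-01 id=4624 type=3 user=CORP\\backup-svc src=10.0.1.9
2019-09-30T08:40:00 host=FS-02 id=4624 type=3 user=CORP\\backup-svc src=10.0.1.9
2019-09-30T09:20:00 host=DB-01 id=4624 type=3 user=CORP\\backup-svc src=10.0.1.9
2019-09-30T09:05:00 host=WS-09 id=4624 type=2 user=CORP\\asmith src=-
"""

if __name__ == "__main__":
    for a in detect_fan_out(parse_events(SAMPLE_LOG)):
        print(f"{a['account']} from {a['source_ip']} reached "
              f"{a['distinct_hosts']} hosts starting {a['first_seen']}")
```

The window and host threshold are the knobs to tune: scanners, backup and management accounts legitimately fan out, so in practice they are excluded by account name or source address, and a hit is correlated with the persistence artifacts above on the source host before anyone declares an incident.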

Preemptive Recommendations
  • Deploy a diversified defense that blends employee education and awareness training with next-generation endpoint threat monitoring and response capabilities.
  • Prioritize staff training and cyber security awareness initiatives on risks of business email compromise, including phishing, spear phishing, whaling, clicking on links in emails, and other forms of social engineering.
  • Supplement annual cyber security training with tabletop exercises that involve IT security teams, corporate staff, internal and external legal counsel, and a third-party incident response firm.
  • Because the malware relies heavily on social engineering to propagate, consider making social engineering exercises part of technical penetration testing programs to gauge training effectiveness.
  • Ensure antivirus solutions are current and complement them with sophisticated endpoint detection and response capabilities like Kroll’s CyberDetectER® Endpoint.


¹ Characteristics presented in this analysis regarding Startup & Persistence and Functionality marked with an asterisk (*) are directly sourced from the Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Awareness System Alert TA18-201A - Emotet Malware
