
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin


RootedCON https://www.rootedcon.com
Marzo/March 5-7 2020 Madrid (Spain)


  1. VICTOR ACIN, March 2020: EMOTET IS DEAD, LONG LIVE EMOTET
  2. TABLE OF CONTENT (EMOTET_ROOTEDCON 2020)
     1. Myself
     2. Emotet
        1. The malware
        2. The infrastructure
        3. Kill chain
        4. Spam analysis
     3. Acting as a loader
     4. Conclusions
  3. 1. MYSELF: Victor Acin, Threat Analyst at Blueliv
     • Background in ethical hacking
     • Currently RE Team Lead
  4. EMOTET – THE MALWARE
  5. 2. EMOTET: Appeared ~2012-2013, Feodo family. Wasn't considered a significant threat until later. Notable for:
     • Using a configuration file with targeted banks
     • Injecting DLLs into processes for monitoring
     • Being distributed via spam messages
  6. 2.1 THE MALWARE: Since its origins, Emotet has come a long way:
     • Switched from banking Trojan to spammer/loader
     • Developed into a modular Trojan
     One of the most prolific malware families of all time; the US Government estimates up to $1 million in remediation costs per incident.
  7. Notable features:
     • Multiple modules available
     • Use of Heaven's Gate
     • Multiple persistence mechanisms
     • Encrypted communications
     • protobuf
     • VM detection
     • Hash-based import resolution
  8. Modules:
     • NirSoft tools, harvesting module
       • Steals information from browsers and email clients
       • Extracts information to be reused in spam campaigns
     • Spam module
     • Port forwarding
     • Network spreading module
       • Includes WiFi, network resources
  11. Hash-based import resolution:
     • Good for stealthiness
     • Peculiar algorithm choice
       • sdbm: non-cryptographic hash
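The slide above only names the hash. As an added example (not from the talk or from Blueliv's tooling), here is the analyst-side counterpart: precompute sdbm over a list of export names so that a hash found in the binary can be resolved back to `dll!Name`. The export list is a constructed sample and the plain sdbm variant is assumed; a per-sample tweak, if a given build used one, would have to be added to `sdbm()`.

```python
# Added example: analyst-side lookup table for sdbm-based import resolution.
# The export names are a constructed sample; a real table would be generated
# from the export tables of the DLLs the sample loads. Plain sdbm is assumed.
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF


def sdbm(name: str) -> int:
    """32-bit sdbm: h = c + (h << 6) + (h << 16) - h, truncated to 32 bits."""
    h = 0
    for c in name.encode("ascii"):
        h = (c + (h << 6) + (h << 16) - h) & MASK32
    return h


# Constructed list of export names an analyst would hash ahead of time.
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessW"],
    "advapi32.dll": ["CreateServiceW", "RegSetValueExW"],
    "ntdll.dll": ["NtWriteVirtualMemory"],
}


def build_hash_table(exports: Dict[str, List[str]]) -> Dict[int, Tuple[str, str]]:
    """Map sdbm(name) -> (dll, name) so hashes seen in a binary can be resolved."""
    table: Dict[int, Tuple[str, str]] = {}
    for dll, names in exports.items():
        for name in names:
            h = sdbm(name)
            if h in table and table[h][1] != name:
                # sdbm is not cryptographic: collisions are possible, so flag
                # them instead of silently overwriting an entry.
                raise ValueError(f"sdbm collision: {table[h]} vs {dll}!{name}")
            table[h] = (dll, name)
    return table


HASH_TABLE = build_hash_table(SAMPLE_EXPORTS)


def resolve(api_hash: int) -> str:
    """Return 'dll!Name' for a hash from the sample, or '<unknown>' if not tabled."""
    entry = HASH_TABLE.get(api_hash & MASK32)
    return f"{entry[0]}!{entry[1]}" if entry else "<unknown>"
```

In practice the table is generated once from every DLL export on a reference system and then used to annotate the hash constants in the disassembly.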
  13. Persistence mechanisms:
     • Create a new service
     • Registry RUN key as fallback
  14-15. Use of Heaven's Gate technique:
     • Used to perform x64 syscalls from a 32-bit process
     • Used to inject into an x64 process from x32
     • Needed by Emotet for email harvesting
     • Disrupts analysis: most debuggers don't have support
  16. EMOTET – KILL CHAIN
  17. 2.2 KILL CHAIN: Everything starts with an email and an attachment... (or sometimes a link)
  18. Typically the document contains a VBA macro which spawns PowerShell to execute the payload.
  20. Some of the macros will instead use wscript to execute a JavaScript payload, with a similar purpose.
     • Some organizations have disabled PowerShell execution
  21. The payload will contact a (typically) compromised server and download the actual Emotet binary.
  23. The binary contains a list of hardcoded IPs and the encryption keys needed to communicate with the C2.
     1. After being executed, it will call home:
        1. If not running the most recent Emotet version, the server will provide an updated sample
        2. If running the most recent version, it will return the modules
  24. The modules are executed using different techniques depending on the module… …but we will not get into that in this talk. Depending on the campaign, Emotet will then deploy the next payload: Trickbot, Dridex, Pandabanker, etc.
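The macro-to-PowerShell (or wscript) chain in slides 18 to 21 is something a defender can look for in process-creation telemetry. The following is an added example, not from the talk, that flags Office processes spawning a script host and raises the severity when the command line carries download or encoded-command markers. The key="value" log format, its field names and the sample lines are constructed for the example and do not match any real EDR schema.

```python
# Added example: detecting the maldoc -> script host -> download stage in
# process-creation telemetry. Log format and sample lines are constructed.
import re
from typing import Dict, List

# Office applications that spawn a script host when a malicious macro runs.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Next-stage hosts: PowerShell, or wscript/cscript for the JavaScript variant.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Command-line markers typical of a download-and-execute or encoded stage.
DOWNLOAD_MARKERS = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|net\.webclient|"
    r"msxml2\.xmlhttp|-e(nc(odedcommand)?)?\b)", re.I)
# Simplified key="value" telemetry format (an assumption, not a real schema).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key="value" telemetry line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> str:
    """Severity of one process-creation event: 'high', 'medium' or 'none'."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        if DOWNLOAD_MARKERS.search(event.get("CommandLine", "")):
            return "high"    # Office -> script host with download/encoded payload
        return "medium"      # Office spawning a script host is suspicious alone
    return "none"


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the matching events, each annotated with its severity."""
    events = [parse_line(line) for line in lines]
    return [{**ev, "severity": classify(ev)} for ev in events if classify(ev) != "none"]


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    'ParentImage="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -w hidden -enc SQBFAFgA..."',
    'ParentImage="C:\\Program Files\\Microsoft Office\\EXCEL.EXE" '
    'Image="C:\\Windows\\System32\\wscript.exe" '
    'CommandLine="wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.js"',
    'ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd /c dir"',
]
```

The same parent/child pairing is what the wscript variant on slide 20 is meant to evade at the PowerShell level, which is why the rule keys on the Office parent rather than on PowerShell alone.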
  25. EMOTET – THE INFRASTRUCTURE
  26. 2.3 THE INFRASTRUCTURE: Emotet infrastructure has mainly three components:
     • Compromised servers
       • Drop the first stage
     • Regular C2 servers
     • Module-specific C2 servers
  27. Encrypted communications (C2 servers):
     • EMOTET DATA PACKET (REQUEST): BASE64(PAYLOAD) made of RSA_ENCRYPT(AES KEY), AES_ENCRYPT(MESSAGE), SHA1(MESSAGE), PROTOBUF_ENCODE(ACTUAL DATA)
     • EMOTET DATA PACKET (RESPONSE): RSA_SIGNATURE(MESSAGE), AES_ENCRYPT(MESSAGE), SHA1(MESSAGE), PROTOBUF_ENCODE(ACTUAL DATA)
  28. Protobuf:
     • Protocol Buffers by Google
     • Data serializer
     Emotet uses a modified version. If you want to play around with this: https://d00rt.github.io/emotet_network_protocol/
  29. The request itself has changed a lot over time:
     • Changes in response code
     • Changes in request type: POST -> GET
     • Different path generation
       • Based on serial number of infected bot
       • Based on keyword list
     • Data embedded in POST data, cookie...
  32. The infrastructure is also constantly changing:
     • Compromised servers
     • RSA keys used
     • C2 available
     And apparently, subdivided into different infrastructures.
  33. TRENDMICRO identified two different infrastructures in Nov 2018:
     • Different RSA keys
     • Different C2 combinations
     • Grouped by compilation time (EPOCH)
     https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
  34. Even before then, the research group Cryptolaemus was already sharing Emotet IOCs:
     • Different infrastructures
     • Divided by Epoch
     • At least a month before the blog post
  35. With time, identifying the Epochs has become more difficult:
     • Three infrastructures instead of two
     • Identified based on:
       • C2 relationship
       • RSA key (unique per Epoch)
       • Document dropper creation time
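Slides 33 to 35 describe identifying epochs by the RSA key embedded in each sample and by the C2 relationships between samples. As an added example (not from the talk, nor Cryptolaemus's or Blueliv's tooling), this groups constructed extracted configurations by RSA key and lists the C2s that appear under more than one key, which are exactly the nodes that key-based grouping alone cannot place. Sample ids, key fingerprints and addresses are placeholders.

```python
# Added example: epoch grouping of extracted Emotet configs by RSA key, plus
# the C2s that straddle epochs. All ids, fingerprints and addresses are
# constructed placeholders (documentation IP ranges), not real indicators.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed extracted configs: (sample id, RSA key fingerprint, C2 list).
CONFIGS: List[Tuple[str, str, List[str]]] = [
    ("sample-01", "rsa-key-A", ["192.0.2.10:8080", "192.0.2.11:443", "198.51.100.5:80"]),
    ("sample-02", "rsa-key-A", ["192.0.2.10:8080", "198.51.100.5:80", "198.51.100.9:8080"]),
    ("sample-03", "rsa-key-B", ["203.0.113.4:443", "203.0.113.7:8080"]),
    ("sample-04", "rsa-key-B", ["203.0.113.4:443", "198.51.100.5:80"]),  # one C2 shared with key A
    ("sample-05", "rsa-key-C", ["203.0.113.20:7080"]),
]


def group_by_rsa_key(configs) -> Dict[str, Set[str]]:
    """Epoch candidate = union of C2s from all samples carrying the same RSA key."""
    epochs: Dict[str, Set[str]] = defaultdict(set)
    for _sample, key, c2s in configs:
        epochs[key].update(c2s)
    return dict(epochs)


def c2_keys(configs) -> Dict[str, Set[str]]:
    """Map each C2 to the RSA keys it was seen with (the node colouring on slide 39)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _sample, key, c2s in configs:
        for c2 in c2s:
            seen[c2].add(key)
    return dict(seen)


def ambiguous_c2s(configs) -> List[str]:
    """C2s reachable under more than one RSA key; these need the C2-relationship
    or dropper-timestamp signals from slide 35 before they can be assigned."""
    return sorted(c2 for c2, keys in c2_keys(configs).items() if len(keys) > 1)


def epoch_summary(configs) -> Dict[str, Tuple[int, int]]:
    """Per RSA key: (number of samples, number of distinct C2s)."""
    samples: Dict[str, int] = defaultdict(int)
    for _sample, key, _c2s in configs:
        samples[key] += 1
    c2s = group_by_rsa_key(configs)
    return {key: (samples[key], len(c2s[key])) for key in c2s}
```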
  36. Let's try to draw something as well!
  39. (Graph of C2 nodes coloured by RSA key; legend: >=8 RSA nodes, 2 RSA nodes, 1 RSA node is white)
  42. First rule of TI:
     • No one has visibility over absolutely everything
     • We're missing data too
     Tracking Emotet is not that easy:
     • Many factors to take into account
     • Server responses may vary by country and time of day
     • Protocol changes affect emulator effectiveness
  43. EMOTET – SPAM
  44. 2.4 SPAM: The success of Emotet is driven by:
     • Quality of the spam sent
     • Sheer volume of spam the botnet is capable of producing
  45. Spam quality:
     • Even when using "generic" spam messages, these are tailored for the targeted countries
  48. Spam quality:
     • Replying to existing emails
  50. Volume:
     • Distributed samples
     • Emails sent
  52. Spam by topic (based on subject):
     Topic       Subject
     Name        Name of the victim
     No subject  No subject
     Response    Reply-related subject
     Finance     Invoices, budgeting
     Info        Information-related subject
     Spam        Literal spam subject
     Work        Job offers, workplace
  53. Spam by language (top 9):
     Language    Emails
     English     772435
     Italian     298895
     German      281624
     Spanish     214543
     Korean       86879
     Portuguese   66133
     Japanese     63563
     Romanian     39538
     Catalan      38289
  54. Spam by recipient domain (top 9):
     Domain            Count
     gmail.com         124442
     hotmail.com        72160
     libero.it          54088
     NPS.K12.NJ.US      48091
     liconsa.gob.mx     46686
     dyauto.kr          37668
     yahoo.com          35803
     emirates.net.ae    17076
     comcast.net        16878
  56. Spam by recipient domain (continued):
     Domain                    #Email
     marriottluxurybrands.com   16691
     powerlinksworld.com        16389
     yahoo.es                   15492
     daimler.com                12320
     indeedemail.com            12168
     arsial.it                  12051
     amarasanctuary.com         11559
  57. The Emotet gang has also taken advantage of other events or public figures, such as:
     • Climate-change related emails mentioning Greta Thunberg
     • Coronavirus
     Image source: Proofpoint
  58. Renting/side-gig with sextortion emails:
     • Claiming to have videos of someone "satisfying" themselves
     • Threatening to send them to all contacts
     • Get infected with Emotet anyway...
  59. ACTING AS A LOADER
  61. 3. ACTING AS A LOADER: Emotet's main objective is to act as a loader. It has been seen distributing many different types of malware, but some of the most relevant today are:
     • Dridex
     • Trickbot
     • Pandabanker
  62. Many of these also combine themselves with ransomware, creating a devastating combination for many companies.
     • Triple threat: Emotet + Trickbot + Ryuk
     Image credit: Cybereason
  63. There have been some reported incidents:
     • Berlin High Court (Kammergericht)
     • Frankfurt (preemptive shutdown)
     • Prosegur
     • Cadena Ser
     But many happen under the radar.
  64. New trends in ransomware:
     • Maze
     • Doppelpaymer
     • Nemty
  65. CONCLUSIONS
  66. 5. CONCLUSIONS: Emotet will keep growing its assets:
     • Ramping up distribution
     • Better spam campaigns
     New trends in ransomware:
     • More groups will join the leak-threat trend
  67. Next steps:
     • Contacting Cryptolaemus about the data discrepancy
     • Keep investigating the Emotet gang
     Educate users on this threat:
     • Spam techniques used
     • Infection vectors
     Learn about their TTPs.
  68. https://community.blueliv.com
