Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin

VICTOR ACIN
March 2020
EMOTET IS DEAD,
LONG LIVE EMOTET

1. Myself
2. Emotet
1. The malware
2. The infrastructure
3. Kill chain
4. Spam analysis
3. Acting as a Loader
4. Conclusions
TABLE OF CONTENT
EMOTET_ROOTEDCON 2020
2

Victor Acin
Threat Analyst at Blueliv
• Background in ethical hacking
• Currently RE Team Lead
1. MYSELF
3

5
Appeared ~2012-2013
Feodo family
Wasn’t considered a significant
threat until later
Notable for:
• Using configuration file with
targeted banks
• Injecting DLLs into processes
for monitoring
• Distributed via spam
messages
2. EMOTET

Since its origins, Emotet has come a long way:
• Switch from Banking Trojan to spammer/loader
• Developed into modular Trojan
One of the most prolific malwares of all time
US Government estimates up to $1 million in remediation costs
per incident
2.1 THE MALWARE
6

7
2.1 THE MALWARE
Notable features:
• Multiple modules available
• Use of Heaven's Gate
• Multiple persistence
mechanisms
• Encrypted communications
• protobuf
• VM detection
• Hash-
based import resolution

Modules:
• NirSoft tools, harvesting module
• Steal information from browsers, email clients
• Extract information to be reused in spam campaigns
• Spam module
• Port forwarding
• Network spreading module
• Includes WIFI, network resources
2.1 THE MALWARE
8

2.1 THE MALWARE
9

Modules:
• NirSoft tools, harvesting module
• Steal information from browsers, email clients
• Extract information to be reused in spam campaigns
• Spam module
• Port forwarding
• Network spreading module
• Includes WIFI, network resources
2.1 THE MALWARE
10

Hash-based import resolution
• Good for stealthiness
• Peculiar algorithm choice
• sdbm: Non cryptographic hash
2.1 THE MALWARE
11

Hash-based import resolution
• Good for stealthiness
• Peculiar algorithm choice
• sdbm: Non cryptographic hash
2.1 THE MALWARE
12

Persistence mechanisms
• Create a new service
• Registry RUN key as fallback
2.1 THE MALWARE
13

14
2.1 THE MALWARE
Use of Heaven's Gate
technique
• Used perform x64
syscalls process from x32
• Needed by Emotet for
email harvesting
• Disrupts analysis
• Most debuggers don't
have support

15
2.1 THE MALWARE
Use of Heaven's Gate
technique
• Used to inject to a x64
process from x32
• Needed by Emotet for
email harvesting
• Disrupts analysis
• Most debuggers don't
have support

Everything starts with an email and an attachment... (or
sometimes a link)
2.2 KILL CHAIN
17

18
2.2 KILL CHAIN
• Typically the document
contains a vba macro
which will spawn a
powershell and execute
the payload

2.2 KILL CHAIN
19

2.2 KILL CHAIN
Some of the macros will instead
use wscript to execute a
JavaScript payload instead, with
a similar purpose.
• Some organizations have
disabled powershell
execution
20

2.2 KILL CHAIN
The payload will contact a (typically) compromised server, and it will
download the actual Emotet binary:
21

2.2 KILL CHAIN
The payload will contact a (typically) compromised server, and it
will download the actual Emotet binary:
22

2.2 KILL CHAIN
The binary contains a list of
hardcoded IPs, and the
necessary encryption keys to
communicate with the C2
1. After being executed, it will
call home
1. If not using the most recent
Emotet the server will provide
an updated sample
2. If using the most recent
version, it will return the
modules
23

2.2 KILL CHAIN
The modules are executed using different techniques depending
on the module…
…but we will not get into that in this talk.
Depending on the campaign, Emotet will then deploy the next
payload; Trickbot, Dridex, Pandabanker, etc.
24

Emotet infrastructure has mainly three
components:
• Compromised servers
• Drops first stage
• Regular C2 servers
• Module-specific C2 servers
2.3 THE INFRASTRUCTURE
26

Encrypted communications (C2 servers)
27
EMOTET DATA PACKET (RESPONSE)
RSA_SIGNATURE(MESSAGE)
AES_ENCRYPT(MESSAGE)
SHA1(MESSAGE)
PROTOBUF_ENCODE(ACTUAL DATA)
EMOTET DATA PACKET (REQUEST)
BASE64 (PAYLOAD)
RSA_ENCRYPT(AES KEY)
AES_ENCRYPT(MESSAGE)
SHA1(MESSAGE)
PROTOBUF_ENCODE(ACTUAL DATA)

Protobuf:
• Protocol Buffers by Google
• Data serializer
Emotet uses modified version. If
you want to play around with this...
https://d00rt.github.io/emotet_netw
work_protocol/
28

The request itself has changed a lot over time:
• Changes in response code
• Changes in request type POST->GET
• Different path generation
• Based on serial number of infected bot
• Based on keyword list
• Data embedded in POST DATA, cookie...
29

30

31

The infrastructure is also constantly
changing
• Compromised servers
• RSA keys used
• C2 available
And apparently, subdivided in different
infrastructures
32

TRENDMICRO identified two different
infrastructures in Nov 2018:
• Different RSA keys
• Different C2 combinations
• Grouped by compilation time (EPOCH)
33
https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-
infrastructure/

34
2.3 THE
INFRASTRUCTURE
Even before then, the research
group Cryptolaemus was
already sharing Emotet IOCs
• Different infrastructures
• Divided by Epoch
• At least a month before
blogpost

With time, identifying the Epochs has
become more difficult:
• Three infrastructures instead of two
• Identified based on:
• C2 relationship
• RSA key (unique per Epoch)
• Document dropper creation time
35

36
Lets try to draw something as well!

37

38

39
>=8 RSA nodes
2 RSA nodes
1 RSA node is
White

40

41

42
First rule of TI:
• No one has visibility over absolutely everything
• We're missing data too
Tracking Emotet is not that easy
• Many factors to take into account
• Server responses may vary by country, time of day
• Protocol changes affects emulator effectivity

2.4 SPAM
The success of Emotet is driven by:
• Quality of spam sent
• Sheer volume of spam the botnet is capable of
producing
44

2.4 SPAM
Spam quality:
• Even when using "generic"
spam messages, these are
tailored for the targeted
countries
45

2.4 SPAM
Spam quality:
• Even when using "generic"
spam messages, these are
tailored for the targeted
countries
46

2.4 SPAM
47

2.4 SPAM
48
Spam quality:
• Replying to existing
emails

2.4 SPAM
49

2.4 SPAM
Volume:
• Distributed samples
• Emails sent
50

2.4 SPAM
51
Volume:
• Distributed samples
• Emails sent

52
2.4 SPAM
Spam by topic (based on subject):
Topic Subject
Name Name of the victim
No subject No subject
Response Reply-related subject
Finance Invoices, budgeting
Info Information-related subject
Spam Literal spam subject
Work Job offers, workplace

2.4 SPAM
Spam by language
(top 9)
53
Language Emails
English 772435
Italian 298895
German 281624
Spanish 214543
Korean 86879
Portuguese 66133
Japanese 63563
Romanian 39538
Catalan 38289

2.4 SPAM
Spam by domain recipient
(top 9)
54
domain count
gmail.com 124442
hotmail.com 72160
libero.it 54088
NPS.K12.NJ.US 48091
liconsa.gob.mx 46686
dyauto.kr 37668
yahoo.com 35803
emirates.net.ae 17076
comcast.net 16878

2.4 SPAM
55

2.4 SPAM
Spam by domain recipient
56
Domain #Email
marriottluxurybrands.com 16691
powerlinksworld.com 16389
yahoo.es 15492
daimler.com 12320
indeedemail.com 12168
arsial.it 12051
amarasanctuary.com 11559

2.4 SPAM
The Emotet gang has also taken
advantage of other events or public
figures such as:
• Climate-change related emails
mentioning Greta Thunberg
• Coronavirus
57
Image source: Proofpoint

2.4 SPAM
Renting/side-gig with
sextortion emails:
• Claiming to have
videos of someone
"satisfying" themselves
• Threaten to send to all
contacts
• Get infected
with Emotet anyway..
58

3. ACTING AS A LOADER
60

Emotet’s main objective is to act as a loader.
It has been seen distributing many different types of
malware, but some of the most relevant today are:
• Dridex
• Trickbot
• Pandabanker
61

Many of these also combine themselves with ransomware, creating a d
evastating combination for many companies
• Triple threat: Emotet + Trickbot + Ryuk
Image Credit: Cybereason
62

There have been some reported incidents:
• Berlin High Court (Kammergericht)
• Frankfurt (preemtive shutdown)
• Prosegur
• Cadena Ser
But many happen under the radar
63

New trends in ransomware:
• Maze
• Doppelpaymer
• Nemty
64

5. CONCLUSIONS
Emotet will keep growing its assets:
• Ramping up distribution
• Better spam campaigns
New tendencias in ransomware
• More groups will join the leak-threat
66

5. CONCLUSIONS
Next steps:
• Contacting cryptolaemus about data discrepancy
• Keep investigating Emotet gang
Educate users on this threat:
• Spam techniques used
• Infection vectors
Learn about their TT&P
67

5. CONCLUSIONS
68
https://community.blueliv.c
om

Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin

Similar to Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin (20)

More from RootedCON

More from RootedCON (20)

Recently uploaded

Recently uploaded (20)

Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin

Editor's Notes