

Emotet, recognized as one of the most notorious and persistent malware families in recent history, has re-emerged with notable alterations to its tactics, techniques, and procedures following a period of dormancy between late 2022 and March 2023.


This report aims to provide a comprehensive perspective on Emotet's activities and recent developments, offering cybersecurity professionals crucial insights needed to effectively counter this highly versatile and modular malware.


Humble Beginnings and Attribution

Initially surfacing as a relatively straightforward banking Trojan, Emotet primarily targeted financial institutions in Germany and Austria. This early version stole financial data by intercepting online banking sessions through man-in-the-browser (MITB) injection. As Emotet expanded its capabilities, security researchers attributed its development to the threat group tracked as TA542, Mealybug, or MUMMY SPIDER (the names assigned by Proofpoint, ESET and CrowdStrike respectively). The group is thought to be Russian-speaking; conclusive attribution to a specific nation remains uncertain.


By 2017, TA542 had started an affiliate program, selling other threat actors access to its malspam botnet and command-and-control infrastructure. Operating as a Malware-as-a-Service platform, TA542 was the first group observed distributing the IcedID banking Trojan.


Since then, Emotet has served as a delivery mechanism for other malware, including TrickBot, Qakbot and Gootkit, as well as the Ryuk and Conti ransomware strains.


Technical Analysis of Recent Activity

TA542 presents a considerable threat to an extensive range of targets, encompassing small businesses, multinational corporations, and governmental agencies across Europe, the United States, and the APAC region. As the group broadens its focus in malspam botnet operations, it rapidly refines its modus operandi to excel in diverse environments while incorporating new capabilities.


In March 2023, security researchers observed a resurgence of Emotet malspam campaigns after a period of dormancy. These renewed campaigns were found to employ the previously identified "Red Dawn" template in conjunction with fraudulent invoice and U.S. tax-themed malspam.



A notable example of the latest U.S. tax-themed malspam campaign involves Emotet leveraging the W-9 form as a lure, enticing victims to download malicious Office documents. These emails are designed to impersonate communications from an "Inspector" at the Internal Revenue Service, with the sender's name displayed as "IRS Online Center."



During the early stages of this campaign in March, the emails carried a ZIP archive named "W-9 form.zip" containing a heavily obfuscated Word document padded out to roughly 500 MB, a size chosen to exceed the file-size limits of many antivirus scanners. Once Microsoft began blocking VBA macros by default in Office documents downloaded from the internet, however, TA542 quickly adapted its tactics.


In response to Microsoft's macro blocking, TA542 shifted to Microsoft OneNote documents with embedded VBScript files to install Emotet. The switch shows the group's persistence and resourcefulness in evading security controls while keeping its malspam campaigns effective.



The attached OneNote documents, often incorporating "W9" in their filenames, exhibit a comparable approach to previously observed techniques in Microsoft Word and Excel documents. These files prompt users to click a button to access the complete contents, a tactic consistent with earlier Emotet strategies.


In this particular attack chain, the OneNote file hides a malicious Windows Script File (.wsf) beneath the "View" button. When the target clicks the button, wscript.exe is invoked to run the VBScript the file contains.


Upon deobfuscation, the VBScript turns out to be a downloader that retrieves the Emotet payload, packaged as a .zip file, from what is most likely a compromised website. Keeping the payload off the attachment and on a second-stage host is part of how the campaign stays ahead of email security controls.


The payload is typically encrypted and concealed within the .zip file, further complicating detection efforts by security solutions. Once downloaded, the payload is decrypted and extracted, revealing the Emotet binary in the form of a .DLL file.


Once the Emotet payload has been downloaded, decrypted, and extracted as a DLL, the malware is launched with the built-in "regsvr32.exe" utility, which loads the DLL and calls its DllRegisterServer export. Running a malicious DLL through a signed, trusted Windows binary in this way is signed binary proxy execution (MITRE ATT&CK T1218.010), not DLL side-loading, and it is a common way for threat actors to slip past application controls that only look at the launching executable.


Once the DLL is running, Emotet contacts its C2 infrastructure and reports details about the newly compromised system.


Post Exploitation and Additional Payloads


To establish persistence on an infected system, Emotet creates an AutoStart registry key pointing to the location of the dropped DLL so that it is loaded again at logon. This persistence lets the malware survive reboots and continue its activities, such as exfiltrating sensitive information or deploying additional payloads.
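The chain described above (OneNote spawning a script host, the script host running regsvr32.exe on a DLL in a user-writable directory, and an AutoStart Run value pointing back at that DLL) is easiest to catch on the endpoint with process-lineage and registry telemetry. The following is an added example, not code from the original report: it runs simple detection logic over constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 13 (registry value set). The field names, the sample paths and the benign msiexec.exe event are assumptions of this example, not a vendor schema or real victim data.

```python
"""Detect the Emotet OneNote -> wscript.exe -> regsvr32.exe chain and its
Run-key persistence in constructed process-creation and registry events.
Added example; field names and sample data are assumptions, not a vendor schema.
"""
import re

# Constructed sample telemetry (not real victim data).
EVENTS = [
    {"id": 1, "pid": 4012, "ppid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r'"ONENOTE.EXE" "C:\Users\alice\Downloads\W9 form 0331.one"'},
    {"id": 1, "pid": 4100, "ppid": 4012,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\NT\0\click.wsf"'},
    {"id": 1, "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\output.dll"'},
    {"id": 13, "pid": 4188,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Output",
     "details": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\output.dll"'},
    # Benign: an installer registering a COM DLL from Program Files.
    {"id": 1, "pid": 5000, "ppid": 800,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
]

OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Paths under \Users\ or \ProgramData\ are writable without admin rights.
USER_WRITABLE = re.compile(r"\\(users|programdata)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: dict) -> list:
    """Image basenames from pid upward through every parent we have a create event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return (rule_name, pid) findings for the Emotet OneNote chain."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            image = basename(e["image"])
            parent = basename(e.get("parent_image", ""))
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", e["pid"]))
            if image == "regsvr32.exe" and USER_WRITABLE.search(e["cmd"]):
                chain = ancestry(e["pid"], by_pid)
                # Full chain: regsvr32 <- script host <- Office application.
                if len(chain) >= 3 and chain[1] in SCRIPT_HOSTS and chain[2] in OFFICE_APPS:
                    findings.append(("emotet_onenote_chain", e["pid"]))
                else:
                    findings.append(("regsvr32_dll_from_user_writable_path", e["pid"]))
        elif e["id"] == 13:
            # AutoStart persistence: a Run value whose data points into a user-writable path.
            if "\\currentversion\\run\\" in e["target"].lower() and USER_WRITABLE.search(e["details"]):
                findings.append(("run_key_to_user_writable_path", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid}")
```

The regsvr32 rule is deliberately split in two: a DLL registered from a user-writable path with a script host and an Office application above it in the process tree is high confidence, while the same command without that lineage is only worth a look, since installers legitimately call regsvr32.exe all day. Tune OFFICE_APPS and the path regex to the telemetry you actually collect.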


Emotet's typical data collection involves harvesting contacts, emails, and credentials from the infected machine. The stolen emails and contacts are then fed back into the malspam botnet to widen its target base, including by injecting malspam replies into existing email threads (thread hijacking), which makes the lures far more convincing and further propagates the malware.


Security researchers have recently (Q4 2022 through 2023) seen Emotet drop the following additional payloads:

  • Cobalt Strike (for lateral movement)

  • Quantum ransomware

  • BlackCat ransomware

Defending against Emotet in 2023

Defending against Emotet requires a layered approach because of its rapidly evolving nature. It remains one of the most notorious malware families in recent history and continues to present an ongoing challenge for defenders.

Effectively defending against Emotet and its recent campaigns requires a multi-layered approach that encompasses the following strategies:

  • User Awareness and Training: Establish a robust Security Awareness Program within your organization, as it serves as the first line of defense against email-based attacks. Emphasize the importance of recognizing phishing emails, malicious tactics, and other social engineering techniques employed by TA542.


  • Email Filtering and Spam Protection: Implement strong email filtering and spam protection to minimize the chance of Emotet malspam reaching users' inboxes. Watch for unusually large attachments, such as the padded 500 MB documents seen in the March campaign, and for OneNote attachments, as both have been associated with recent campaigns.


  • Scripting Monitoring and Restriction: Closely monitor the use of PowerShell, Windows Script Host (wscript.exe and cscript.exe) and other scripting engines in your organization, and restrict their execution where possible. Emotet abuses these tools during the infection process (the OneNote chain above runs its downloader through wscript.exe), so limiting them removes a step the attacker depends on.


  • Application Whitelisting: Employ application whitelisting solutions to control which applications are permitted to execute on your organization's systems. This precaution can help prevent unauthorized or malicious applications, such as Emotet and its associated payloads, from running on endpoints.

Indicators of Compromise

SHA256:
ac8f0db9fd6a91a765aeeed5eafd7a19ad2e37362f6d3468a386ee8a9f4dc7e5

Domains:
erkaradyator[.]com[.]tr
sachininternational[.]com
ardena[.]pro
panel[.]chatzy[.]in
hospedagemdesites[.]ws
esentai-gourmet[.]kz

IP addresses:
188[.]132[.]217[.]107
209[.]126[.]85[.]32















I've discovered some excellent sites in the last few months that have helped me develop my information security knowledge and learn new skills. This month, I'm paying particular attention to reverse engineering malware.


In addition to learning plans and exercises, I've discovered some excellent resources that are all free.


begin.re - Reverse Engineering For Beginners

An online workshop called Begin.RE was developed by Ophir Harpaz, a security researcher at Guardicore. This online class was inspired by a lesson on fundamental security principles that took place at the Microsoft R&D Center in April 2018.


The website offers a combination of required reading and information-digesting exercises. The x86 architecture is the course's primary focus, and it does an excellent job of teaching the basics required to understand how to reverse engineer malware.


It also covers IDA fundamentals (I personally use Ghidra).

The last portion of this course and what it leads up to is a challenge to hack Microsoft's classic game Minesweeper and have the program print where all the mines are upon start.


This challenge looks very fun, and I'll dedicate a post to solving it in the near future.



Reverse Engineering 101 by Malware Unicorn



The great Malware Unicorn has great workshops focusing on reverse engineering. The workshops are very detailed and walk you through setting up VMs dedicated to reverse engineering malware. By providing pre-configured VirtualBox VMs, she has made navigating the process of setting up these VMs extremely easy.


The workshop is focused on x86 architecture and details reverse engineering techniques across the entire attack lifecycle of a typical malware infection.


Covering triage alongside static and dynamic analysis helps tie the concepts together and gives a real-world example of how malware analysis fits into the incident response cycle.

She has also provided a second course when you are finished with 101 that goes more into detail about evasion techniques and identifying encryption used by malware.


The Malware Museum


The Malware Museum is one of my favorite resources. It focuses on malware distributed during the 1980s and 1990s, with all destructive properties removed. What I love about this period of malware history are the colorful animations included. This is more of a fun resource than something purely focused on study. Thank you Mikko.


CNIT 126: Practical Malware Analysis by Sam Bowne


CNIT 126 is a mock college course (which I love) that focuses on teaching how to analyze malware using Ghidra. What's great about courses in this format is that they include discussion boards, schedules, and lecture notes.


The course is designed to teach the basics of malware types and go into static and dynamic analysis. There is just such great information included in the course that I know the majority of my time will be focused on this resource.


Thanks for reading and following my Journey





This exercise is from the wonderful Malware-Traffic-Analysis.net and is aptly named BURNINCANDLE.


SCENARIO:

LAN segment data:

LAN segment range: 10.0.19.0/24 (10.0.19.0 through 10.0.19.255)

Domain: burnincandle.com

Domain controller: 10.0.19.9 - BURNINCANDLE-DC

LAN segment gateway: 10.0.19.1

LAN segment broadcast address: 10.0.19.255


TASK:

1. Write an incident report based on the PCAP


Executive Summary:

Some time on 3-21-2022 our user Patrick.Zimmerman clicked on a malicious document and enabled macros. At 20:58 UTC the infection of Patrick's endpoint DESKTOP-5QS3D5D started to reach out to ICEDID related C2 infrastructure to start the next phase of the Quantum Locker ransomware.

Indicators of Compromise:

antnosience[.]com

suncoastpinball[.]com

seaskysafe[.]com

otectagain[.]top

dilimoretast[.]com

filebin[.]net

situla.bitbit[.]net

bupdater[.]com


My Analysis:


I started by running the PCAP file through Security Onion using the so-import-pcap command:

Once successfully imported into SecurityOnion it gives us this beautiful output:

If we move to the Alerts tab of Security Onion and expand the time range to cover the PCAP, we can see four alerts:

If I were to do this without Suricata rules, then the most likely place I would start would be the network logs of the infected machine. Has this machine reached out to any suspicious domains? By suspicious I mean connections that fall outside of normal user behavior.


Thankfully, we have threat intelligence and finding the needle in a haystack is much easier.


I want to take a look at these *.top domains and determine if there is any open-source intel related to those domains:


From the details of the alert we get two things we can search for:

  • 188[.]166[.]154[.]118

  • oceriesfornot[.]top

What I usually do with Indicators of Compromise is run them through VirusTotal and when doing that I'm interested in a few things:


First is of course the Security Vendor Analysis: https://www.virustotal.com/gui/ip-address/188.166.154.118/detection

Although most of the virus engines show it as "Clean" this minority is enough for me to keep on this path.


In the relations tab there are IOCs we can also collect to further protect our environment when we move to the eradication and remediation phase.

The last thing I'm most interested in is the community tab. This is where a lot of researchers post automated rule matches and threat research that include the IOC we are searching:

From these four comments I've gotten a lot of leads:


  • Our user is infected with IcedID's Quantum Locker ransomware (we already knew this from our alerts)

  • Avertium and Cybereason have threat intelligence related to our user's predicament

  • This isn't a false positive

  • This is a part of an exercise by MalwareTrafficAnalysis (haha)

Now we need to research who or what IcedID is, and what Quantum Locker is.


Dancing with the LUNAR SPIDER:


Most threat intelligence about IcedID references this article released by IBM's Security Intelligence organization: https://securityintelligence.com/posts/breaking-the-ice-a-deep-dive-into-the-icedid-banking-trojans-new-major-version-release/


CrowdStrike calls the operators of this malware LUNAR SPIDER.


I'm going to pull some interesting quotes from this article:

"The IcedID banking Trojan was discovered by IBM X-Force researchers in 2017. At that time, it targeted banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, mainly in the U.S."
IcedID’s Entry Point – Targeted Maldocs via Other Malware

Did our user open a malicious Microsoft Office document from their email? That has been the trend among eCrime actors for several years.


Next I want to see all traffic to the IP addresses 188[.]166[.]154[.]XXX


There are some not-so-great things going on here (C2 activity):

  1. Our victim reaches out to this malicious domain through an ephemeral port

  2. This remote IP replies back

  3. We see some more communication and evidence of an IcedID request cookie

Here is the decoded cookie:


Next I want to take a look at the IDS signature alerts by Zeek:


Using VirusTotal, we can check some of the destination IPs that our victim is communicating heavily with:


This 157[.]245[.]142[.]66 resolves to more LUNAR SPIDER-related C2 domains and will also be included in our eradication and remediation steps:

antnosience[.]com otectagain[.]top


Continued we see more traffic from our victim machine to the IP address 91[.]192[.]16[.]181


Throwing that into VirusTotal gives us more C2 domains related to IcedID, and a researcher has created a graph that enumerates even more IP addresses related to this infection:



The next group of IDS alerts I'm interested in are the SMB related alerts:


Within these alerts we can see staging:

It looks like this series of SMB mapping entries is the victim machine gathering details about its own host and domain environment.


Through these SMB mapping entries we can see the opening of files related to the:

  • Computer Name

  • Time Zone

  • Current Security Policies

  • GPO Settings

Each time the SMB resources are accessed, we can see a callback to the malicious domain:


antnosience[.]com


The pattern can be seen here:

We see the victim machine continue communication with the C2 domain: otectagain[.]top


To make this easier and to make sure we collect all malicious domains this infected machine connected to I'm going to run this Wireshark capture through a packet analyzer. Through common sense and threat intelligence it doesn't take too long to find suspicious domains in this list:


-----------------------------------

antnosience[.]com

v10.events.data.microsoft.com

suncoastpinball[.]com

wpad.burnincandle.com

wpad.mshome.net

settings-win.data.microsoft.com

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.burnincandle.com

checkappexec.microsoft.com

burnincandle-dc.burnincandle.com

dns.msftncsi.com

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mshome.net

_ldap._tcp.dc._msdcs.mshome.net

client.wns.windows.com

BURNINCANDLE-DC.burnincandle.com

ctldl.windowsupdate.com

_ldap._tcp.Default-First-Site-Name._sites.burnincandle.com

api.msn.com

www.bing.com

fp-vp-nocache.azureedge.net

fp-vs-nocache.azureedge.net

t-ring.msedge.net

fp-vp.azureedge.net

teams-ring.msedge.net

spo-ring.msedge.net

filebin[.]net

situla.bitbit[.]net

bupdater.com

r3.i.lencr.org

x1.c.lencr.org

DESKTOP-LR77S6E.burnincandle.com

nexusrules.officeapps.live.com

msedge.api.cdp.microsoft.com

config.edge.skype.com

seaskysafe[.]com

otectagain[.]top

dilimoretast[.]com

login.microsoftonline.com

arc.msn.com

licensing.mp.microsoft.com

storecatalogrevocation.storequality.microsoft.com


Running each of these suspicious domains through VirusTotal fits the pattern of IcedID infections.

-----------------------------------
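Picking the bad names out of a query list like the one above is mostly a matter of subtracting what you expect to see and matching what threat intel already gave you. The block below is an added example, not part of the original write-up (it serves this list and, for the refanging step, the defanged indicators in both this exercise's IoC list and the Emotet IoC section earlier on the page). It refangs the `[.]`-style indicators, drops queries under an allowlist of expected suffixes, and leaves everything else for the analyst. The allowlist is an assumption for this lab (the victim domain plus the Microsoft service and certificate-authority names seen in the list) and must be tuned per environment; the final entry in QUERIES is constructed to show the leftover bucket and was not in the capture.

```python
"""Refang defanged IOCs and triage a DNS query list into IOC hits, expected
traffic, and unexplained leftovers.
Added example; the allowlist and the last query are assumptions, not from the PCAP.
"""

DEFANG_MAP = (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http"))


def refang(ioc: str) -> str:
    """Turn 'otectagain[.]top' or 'hxxp://...' back into a usable value."""
    out = ioc.strip()
    for defanged, real in DEFANG_MAP:
        out = out.replace(defanged, real)
    return out.lower()


# Indicators from this exercise (defanged as they appear in the write-up).
IOCS = {refang(i) for i in [
    "antnosience[.]com", "suncoastpinball[.]com", "seaskysafe[.]com",
    "otectagain[.]top", "dilimoretast[.]com", "filebin[.]net",
    "situla.bitbit[.]net", "bupdater[.]com", "oceriesfornot[.]top",
]}

# Assumed allowlist for this lab: victim domain plus Microsoft and CA names.
ALLOW_SUFFIXES = (
    ".burnincandle.com", ".mshome.net",               # victim domain, Hyper-V default
    ".microsoft.com", ".windows.com", ".windowsupdate.com", ".microsoftonline.com",
    ".live.com", ".msn.com", ".bing.com", ".skype.com", ".msftncsi.com",
    ".msedge.net", ".azureedge.net",                   # Microsoft CDNs
    ".lencr.org",                                      # Let's Encrypt OCSP/CRL
)

# Subset of the query list above, plus one constructed unknown at the end.
QUERIES = [
    "antnosience[.]com", "v10.events.data.microsoft.com", "suncoastpinball[.]com",
    "wpad.burnincandle.com", "_ldap._tcp.dc._msdcs.mshome.net", "dns.msftncsi.com",
    "ctldl.windowsupdate.com", "fp-vp.azureedge.net", "teams-ring.msedge.net",
    "filebin[.]net", "situla.bitbit[.]net", "bupdater.com", "r3.i.lencr.org",
    "DESKTOP-LR77S6E.burnincandle.com", "config.edge.skype.com", "seaskysafe[.]com",
    "otectagain[.]top", "login.microsoftonline.com", "arc.msn.com",
    "updates.contoso-example.com",  # constructed, not in the capture
]


def allowed(domain: str, suffixes) -> bool:
    """True if the name is an allowlisted suffix itself or sits beneath one."""
    return any(domain == s.lstrip(".") or domain.endswith(s) for s in suffixes)


def triage(queries, iocs=IOCS, suffixes=ALLOW_SUFFIXES):
    """Return (hits, leftovers): IOC matches and queries nobody has explained."""
    hits, leftovers = [], []
    for q in queries:
        d = refang(q).rstrip(".")
        # IOC match wins over the allowlist, including subdomains of an indicator.
        if d in iocs or any(d.endswith("." + i) for i in iocs):
            hits.append(d)
        elif not allowed(d, suffixes):
            leftovers.append(d)
    return hits, leftovers


if __name__ == "__main__":
    hits, leftovers = triage(QUERIES)
    print("IOC hits:   ", hits)
    print("unexplained:", leftovers)
```

The IOC check runs before the allowlist on purpose: if an attacker ever lands on a name under a trusted suffix, the indicator should still win. Anything in the leftover bucket is what you take to VirusTotal and passive DNS, exactly as the write-up does by hand.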

Next I'm interested in a GET request to our malicious domain otectagain[.]top

I ran into a bit of a wall with this one after getting the SHA256 of "index.gzip".

Thanks to a post by BinaryDefense it is now clear that this isn't actually a gzip file and the gzip header (the \x1f\x8b magic bytes) is just a masquerade.
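The quickest way to confirm that kind of masquerade is to stop trusting the magic bytes and actually try to inflate the body. The following is an added example, not the author's or BinaryDefense's code: it classifies a blob as real gzip, a gzip masquerade (magic present but the stream does not decompress), or not gzip at all, and reports the byte entropy, which for an encrypted second-stage payload sits close to 8 bits per byte. Both sample blobs are constructed here; nothing is fetched from the network.

```python
"""Classify a downloaded body that claims to be gzip, and score its entropy.
Added example; REAL_GZIP and FAKE_GZIP are constructed samples, not the real index.gzip.
"""
import gzip
import math
import zlib
from collections import Counter

GZIP_MAGIC = b"\x1f\x8b"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, near 8.0 for random/encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_gzip(blob: bytes) -> str:
    """'gzip' if the stream really inflates, 'masquerade' if only the magic is
    present, 'not_gzip' if the magic is absent."""
    if not blob.startswith(GZIP_MAGIC):
        return "not_gzip"
    try:
        gzip.decompress(blob)
    except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is an OSError
        return "masquerade"
    return "gzip"


def triage(blob: bytes) -> dict:
    """Summary for analyst notes: verdict, declared compression method, entropy, size."""
    return {
        "verdict": classify_gzip(blob),
        "declared_method": blob[2] if len(blob) > 2 else None,  # 8 == deflate
        "entropy": round(shannon_entropy(blob), 2),
        "size": len(blob),
    }


# Constructed samples: a genuine gzip member, and magic bytes glued to non-deflate data.
REAL_GZIP = gzip.compress(b"<html><body>hello</body></html>")
FAKE_GZIP = GZIP_MAGIC + b"\x08\x00" + bytes(range(256)) * 4

if __name__ == "__main__":
    for name, blob in (("real", REAL_GZIP), ("fake", FAKE_GZIP)):
        print(name, triage(blob))
```

A masquerade verdict together with high entropy is the signal that the "gzip" is really an encrypted or custom-packed payload that the first-stage loader knows how to unwrap, which is the point BinaryDefense's graph makes.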


Thanks BinaryDefense for this amazing graph:


Since we have no host forensic logs to determine how our user got the malicious payload or further network logs to determine how far lateral movement has progressed we can start to write our executive summary.


I am confident:

  • Our user most likely received an email with a malicious document attached

  • The user opened the malicious document and allowed macros starting the infection chain

  • Network traffic confirms the execution of the initial payload was successful and C2 traffic is setting up the next stage of the Quantum Locker Ransomware


Thanks for reading.

