New features of the botnet and how to recognize them

One of the most dangerous and notorious threats is back. In January 2021, global officials shut down the botnet. Law enforcement agencies sent a destructive update to the Emotet executables, and it looked like the end of the Trojan's story.

But the malware kept surprising.

On November 1st, 2021, it was reported that TrickBot no longer works on its own and is delivering Emotet. ANY.RUN, along with industry peers, was among the first to notice the emergence of Emotet’s malicious documents.

First malicious Emotet documents

And this February we can see a very active wave, with crooks performing numerous attacks and reaching the top of the leaderboard. If you are interested in this topic or are researching malware, you can use ANY.RUN, the interactive sandbox for cyber threat detection and analysis.

Let’s check out the changes of the new version that this intrusive malware has brought this time.

Emotet story

Emotet is a sophisticated, ever-evolving modular botnet. In 2014, the malware was just a trivial banking Trojan. Since then it has acquired various features, modules and campaigns:

  • 2014. Modules for money transfers, email spam, DDoS and address book theft.
  • 2015. Evasion functionality.
  • 2016. Mail spam, RIG 4.0 exploit kit, delivery of more trojans.
  • 2017. A spreader and address book stealer module.

The polymorphic nature and numerous modules allow Emotet to evade detection. The team behind the malware is constantly changing its tactics, techniques, and procedures to break the existing detection rules. It downloads additional payloads in numerous steps to remain on the infected system. Its behavior makes the malware almost impossible to get rid of. It spreads quickly, creates erroneous indicators and adapts to attackers’ needs.

And on November 14, 2021, Emotet was reborn with a new version.

Why was Emotet reborn?

There have been several breaks throughout Emotet’s history. But after global police operations in January 2021, we were ready for it to be over for good. A joint law enforcement operation arrested several gang members, took over servers and destroyed backups.

Despite this, the botnet became even more robust. It is adept at evasion techniques and uses multiple ways to compromise networks, making it as dangerous as it used to be.

Trickbot was observed trying to download a dynamic link library (DLL) onto the system. The DLLs turned out to be Emotet, and researchers later confirmed this.

In 2021, after the comeback, Emotet led the top 3 uploads in the ANY.RUN sandbox. Even after such a long break, it still became popular. All Emotet trend statistics are available in the Malware Trends Tracker, and the numbers are based on the public submissions.

Top Malware Uploads in the Last Week

No wonder: now that operations are back on track, ANY.RUN’s database is getting almost 3 thousand malicious samples per week. And it’s becoming increasingly clear that you need to be prepared for these types of attacks at all times.

What new features has Emotet acquired?

The Trojan is already a serious threat to any business. Keeping up with the malware's updates helps you avoid the threat and stay careful. Let’s examine what features the new version brings and how it differs from the previous ones.


The Emotet campaigns start with a malspam email that contains weaponized Microsoft Office documents or hyperlinks. The phishing email is widely distributed, and victims are tricked into opening the malicious attachments. The weaponized Microsoft Office document has VBA code and an AutoOpen macro for its execution. The Emotet group lures its victims into enabling the macros, and this is the only user interaction required to launch the attack. This user interaction allows sandbox testing and verification to be bypassed.

Emotet proliferates using malicious email campaigns, which usually consist of Office documents. And the malware gets very creative with templates of its maldocs. The botnet constantly changes them: it imitates program updates, messages, files. And the content embeds the obfuscated VBA macro and creates various execution chains. The authors behind the malware trick users into enabling macros to launch the attack.

The new version also has a twist. In the summer of 2020, Emotet used a document with an Office 365 message. The image remains unchanged, but the document switched to the XLS format. Also, in this new version, hexadecimal and octal formats were used for the first time to represent the IP address from which the second stage was downloaded. Later the technique changed again, and crooks no longer use the hex-encoded IP to download the payload.

Emotet templates in February
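
To recognize the hexadecimal and octal IP notation described above, a URL's host can be normalized the way the classic inet_aton parser reads it and flagged when it is not plain dotted decimal. This is an added example, not code from ANY.RUN or from an Emotet sample; the function names and the sample URLs (built on the documentation address 192.0.2.10) are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def _part(tok):
    """Parse one host component as inet_aton does: 0x.. hex, leading 0 octal, else decimal."""
    t = tok.lower()
    if not (t.isascii() and t.isalnum()):
        raise ValueError(tok)
    if t.startswith("0x"):
        return int(t[2:], 16), "hex"
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8), "octal"
    return int(t, 10), "decimal"

def decode_host(host):
    """Return (dotted_quad, encodings) for a numeric IPv4 host, or None for a name."""
    toks = host.split(".")
    if not 1 <= len(toks) <= 4:
        return None
    try:
        parsed = [_part(t) for t in toks]
    except ValueError:
        return None
    *head, last = [v for v, _ in parsed]
    # Leading parts are one byte each; the last part fills all remaining bytes.
    if any(v > 0xFF for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(addr)), sorted({k for _, k in parsed})

def flag_url(url):
    """Describe a URL's host; 'suspicious' means an IPv4 host not in plain dotted decimal."""
    host = urlsplit(url).hostname or ""
    decoded = decode_host(host)
    if decoded is None:
        return None
    ip, kinds = decoded
    plain = kinds == ["decimal"] and host.count(".") == 3
    return {"url": url, "ip": ip, "encodings": kinds, "suspicious": not plain}

# Constructed sample URLs (192.0.2.10 is a documentation address, not an IoC from the page).
SAMPLES = ["http://0xc0.0x00.0x02.0x0a/a.png", "http://0300.0000.0002.0012/a.png",
           "http://3221225994/a.png", "http://192.0.2.10/a.png", "http://example.com/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", flag_url(u))
```

Running flag_url over URLs extracted from macros or command lines gives one canonical address to match against IOC lists, whichever notation the document used.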

New Techniques

Emotet continues to raise the bar as a polymorphic creature by learning new techniques. The latest malware version has come up with some minor changes in tactics: it uses MSHTA again. In general, Macro 4.0 uses Excel to run either CMD, Wscript or Powershell, which starts another process, such as MSHTA or one of those mentioned above, that downloads the main payload and runs it with rundll32.

The botnet is keen to mask malicious strings and content such as URLs, IPs, commands, or even shellcodes. But sometimes you can get the list of URLs and IPs from the file’s script. You can definitely find it yourself in ANY.RUN’s Static Discovering. Just try it!

URL list from Emotet’s fake PNG file


We know that Emotet usually drops other malware to make the infection worse. In November, the botnet was found to have delivered the Trickbot banking Trojan to the compromised hosts.

Currently we can see that Emotet is working with Cobalt Strike. It is a C2 framework also used by penetration testers and criminals. Having Cobalt Strike in the scenario means the time between initial infection and a ransomware attack is significantly reduced.

A list of Cobalt Strike IOCs from Emotet infections

Process tree

The execution chain also received some modifications. In most cases we can notice a CMD child process, a PowerShell and Rundll32, and various examples prove that authors prefer to mix processes and constantly change their order. The main goal behind this is to avoid detection by rule sets that identify a threat from an application’s child processes.

Emotet process tree
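
Because the order of the intermediate processes keeps changing, a rule that looks at the whole ancestry of rundll32 holds up better than one tied to a fixed parent and child pair. The following is an added example, not an ANY.RUN rule: it works on constructed process-creation events, the event layout (pid, parent pid, image name) and the function names are assumptions, and it assumes PIDs are unique within the capture.

```python
OFFICE = {"excel.exe", "winword.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

# Constructed events (pid, parent pid, image); not taken from a real sample.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "excel.exe"),
    (210, 200, "cmd.exe"),
    (220, 210, "powershell.exe"),
    (230, 220, "rundll32.exe"),      # Excel > CMD > PowerShell > Rundll32
    (300, 100, "excel.exe"),
    (310, 300, "wscript.exe"),
    (320, 310, "mshta.exe"),
    (330, 320, "cmd.exe"),
    (340, 330, "rundll32.exe"),      # same goal, different order of processes
    (400, 100, "cmd.exe"),
    (410, 400, "rundll32.exe"),      # no Office ancestor, should not be flagged
]

def lineage(pid, table):
    """Walk parent links from pid towards the root; returns image names, child first."""
    chain, seen = [], set()
    while pid in table and pid not in seen:   # 'seen' guards against parent loops
        seen.add(pid)
        ppid, image = table[pid]
        chain.append(image.lower())
        pid = ppid
    return chain

def find_office_rundll32(events):
    """Flag rundll32 with an Office ancestor and at least one script host in between."""
    table = {pid: (ppid, image) for pid, ppid, image in events}
    hits = []
    for pid, _, image in events:
        if image.lower() != "rundll32.exe":
            continue
        ancestors = lineage(pid, table)[1:]
        office_at = next((i for i, a in enumerate(ancestors) if a in OFFICE), None)
        if office_at is None:
            continue
        between = ancestors[:office_at]
        if any(a in INTERPRETERS for a in between):
            chain = list(reversed(ancestors[:office_at + 1])) + ["rundll32.exe"]
            hits.append((pid, chain))
    return hits

if __name__ == "__main__":
    for pid, chain in find_office_rundll32(EVENTS):
        print(pid, " > ".join(chain))
```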

Command line

Emotet switched from EXE files to DLL a long time ago, so the main payload ran under Rundll32. Extensive use of Powershell and CMD remains unchanged:

Emotet command line

How to recognize and protect against Emotet?

If you need a quick and convenient way to get complete information about an Emotet sample, use modern tools. The ANY.RUN Interactive Sandbox lets you monitor processes in real time and get all the necessary data immediately.

Suricata rulesets successfully identify various malicious programs, including Emotet. In addition, the Fake-Net function reveals the C2 links of a malicious sample. This feature also helps in collecting malware IOCs.

Emotet samples come and go, and it’s hard to keep up with them. We therefore encourage you to view daily updated samples in our public submissions.

Emotet proves to be a beast among the most dangerous cyber threats in the wild. The malware improves its functionality and works to evade detection. It is therefore essential to rely on effective tools such as ANY.RUN.

Have fun hunting malware!
