Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected in mass spam email campaigns.

Type: Trojan
Origin: ex-USSR
First seen: 1 June, 2014
Last seen: 19 February, 2020
Also known as: Heodo, Geodo
Global rank: 1
Week rank: 1
Month rank: 1
IOCs: 4720

What is Emotet Trojan?

Emotet is an extremely sophisticated and destructive Trojan used to download and install other malware. First recorded in 2014, it was classified as a banking trojan, but Emotet has gained advanced capabilities over the course of its lifetime and evolved into an entire malware distribution service.

So what makes the Emotet virus so dangerous? Emotet can act like a worm and spread over local networks, which makes it extremely hard to clean up. In addition to this, the Trojan has advanced persistence and anti-evasion mechanics, such as the ability to detect sandboxes and virtual machines, with an option to generate false indicators to throw researchers off. On top of that, the Trojan has a polymorphic design – meaning that it can change its code to bypass signature-based detection, making this cyber defense strategy useless against its attacks. If that wasn’t enough, Emotet can receive updates from the control server, performing this operation as if an operating system update were being installed. This allows the Trojan to drop additional malware onto the infected machine stealthily. It should also be noted that the Emotet trojan has a modular design, which makes it possible to adapt this malware to various tasks and customize it for every particular campaign, giving the attackers maximum flexibility. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.

General description of Emotet

The first version of the Emotet malware, spotted in the wild all the way back in 2014, was designed to steal banking credentials by intercepting internet traffic and was much more basic than the beast of a Trojan we know today. When Emotet was first spotted in the wild, the malware targeted mainly banks from Germany and Austria using only its native information stealing toolset.

Version two followed shortly after, this time carrying several additional modules, such as money transfer, mail spam, DDoS and address book stealing modules. The third iteration of Emotet was released in 2015, this time focusing on upgrading the anti-evasion functionality of the malware and adding banks from Switzerland to the list of potential victims.

The next overhaul of the Emotet malware followed in December 2016, changing the attack vector of the virus. At the beginning of its lifetime, Version 4 relied heavily on the RIG 4.0 exploit kit to make its way onto the victims' computers, later switching primarily to mail spam. The same iteration of the malware also marked the moment when its primary use case started shifting from using its own banking module to dropping other Trojans onto infected machines.

Speaking of modules, Emotet malware can perform a large number of malicious activities that vary depending on the modules used in a particular campaign. Most versions of the virus included a spam module which can be used to continue the spread of the malware by sending out a series of malicious emails from the infected machine. Another normally included module is the one used for credential stealing, allowing Emotet to steal sensitive information from web browsers and mail clients.

Starting from 2017, the Emotet trojan began coming equipped with a spreader module, allowing the malware to infect all machines connected via a local network. The virus also gained the address book stealer module – this one is interesting. It analyzes the relationship between email senders and receivers and uses the collected information to enhance the effectiveness of subsequent campaigns originating from the user’s PC, allowing it to target friends, family members and colleagues of the victim with personalized spam emails.

Not only does the Emotet malware provide flexible functionality through the use of modules and have several anti-evasion functions, but it also puts a heavy emphasis on persistence. To ensure that the malware stays on the infected machine, it injects into running processes, often targeting Explorer.exe. In addition to that, the malware uses Scheduled Tasks and makes registry key changes.

It should be noted that the Trojan we are reviewing today is extremely destructive, and its attacks can have several consequences, such as loss of private data, inability to operate the infected PC up to its complete unusability, and financial losses associated with restoring the infrastructure damaged by the malware. In fact, one company was forced to spend in excess of one million dollars to deal with the aftermath of an Emotet attack.

Emotet malware analysis

A video recorded in the ANY.RUN malware hunting service displays the execution process of Emotet, allowing the behavior of this malware to be examined in a lot of detail.

Figure 1: Process list (the Emotet execution process tree) generated by the ANY.RUN malware hunting service

Figure 2: Even more information about the execution of Emotet can be found in the customizable text reports generated by ANY.RUN

Emotet execution process

Considering that the primary way in which the Emotet trojan is distributed is malicious email spam campaigns, the first step in the chain of infection involves tricking the potential victim into opening an attached Microsoft Office file using social engineering. After the file has been opened and macros enabled, there is no need for additional user actions. Downloaded files contain malicious VBA code which runs after the document has been opened. One of the possible options for the infection process is that the VBA code utilizes WMI to launch a PowerShell script which downloads the payload – a malicious executable file – from a web server. Notably, the PowerShell script is encoded. Emotet takes steps to maintain a presence in the infected system: it copies itself into %AppData% subfolders and changes the autorun value in the registry. Throughout the infection process, the malware sends information to and receives it from a server. As the last execution step, Emotet waits for commands from C2 servers.
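The chain just described (Office macro, WMI-launched encoded PowerShell, copy under %AppData%, autorun value in the Run key) is what a detection engineer would want to match in endpoint telemetry. The following is an added example written for this page, not ANY.RUN's code or Emotet's: it runs a small rule set over a constructed list of Sysmon-style process-creation and registry events. The event field names (`type`, `pid`, `ppid`, `image`, `cmd`, `key`, `value`) are assumptions; real telemetry schemas differ. The encoded command in the sample is the UTF-16LE/base64 form of a harmless placeholder string, as the decoder shows.

```python
"""Detection of the Emotet-style infection chain over constructed telemetry.

Added example for this page; not ANY.RUN or Emotet code. Event schema is assumed.
"""
import base64
import re

# PowerShell accepts several abbreviations of -EncodedCommand.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encoded", "-encodedcommand"}
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed placeholder command, encoded the way PowerShell expects (UTF-16LE, base64).
PLACEHOLDER_COMMAND = "Write-Output 'placeholder download step'"
ENCODED = base64.b64encode(PLACEHOLDER_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed sample events: Word opens a document, WMI's provider host spawns
# an encoded PowerShell (so WINWORD is not the direct parent), and a dropped
# executable registers itself under the HKCU Run key from %AppData%.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmd": "WINWORD.EXE /n invoice.doc"},
    {"type": "process", "pid": 200, "ppid": 10, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "WmiPrvSE.exe -secured -Embedding"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell -nop -w hidden -enc " + ENCODED},
    {"type": "registry", "pid": 400, "image": r"C:\Users\alice\AppData\Roaming\svchost_x\update.exe", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update", "value": r"C:\Users\alice\AppData\Roaming\svchost_x\update.exe"},
    {"type": "process", "pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]


def image_name(path):
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the flag is absent or malformed."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def detect_emotet_chain(events):
    """Apply two rules and return a list of findings in event order.

    Rule 1: powershell.exe whose parent is WmiPrvSE.exe and whose command line
            carries an encoded command (WMI-launched, encoded PowerShell).
    Rule 2: a Run-key value pointing into a user's %AppData% tree (autorun persistence).
    """
    findings = []
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "process" and image_name(e["image"]) == "powershell.exe":
            parent = by_pid.get(e["ppid"])
            decoded = decode_encoded_command(e["cmd"])
            if parent and image_name(parent["image"]) == "wmiprvse.exe" and decoded is not None:
                findings.append({"rule": "wmi_spawned_encoded_powershell", "pid": e["pid"], "decoded": decoded})
        elif e["type"] == "registry" and RUN_KEY_RE.search(e["key"]) and APPDATA_RE.search(e["value"]):
            findings.append({"rule": "run_key_autorun_from_appdata", "pid": e["pid"], "value": e["value"]})
    return findings


if __name__ == "__main__":
    for finding in detect_emotet_chain(SAMPLE_EVENTS):
        print(finding)
```

Matching on the WmiPrvSE.exe parent rather than on WINWORD.EXE is the point of the first rule: launching PowerShell through WMI breaks the Office-to-PowerShell parent link that simpler rules key on, so the WMI provider host becomes the process to watch. The decoder is also useful on its own for triage of any encoded command line found in logs.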

Prevention of Emotet attacks

To minimize the risk of an Emotet infection, and the potential damage if such an infection does occur, users are advised to follow a set of standard best practices, such as not downloading files from suspicious emails and keeping an updated antivirus on the machine at all times.

For organizations, it is advised to restrict inbound SMB communication between client systems in order to prevent Emotet from spreading from one machine to another within the local network. Organizations should also provide security training for personnel, instruct employees about the danger of mail spam, and take all possible precautions to filter out potentially malicious emails at the firewall.

How does Emotet spread?

The main distribution method of the Emotet malware is malicious email campaigns. The trojan uses its address book stealer module to pull the contacts from the email account of its victim and sends itself to the contacts found, from the hijacked account.

Bearing in mind that potential victims are receiving an email from somebody they know and trust, Emotet has a very high chance of a successful attack. The received email usually contains a link to a malicious URL that downloads the malware when clicked. However, email spam is not the only distribution method that this malware utilizes. It may also take advantage of certain Windows vulnerabilities, so the malware can make its way onto a machine completely “silently”, without the user ever knowing about it.

How to collect Emotet’s IOCs using ANY.RUN?

Our "Fake Net" feature will be useful in your analysis of the Emotet malware. It intercepts HTTP requests and returns a 404 error, forcing the malware to reveal its C2 links.

To turn it on, open the "Advanced mode" of the "New task" window and check the box next to "Fake net" in the "Network" section.
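The mechanism behind a "fake net" is simple enough to show in a few dozen lines: answer every HTTP request with a 404 and record which host the request was meant for, so a sample that walks through its hard-coded server list exposes every entry. The following is an added example written for this page, not ANY.RUN's implementation: a local HTTP sink on 127.0.0.1 plus a `probe_as_sample` helper that replays a constructed list of candidate hostnames (`*.invalid` names, which never resolve on real networks) against it. Everything runs offline on the loopback interface.

```python
"""A minimal HTTP 'fake net' sink: every request gets a 404 and is logged.

Added example for this page; not ANY.RUN's implementation of Fake Net.
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class FakeNetSink:
    """Loopback HTTP server that rejects everything with 404 and records Host/method/path."""

    def __init__(self, host="127.0.0.1", port=0):
        self.contacted = []  # (host_header, method, path) in the order seen
        sink = self

        class Handler(BaseHTTPRequestHandler):
            def _reply(self):
                # Drain any request body first so the client sees a clean 404, not a reset.
                length = int(self.headers.get("Content-Length") or 0)
                if length:
                    self.rfile.read(length)
                sink.contacted.append((self.headers.get("Host", ""), self.command, self.path))
                self.send_response(404)
                self.send_header("Content-Length", "0")
                self.end_headers()

            do_GET = _reply
            do_POST = _reply

            def log_message(self, *args):  # keep the console quiet
                pass

        self.server = ThreadingHTTPServer((host, port), Handler)
        self.thread = threading.Thread(target=self.server.serve_forever, daemon=True)

    def start(self):
        """Start serving; returns the bound port (useful when port=0 was requested)."""
        self.thread.start()
        return self.server.server_address[1]

    def stop(self):
        self.server.shutdown()
        self.server.server_close()

    def unique_hosts(self):
        """Sorted, de-duplicated list of Host headers seen: the candidate C2 list."""
        return sorted({h for h, _, _ in self.contacted})


def probe_as_sample(port, candidate_hosts):
    """Replay a constructed candidate server list against the sink, one request per host,
    the way a sample cycling through hard-coded servers would. Returns the HTTP statuses."""
    statuses = []
    for host in candidate_hosts:
        req = Request(f"http://127.0.0.1:{port}/", headers={"Host": host})
        try:
            with urlopen(req, timeout=5) as resp:
                statuses.append(resp.status)
        except HTTPError as err:  # urllib raises on 4xx; the code is what we want
            statuses.append(err.code)
    return statuses


if __name__ == "__main__":
    sink = FakeNetSink()
    bound_port = sink.start()
    # Constructed candidate list; '.invalid' names never resolve on a real network.
    print(probe_as_sample(bound_port, ["c2-one.invalid", "c2-two.invalid", "c2-one.invalid"]))
    sink.stop()
    print(sink.unique_hosts())
```

In a lab, the sink would sit behind DNS or routing that sends all the sample's traffic to it; here the probe helper stands in for that by setting the Host header directly. Because the sink never returns a success, the sample keeps moving down its list, which is exactly what makes the full set of server names visible.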

Figure 3: An Emotet sample run with the "Fake net" feature turned on

Conclusion

The Emotet malware is one of the most sophisticated and destructive trojans currently active. Since its first introduction all the way back in 2014, the malware has undergone a substantial evolution, gaining a lot of anti-evasion features, obtaining worm-like functionality and even changing its main focus from information stealing to installing other trojans onto infected machines. Thanks to the ability to spread to adjacent systems, Emotet can easily infect all machines in a single network, making dealing with the consequences of an attack a true nightmare. The situation is further worsened by the fact that the malware is equipped with a series of anti-evasion tricks that make analyzing it quite difficult. As a result, the process of developing countermeasures is much more complicated than for simpler and more straightforward trojans.

Thankfully, modern online hunting services like ANY.RUN are equipped with equally advanced research functions and allow professionals to study cyber threats with maximum efficiency, helping researchers to battle elusive malware like Emotet.

IOCs

IP addresses
61.204.119.188
136.243.250.34
187.156.77.88
64.184.36.98
45.79.223.161
189.173.177.96
51.159.23.217
103.38.12.139
195.159.28.229
105.224.171.102
46.21.105.59
185.94.252.27
181.171.118.19
46.101.123.139
128.199.78.227
104.236.217.164
45.55.83.204
187.162.62.135
181.231.72.200
172.221.229.86
Hashes

Domains
elx01.knas.systems
pinkstyle.org
adonis-medicine.at
isns.net
coasterqueen.com
majul.com
www.ebluenetworks.com
nilotechecycling.com
www.modsoft.net
thuocnam.tk
m-onetrading-jp.com
krupskaya.com
qxq.ddns.net
gearnova.com
studiored.com
www.josebernalte.com
www.drive-software.com
www.collegedj.net
intersearchmedia.com
www.intersearchmedia.com
