Emotet Re-emerges with Help from TrickBot
Last updated on: December 21, 2022
Emotet has recently reemerged after being taken down less than a year ago by global law enforcement as coordinated by Europol and Eurojust. The takedown was achieved after law enforcement compromised a command-and-control system, and then pushed a specially crafted update to Emotet agents that leveraged the botnet to remove itself.
Now Emotet is being resurrected with the help of TrickBot. BleepingComputer.com published two reports documenting this resurgence through both phishing campaigns and a fake Adobe Windows Installer.
Background Information about TrickBot
TrickBot is a modular trojan that has mainly been used as a banking trojan in the United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in September 2016 and appears to be a successor to Dyre.
Qualys Malware Lab Analysis
This trojan typically arrives via spam, phishing, exploitation of a vulnerability, or (prior to Emotet’s takedown) a pre-loaded Emotet infection.
The malware makes a copy of itself in
C:\ProgramData\ with additional files written to
%AppData%\roaming\<random name> which acts as the main staging folder for this infection.
TrickBot then relaunches itself using UAC bypass techniques. It uses the CMSTPLUA COM interface to elevate its privileges and bypass AppLocker or other application control defenses. Further, it launches several instances of cmd.exe and runs commands to disable Windows security measures like Real Time Monitoring, Behavior Monitoring, BlockAtFirstSeen, IOVA Protection, Privacy Mode, Intrusion Prevention System, Script Scanning, and WinDefend Service.
The malware drops a settings.ini configuration file. It is encoded using a charset. All the modules and configuration are AES CBC_MODE encrypted and XORed using the
botkey present in a settings.ini file.
This settings.ini file contains the command-and-control Infrastructure information and instruction for modules to run in the campaign. TrickBot uses
<gtag> to identify the group ID used for the campaign and
<clientid> for the client.
The malware then establishes persistence by creating a scheduled task at startup. The task will execute malware.exe which spawns svchost.exe to inject its code.
Once the victim’s environment has been staged, TrickBot fetches modules as DLLs from C&C servers as per the config file, and then reflectively injects them into the svchost.exe process. All DLLs export the same functions: Control, Release, FreeBuffer, and Start. TrickBot uses HTTP/HTTPS GET and POST requests to download modules and exfiltrate data to the C2 server.
After collection, the data is sent back to the C&C server using HTTP POST requests with customized Content-Disposition headers to identify the content of the data.
Background Information about Emotet
The following are our narrative findings before the reemergence of Emotet.
Emotet is an advanced polymorphic trojan that first emerged in 2014. Emotet has evolved and advanced its capabilities over time. It is among the most destructive trojans found in the wild today. It is often used as a dropper for TrickBot, Ryuk ransomware, and other well-known malware.
Qualys Malware Labs Analysis
The initial infection vector of Emotet is a malicious email campaign. Emotet also has an email stealing module which extracts contacts from the victim’s email application, and then emails itself to them.
Once the malicious link is opened, a MS Office Word attachment gets downloaded. Generally, this file contains a malicious macro that runs and executes encoded PowerShell commands. In earlier versions of Emotet, a .pdf file was downloaded.
Newer document versions will schedule the execution of PowerShell via WMI. This breaks up the process tree by detaching it from Microsoft Office processes. PowerShell downloads the payload for the next stage and executes it. Once a second stage binary executes, it establishes simple persistence using Windows Registry autorun keys and begins to spread to other hosts.
Emotet has self-spreading capabilities, using brute force with enriched password lists to move via Windows Administrative Shares. Once an Emotet binary obtains credentials, it copies itself to the ADMIN$ of another network host.
Execution on the host is scheduled using the creation of a service over Server Message Block (SMB). The malware then continues to spread and perform activities such as collecting email addresses from the victim’s systems for further distribution. Once fully deployed within the targeted enterprise networks, Emotet downloads and executes additional malware.
Latest Findings for Emotet
Qualys evaluated a sample with the following SHA:
Our analysts noted the following current behavior:
admin mode: syswow64 or system32:- creates randomname folder and renames dll with randomname and extension (syswow64\abcdfg\bjdsdf.byk) executed by rundll32 non admin mode: appdata\local: - create random name folder and renames dll with randomname and extension (appdata\local\abcdfg\baddk.byk) executed by rundll32
C&C communication structure:
BotID FilenameHash BotVersion Const_100000 WinVersion SessionID ModuleIDs
The main change to Emotet is how it encrypts. It was changed from RSA to Elliptic Curve Cryptography (ECC).
It can handle seven commands from C&C communication. It drops modules to the same location as the current Emotet binary.
- Update – Dump file and execute with rundll32.exe filename,Control_RunDLL base64
- Load Dll into the memory and execute at entry point (spam module and other modules loading)
- Drop executable and execute (TrickBot and other malware)
- Drop executable and execute in active session
- Load Dll into the memory and execute entry point and export DllRegisterServer
- Drop dll and execute regsvr32.exe -s filename
- Drop dll and execute rundll32.exe filename Control_RunDll
Public_keys include the following:
-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg== -----END PUBLIC KEY----- -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA== -----END PUBLIC KEY-----
22.214.171.124:443, 126.96.36.199:80, 188.8.131.52:8080, 184.108.40.206:8080, 220.127.116.11:7080, 18.104.22.168:8080, 22.214.171.124:8080, 126.96.36.199:8080, 188.8.131.52:443, 184.108.40.206:443, 220.127.116.11:8080, 18.104.22.168:8080, 22.214.171.124:80, 126.96.36.199:443, 188.8.131.52:8080, 184.108.40.206:443, 220.127.116.11:8080, 18.104.22.168:8080, 22.214.171.124:443, 126.96.36.199:443, 10.203.212.2:8080, 188.8.131.52:173, 184.108.40.206:1579, 220.127.116.11:713, 18.104.22.168:8080, 22.214.171.124:8080, 126.96.36.199:443, 188.8.131.52:8080, 184.108.40.206:8080, 220.127.116.11:8080, 18.104.22.168:61767, 22.214.171.124:8080, 126.96.36.199:7080, 188.8.131.52:49953, 184.108.40.206:36390, 220.127.116.11:11844, 18.104.22.168:10362, 22.214.171.124:31175, 126.96.36.199:29524, 188.8.131.52:46077, 184.108.40.206:8080, 220.127.116.11:50709, 18.104.22.168:46220, 22.214.171.124:29156, 126.96.36.199:56281, 188.8.131.52:8080, 184.108.40.206:8080, 220.127.116.11:443, 18.104.22.168:20454, 22.214.171.124:8790, 126.96.36.199:80, 188.8.131.52:7080, 184.108.40.206:8080, 220.127.116.11:31704, 18.104.22.168:25912, 22.214.171.124:30680, 126.96.36.199:64568, 188.8.131.52:8947, 184.108.40.206:8080, 220.127.116.11:8080, 18.104.22.168:26511, 22.214.171.124:8080, 126.96.36.199:42953, 188.8.131.52:80, 184.108.40.206:443, 220.127.116.11:443
MITRE ATT&CK Mapping for TrickBot
|Technique ID||Technique Name||Use Case|
|T1547.001||Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder||TrickBot establishes persistence in the Windows Startup folder.|
|T1059.003||Command and Scripting Interpreter: Windows Command Shell||TrickBot uses macros in Excel documents to download and deploy its payload on to the user’s machine.|
|T1056.004||Input Capture: Credential API Hooking||TrickBot uses the CredEnumerateA API to capture RDP credentials.|
|T1112||Modify Registry||TrickBot can modify the registry.|
|T1053.005||Scheduled Task/Job: Scheduled Task||TrickBot creates a scheduled task called “Malware” on the system to maintain persistence.|
|T1071.001||Application Layer Protocol: Web Protocols||TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic, and various configuration files.|
|T1055.012||Process Injection: Process Hollowing||TrickBot injects into the svchost.exe process|
More at https://attack.mitre.org/software/S0266/
Vulnerabilities Associated with TrickBot
|91360||Microsoft Windows SMBv1 and NBT Remote Code Execution|
|91504||Windows SMB Remote Code Execution Vulnerability|
MITRE ATT&CK Mapping for Emotet
|Technique ID||Technique Name||Use Case|
|T1059.001||Command and Scripting Interpreter: PowerShell||Macro enabled Doc uses PowerShell script to download further stages|
|T1059.003||Command and Scripting Interpreter: Windows Command Shell||Macro enabled Doc uses Windows Command Line script to download further stages|
|T1047||Windows Management Instrumentation||Macro enabled doc to execute PowerShell using WMI|
|T1087.003||Account Discovery: Email Account||Emotet leverages a module that can scrape email addresses from Outlook|
|T1547.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder||Emotet maintains persistence by adding the downloaded payload to the Run key|
|T1112.002||Remote Services: SMB/Windows Admin Shares||Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced|
Detection & Mitigation of a Emotet Attack
Keep an eye out for attack code. Be sure to monitor for any evidence of privilege escalation, impaired defenses, or data exfiltration techniques as described above. To determine whether your organization has been impacted by malicious code, check client-facing devices and applications for any signs of unauthorized access. To identify potential data exfiltration, look for unusual patterns of outbound traffic.
Qualys Multi-Vector EDR has integrated protection capabilities to deliver holistic security to endpoints for ransomware attacks. Anti-Malware proactively protects endpoints against known threats. EDR augments detection by capturing endpoint activity and telemetry to detect and respond to unknown zero-day threats and living-off-the-land attacks.
When a symptom of a compromise or attack is discovered, Qualys EDR provides in-depth visibility and contextual enrichment for incident responders and threat hunters. This gives them a complete picture of the endpoint, thus enabling root cause analysis. Qualys Multi-Vector EDR provides detection, protection, and response capabilities using a variety of capabilities: real-time anti-malware technology, anti-exploit memory protection, endpoint telemetry, and correlations that identify suspicious and malicious behavior. These capabilities incorporate industry-leading threat intelligence and Mitre ATT&CK tactics and techniques.