Emotet Re-emerges with Help from TrickBot

Aubrey Perin

Last updated on: December 21, 2022

Emotet has recently reemerged after being taken down less than a year ago by global law enforcement as coordinated by Europol and Eurojust. The takedown was achieved after law enforcement compromised a command-and-control system, and then pushed a specially crafted update to Emotet agents that leveraged the botnet to remove itself.

Now Emotet is being resurrected with the help of TrickBot. BleepingComputer.com published two reports documenting this resurgence through both phishing campaigns and a fake Adobe Windows Installer.

Background Information about TrickBot

Summary

TrickBot is a modular trojan that has mainly been used as a banking trojan in the United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in September 2016 and appears to be a successor to Dyre.

Qualys Malware Lab Analysis

This trojan typically arrives via spam, phishing, exploitation of a vulnerability, or (prior to Emotet’s takedown) a pre-loaded Emotet infection.

The malware makes a copy of itself in C:\ProgramData\ with additional files written to %AppData%\roaming\<random name> which acts as the main staging folder for this infection.

TrickBot then relaunches itself using UAC bypass techniques. It uses the CMSTPLUA COM interface to elevate its privileges and bypass AppLocker or other application control defenses. Further, it launches several instances of cmd.exe and runs commands to disable Windows security measures like Real Time Monitoring, Behavior Monitoring, BlockAtFirstSeen, IOVA Protection, Privacy Mode, Intrusion Prevention System, Script Scanning, and WinDefend Service.

The malware drops a settings.ini configuration file. It is encoded using a charset. All the modules and configuration are AES CBC_MODE encrypted and XORed using the botkey present in a settings.ini file.

This settings.ini file contains the command-and-control Infrastructure information and instruction for modules to run in the campaign. TrickBot uses <gtag> to identify the group ID used for the campaign and <clientid> for the client.

The malware then establishes persistence by creating a scheduled task at startup. The task will execute malware.exe which spawns svchost.exe to inject its code.

Once the victim’s environment has been staged, TrickBot fetches modules as DLLs from C&C servers as per the config file, and then reflectively injects them into the svchost.exe process. All DLLs export the same functions: Control, Release, FreeBuffer, and Start. TrickBot uses HTTP/HTTPS GET and POST requests to download modules and exfiltrate data to the C2 server.

After collection, the data is sent back to the C&C server using HTTP POST requests with customized Content-Disposition headers to identify the content of the data.

Background Information about Emotet

The following are our narrative findings before the reemergence of Emotet.

Summary 

Emotet is an advanced polymorphic trojan that first emerged in 2014. Emotet has evolved and advanced its capabilities over time. It is among the most destructive trojans found in the wild today. It is often used as a dropper for TrickBot, Ryuk ransomware, and other well-known malware.

Qualys Malware Labs Analysis

The initial infection vector of Emotet is a malicious email campaign. Emotet also has an email stealing module which extracts contacts from the victim’s email application, and then emails itself to them.

Once the malicious link is opened, a MS Office Word attachment gets downloaded. Generally, this file contains a malicious macro that runs and executes encoded PowerShell commands. In earlier versions of Emotet, a .pdf file was downloaded.

Newer document versions will schedule the execution of PowerShell via WMI. This breaks up the process tree by detaching it from Microsoft Office processes. PowerShell downloads the payload for the next stage and executes it. Once a second stage binary executes, it establishes simple persistence using Windows Registry autorun keys and begins to spread to other hosts.

Emotet has self-spreading capabilities, using brute force with enriched password lists to move via Windows Administrative Shares. Once an Emotet binary obtains credentials, it copies itself to the ADMIN$ of another network host.

Execution on the host is scheduled using the creation of a service over Server Message Block (SMB). The malware then continues to spread and perform activities such as collecting email addresses from the victim’s systems for further distribution. Once fully deployed within the targeted enterprise networks, Emotet downloads and executes additional malware.

Latest Findings for Emotet

Qualys evaluated a sample with the following SHA:

694cc1f7a8d4f5a5b62d11b7fda8300004e3d16d3120e9aa31cc27f2bbd55bd3

Our analysts noted the following current behavior:

admin mode: syswow64 or system32:- creates randomname folder and 
renames dll with randomname and extension 
(syswow64\abcdfg\bjdsdf.byk) executed by rundll32
non admin mode: appdata\local: - create random name folder and 
renames dll with randomname and extension 
(appdata\local\abcdfg\baddk.byk) executed by rundll32

C&C communication structure:

BotID
FilenameHash
BotVersion
Const_100000
WinVersion
SessionID
ModuleIDs

The main change to Emotet is how it encrypts. It was changed from RSA to Elliptic Curve Cryptography (ECC).

It can handle seven commands from C&C communication. It drops modules to the same location as the current Emotet binary.

  1. Update – Dump file and execute with rundll32.exe filename,Control_RunDLL base64
  2. Load Dll into the memory and execute at entry point (spam module and other modules loading)
  3. Drop executable and execute (TrickBot and other malware)
  4. Drop executable and execute in active session
  5. Load Dll into the memory and execute entry point and export DllRegisterServer
  6. Drop dll and execute regsvr32.exe -s filename
  7. Drop dll and execute rundll32.exe filename Control_RunDll

ECC Keys:

Public_keys include the following:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
-----END PUBLIC KEY-----

Associated Servers:

51.178.61.60:443, 168.197.250.14:80, 45.79.33.48:8080, 196.44.98.190:8080, 177.72.80.14:7080, 51.210.242.234:8080, 185.148.169.10:8080, 142.4.219.173:8080, 78.47.204.80:443, 78.46.73.125:443, 37.44.244.177:8080, 37.59.209.141:8080, 191.252.103.16:80, 54.38.242.185:443, 85.214.67.203:8080, 54.37.228.122:443, 207.148.81.119:8080, 195.77.239.39:8080, 66.42.57.149:443, 195.154.146.35:443, 10.203.212.2:8080, 100.252.55.25:173, 101.23.118.131:1579, 102.189.218.130:713, 102.26.120.6:8080, 103.26.120.6:8080, 103.75.201.2:443, 103.8.26.102:8080, 103.8.26.103:8080, 104.251.214.46:8080, 107.172.19.26:61767, 116.125.93.188:8080, 117.163.34.4:7080, 118.180.151.70:49953, 118.188.178.105:36390, 120.228.160.111:11844, 124.192.27.242:10362, 125.185.54.181:31175, 126.59.158.238:29524, 132.101.120.13:46077, 132.217.57.210:8080, 133.63.78.5:50709, 135.113.153.0:46220, 135.113.18.3:29156, 136.56.167.8:56281, 138.185.72.26:8080, 142.4.219.173:8080, 146.188.116.6:443, 157.103.250.213:20454, 161.225.230.20:8790, 168.197.250.14:80, 177.72.80.14:7080, 178.79.147.66:8080, 18.216.230.75:31704, 180.200.38.218:25912, 180.55.215.4:30680, 181.50.169.208:64568, 182.197.86.148:8947, 185.148.169.10:8080, 185.184.25.237:8080, 188.211.144.253:26511, 188.93.125.116:8080, 189.30.93.0:42953, 191.252.103.16:80, 93.236.16.5:443, 94.177.248.64:443

MITRE ATT&CK Mapping for TrickBot

Technique IDTechnique NameUse Case
T1547.001Boot or Logon AutoStart Execution: Registry Run Keys / Startup FolderTrickBot establishes persistence in the Windows Startup folder.
T1059.003Command and Scripting Interpreter: Windows Command ShellTrickBot uses macros in Excel documents to download and deploy its payload on to the user’s machine.
T1056.004Input Capture: Credential API HookingTrickBot uses the CredEnumerateA API to capture RDP credentials.
T1112Modify RegistryTrickBot can modify the registry.
T1053.005Scheduled Task/Job: Scheduled TaskTrickBot creates a scheduled task called “Malware” on the system to maintain persistence.
T1071.001Application Layer Protocol: Web ProtocolsTrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic, and various configuration files.
T1055.012Process Injection: Process HollowingTrickBot injects into the svchost.exe process

More at https://attack.mitre.org/software/S0266/

Vulnerabilities Associated with TrickBot

CVEQIDDescription
CVE-2017-0144,
CVE-2017-0147
91360Microsoft Windows SMBv1 and NBT Remote Code Execution
CVE-2019-0630,
CVE-2019- 0633
91504Windows SMB Remote Code Execution Vulnerability

MITRE ATT&CK Mapping for Emotet

Technique ID Technique Name Use Case
T1059.001Command and Scripting Interpreter: PowerShellMacro enabled Doc uses PowerShell script to download further stages
T1059.003 Command and Scripting Interpreter: Windows Command Shell Macro enabled Doc uses Windows Command Line script to download further stages
T1047Windows Management InstrumentationMacro enabled doc to execute PowerShell using WMI
T1087.003Account Discovery: Email AccountEmotet leverages a module that can scrape email addresses from Outlook
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderEmotet maintains persistence by adding the downloaded payload to the Run key
T1112.002Remote Services: SMB/Windows Admin SharesEmotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced

Detection & Mitigation of a Emotet Attack

Keep an eye out for attack code. Be sure to monitor for any evidence of privilege escalation, impaired defenses, or data exfiltration techniques as described above. To determine whether your organization has been impacted by malicious code, check client-facing devices and applications for any signs of unauthorized access. To identify potential data exfiltration, look for unusual patterns of outbound traffic.

Qualys Multi-Vector EDR has integrated protection capabilities to deliver holistic security to endpoints for ransomware attacks. Anti-Malware proactively protects endpoints against known threats. EDR augments detection by capturing endpoint activity and telemetry to detect and respond to unknown zero-day threats and living-off-the-land attacks.

When a symptom of a compromise or attack is discovered, Qualys EDR provides in-depth visibility and contextual enrichment for incident responders and threat hunters. This gives them a complete picture of the endpoint, thus enabling root cause analysis. Qualys Multi-Vector EDR provides detection, protection, and response capabilities using a variety of capabilities: real-time anti-malware technology, anti-exploit memory protection, endpoint telemetry, and correlations that identify suspicious and malicious behavior. These capabilities incorporate industry-leading threat intelligence and Mitre ATT&CK tactics and techniques.

Share your Comments

Comments

Your email address will not be published. Required fields are marked *