5. Appeared ~2012-2013
Feodo family
Wasn't considered a significant threat until later
Notable for:
• Using a configuration file with targeted banks
• Injecting DLLs into processes for monitoring
• Distributed via spam messages
2. EMOTET
EMOTET_ROOTEDCON 2020
6. Since its origins, Emotet has come a long way:
• Switch from Banking Trojan to spammer/loader
• Developed into modular Trojan
One of the most prolific malware families of all time
US Government estimates up to $1 million in remediation costs per incident
2.1 THE MALWARE
7. 2.1 THE MALWARE
Notable features:
• Multiple modules available
• Use of Heaven's Gate
• Multiple persistence mechanisms
• Encrypted communications
• protobuf
• VM detection
• Hash-based import resolution
8. Modules:
• NirSoft tools, harvesting module
  • Steal information from browsers, email clients
  • Extract information to be reused in spam campaigns
• Spam module
• Port forwarding
• Network spreading module
  • Includes WIFI, network resources
2.1 THE MALWARE
11. Hash-based import resolution
• Good for stealthiness
• Peculiar algorithm choice
• sdbm: non-cryptographic hash
2.1 THE MALWARE
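As an added worked example (not code from the talk), the sdbm routine named on this slide, used the way an analyst resolves hashed imports: precompute hash to name over a known export list so hashes pulled from a sample can be looked up. The export list is constructed, and the seed parameter is an assumption, since individual Emotet builds may tweak the base algorithm.

```python
# Added example: sdbm hash plus a reverse-lookup table for analysts.
# Plain sdbm (seed 0, 32-bit truncation) is assumed; the seed is a parameter
# because malware builds often tweak the base algorithm.

def sdbm(name: str, seed: int = 0) -> int:
    """Classic sdbm: h = c + (h << 6) + (h << 16) - h, truncated to 32 bits."""
    h = seed
    for c in name.encode("ascii"):
        h = (c + (h << 6) + (h << 16) - h) & 0xFFFFFFFF
    return h


def build_lookup(export_names, seed: int = 0) -> dict:
    """Precompute hash -> export name. A collision would make a resolved name
    ambiguous, so it is reported instead of silently overwritten."""
    table = {}
    for n in export_names:
        h = sdbm(n, seed)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {table[h]} / {n} -> {h:08x}")
        table[h] = n
    return table


def resolve(hashes, table: dict) -> list:
    """Map hashes found in a sample back to names; unknowns stay tagged."""
    return [table.get(h, f"UNKNOWN_{h:08x}") for h in hashes]


# Constructed export list: a handful of real Win32 export names, not an
# export table dumped from any sample.
EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
           "CreateRemoteThread", "WriteProcessMemory", "GetTickCount"]
TABLE = build_lookup(EXPORTS)

if __name__ == "__main__":
    wanted = [sdbm("VirtualAlloc"), sdbm("GetTickCount"), 0xDEADBEEF]
    for h, name in zip(wanted, resolve(wanted, TABLE)):
        print(f"{h:08x} -> {name}")
```

In practice the export list comes from the DLLs the sample is expected to resolve against, and any hash that stays UNKNOWN is a hint that the build uses a different seed or variant.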
14. 2.1 THE MALWARE
Use of Heaven's Gate technique
• Used to perform x64 syscalls from an x32 process
• Needed by Emotet for email harvesting
• Disrupts analysis
• Most debuggers don't have support
15. 2.1 THE MALWARE
Use of Heaven's Gate technique
• Used to inject into an x64 process from x32
• Needed by Emotet for email harvesting
• Disrupts analysis
• Most debuggers don't have support
20. 2.2 KILL CHAIN
Some of the macros will instead use wscript to execute a JavaScript payload, with a similar purpose.
• Some organizations have disabled PowerShell execution
21. 2.2 KILL CHAIN
The payload will contact a (typically) compromised server, and it will download the actual Emotet binary:
23. 2.2 KILL CHAIN
The binary contains a list of hardcoded IPs and the necessary encryption keys to communicate with the C2.
1. After being executed, it will call home:
  1. If not running the most recent Emotet, the server will provide an updated sample
  2. If running the most recent version, it will return the modules
24. 2.2 KILL CHAIN
The modules are executed using different techniques depending on the module…
…but we will not get into that in this talk.
Depending on the campaign, Emotet will then deploy the next payload: Trickbot, Dridex, Pandabanker, etc.
28. Protobuf:
• Protocol Buffers by Google
• Data serializer
Emotet uses a modified version. If you want to play around with this...
https://d00rt.github.io/emotet_network_protocol/
2.3 THE INFRASTRUCTURE
29. The request itself has changed a lot over time:
• Changes in response code
• Changes in request type POST->GET
• Different path generation
  • Based on serial number of infected bot
  • Based on keyword list
• Data embedded in POST DATA, cookie...
2.3 THE INFRASTRUCTURE
32. The infrastructure is also constantly changing:
• Compromised servers
• RSA keys used
• C2 available
And apparently, subdivided into different infrastructures
2.3 THE INFRASTRUCTURE
33. Trend Micro identified two different infrastructures in Nov 2018:
• Different RSA keys
• Different C2 combinations
• Grouped by compilation time (EPOCH)
2.3 THE INFRASTRUCTURE
https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
34. 2.3 THE INFRASTRUCTURE
Even before then, the research group Cryptolaemus was already sharing Emotet IOCs
• Different infrastructures
• Divided by Epoch
• At least a month before the blogpost
35. With time, identifying the Epochs has become more difficult:
• Three infrastructures instead of two
• Identified based on:
  • C2 relationship
  • RSA key (unique per Epoch)
  • Document dropper creation time
2.3 THE INFRASTRUCTURE
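As an added example, not part of the talk: the Epoch attribution criteria listed above (RSA key unique per Epoch, C2 relationship) turned into a clustering pass over sample records, flagging any cluster where the two criteria disagree. Sample labels, key fingerprints and C2 addresses are all constructed, not real indicators.

```python
# Added example: attribute samples to Epochs from the talk's two criteria,
# RSA key (unique per Epoch) and shared C2s, and flag clusters where they disagree.
from collections import defaultdict

# Constructed records; SHA labels, key fingerprints and C2 addresses are made up.
SAMPLES = [
    {"sha": "sample-A", "rsa": "rsa-key-1", "c2": {"10.0.0.1:8080", "10.0.0.2:443"}},
    {"sha": "sample-B", "rsa": "rsa-key-1", "c2": {"10.0.0.2:443", "10.0.0.3:80"}},
    {"sha": "sample-C", "rsa": "rsa-key-2", "c2": {"10.0.1.1:8080"}},
    {"sha": "sample-D", "rsa": "rsa-key-2", "c2": {"10.0.1.1:8080", "10.0.1.2:443"}},
    # Shares a C2 with the key-1 group but carries a new key (rotation or C2
    # reuse across Epochs): must be surfaced for review, not attributed silently.
    {"sha": "sample-E", "rsa": "rsa-key-3", "c2": {"10.0.0.3:80"}},
]

def cluster_epochs(samples):
    """Union-find over samples: link on same RSA key or on any shared C2."""
    parent = {s["sha"]: s["sha"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    seen_key, seen_c2 = {}, {}
    for s in samples:
        if s["rsa"] in seen_key:
            union(s["sha"], seen_key[s["rsa"]])
        seen_key.setdefault(s["rsa"], s["sha"])
        for c2 in s["c2"]:
            if c2 in seen_c2:
                union(s["sha"], seen_c2[c2])
            seen_c2.setdefault(c2, s["sha"])

    groups = defaultdict(list)
    for s in samples:
        groups[find(s["sha"])].append(s)
    clusters = []
    for members in groups.values():
        keys = {m["rsa"] for m in members}
        clusters.append({"samples": sorted(m["sha"] for m in members),
                         "rsa_keys": keys,
                         "c2": set().union(*(m["c2"] for m in members)),
                         "consistent": len(keys) == 1})  # one key per Epoch
    return sorted(clusters, key=lambda c: c["samples"][0])
```

The third criterion from the slide, document dropper creation time, would be a further linking signal; it is left out here because the records above carry no timestamps.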
42. 2.3 THE INFRASTRUCTURE
First rule of TI:
• No one has visibility over absolutely everything
• We're missing data too
Tracking Emotet is not that easy:
• Many factors to take into account
• Server responses may vary by country and time of day
• Protocol changes affect emulator effectiveness
44. 2.4 SPAM
The success of Emotet is driven by:
• Quality of spam sent
• Sheer volume of spam the botnet is capable of producing
45. 2.4 SPAM
Spam quality:
• Even when using "generic" spam messages, these are tailored for the targeted countries
52. 2.4 SPAM
Spam by topic (based on subject):
Topic       Subject
Name        Name of the victim
No subject  No subject
Response    Reply-related subject
Finance     Invoices, budgeting
Info        Information-related subject
Spam        Literal spam subject
Work        Job offers, workplace
53. 2.4 SPAM
Spam by language (top 9)
Language    Emails
English     772435
Italian     298895
German      281624
Spanish     214543
Korean       86879
Portuguese   66133
Japanese     63563
Romanian     39538
Catalan      38289
57. 2.4 SPAM
The Emotet gang has also taken advantage of other events or public figures such as:
• Climate-change related emails mentioning Greta Thunberg
• Coronavirus
Image source: Proofpoint
58. 2.4 SPAM
Renting/side-gig with sextortion emails:
• Claiming to have videos of someone "satisfying" themselves
• Threaten to send them to all contacts
• Recipients get infected with Emotet anyway...
61. 3. ACTING AS A LOADER
Emotet's main objective is to act as a loader.
It has been seen distributing many different types of malware, but some of the most relevant today are:
• Dridex
• Trickbot
• Pandabanker
62. 3. ACTING AS A LOADER
Many of these are also combined with ransomware, creating a devastating combination for many companies
• Triple threat: Emotet + Trickbot + Ryuk
Image Credit: Cybereason
63. 4. ACTING AS A LOADER
There have been some reported incidents:
• Berlin High Court (Kammergericht)
• Frankfurt (preemptive shutdown)
• Prosegur
• Cadena Ser
But many happen under the radar
64. 4. ACTING AS A LOADER
New trends in ransomware:
• Maze
• DoppelPaymer
• Nemty
66. 5. CONCLUSIONS
Emotet will keep growing its assets:
• Ramping up distribution
• Better spam campaigns
New trends in ransomware:
• More groups will join the leak-threat trend
67. 5. CONCLUSIONS
Next steps:
• Contacting Cryptolaemus about the data discrepancy
• Keep investigating the Emotet gang
Educate users on this threat:
• Spam techniques used
• Infection vectors
Learn about their TTPs