CyberWire Daily - Emotet reemerges and becomes one of most prolific threat groups out there. [Research Saturday]
Episode Date: January 9, 2021. Deep Instinct's Shimon Oren joins us to talk about his team's research on "Why Emotet's latest wave is harder to catch than ever before - Part 2." Emotet appears to have reemerged more evasive than before, this time with a payload delivered from a loader that security tools aren't equipped to handle. Emotet, the largest malware botnet today, started in 2014 and continues to be one of the most challenging threats in today's landscape. This botnet causes huge damage by spreading ransomware and info stealers to its infected systems. Recently, a rise in the number of Emotet infections was observed in France, Japan, and New Zealand. The high number of infections shows the effectiveness of the Emotet malware at staying undetected. Shimon joins us to discuss how Deep Instinct investigated the payload that was encrypted inside the loader, analyzes the next steps in the infection process, and discovers the techniques used to make this malware difficult to analyze. The original blog post and updated post on the research can be found here: "Emotet Analysis: Why Emotet's Latest Wave is Harder to Catch than Ever Before" and "Why Emotet's latest wave is harder to catch than ever before - Part 2".
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Emotet has been around for several years now, but we can definitely say that in the last
12 to 18 months, it's really become one of the most prolific threat groups out there.
That's Shimon Oren.
He's VP of Research and Deep Learning at Deep Instinct.
The research we're discussing today is titled
Why Emotet's Latest Wave is Harder to Catch Than Ever Before.
So what led to you all taking on this research here?
What sparked your interest that you started this effort?
Well, what sparked our interest is, again, first and foremost, the fact that Emotet constitutes such a significant part
of the current threat landscape.
And over a year now, the fact that it's one of the malware families
and malware campaigns we see most trying to attack the customers,
which we protect.
And in general, just a very, very active campaign group.
But other than that, what really interests us in Emotet
from a pure professional standpoint is the fact that it's
a very, very successful, so to speak, or for lack of a better word,
it's a very, very successful malware campaign.
It's very evasive.
It's quite sophisticated, both from a technical standpoint,
or I'd say even more so from a modus operandi standpoint,
the way they operate as a group,
and the way they go about carrying on their operations.
Well, let's walk through your research together here.
You all began with some data samples,
which you grouped into different categories?
Yes, I mean, that's pretty much what we set out with.
What we've seen in the, I'd say,
in the second half of the summer of this year
is a new and quite expansive attack wave.
In general, at this point, I think it's worth mentioning
that Emotet works in waves.
And that's part of that interesting modus operandi
that I just mentioned.
Unlike other malware campaigns that have a certain period,
it could be rather short.
In some cases, if it's more successful,
it can be a bit longer.
But usually they have a defined and rather specific period in time
in which they're active.
Emotet has been quite different in that it comes and goes in waves.
There are periods of very, very high activity
where literally hundreds of thousands of variants are created
and hundreds of thousands of targets are targeted
and unfortunately in some cases infected.
And then that's followed by varying periods,
but usually longer periods than the periods of activity,
but longer periods of just going completely under the radar
and almost without any kind of new targets being
attacked or new variants or very few variants in any case being created. So what happened in the
last summer is that we've seen one of these waves come out. And again, usually in each wave,
there's something new and different, technically speaking, in the malware itself.
So we started to look into it because it's always interesting to know
and to understand what's new with Emotet.
And that's what led us to try and, again,
cluster these new malware variants that we've seen into different groups
and trying to understand how and what exactly and in what way it differentiates from previous attack waves.
Well, let's go through it together.
I mean, can you share the story with us?
What did you find in this latest wave from Emotet?
So we found something very, very interesting.
And one of our most interesting findings was the fact that Emotet actually uses
and embeds into the malware sample that are, you know, propagated as part of this campaign,
a lot of benign code. And what I mean by benign code, more specifically I'd say than that,
is code segments or just different binary sequences
that are found in operating system files
coming from Microsoft or from other very, very popular
or prolific benign software.
And it does that specifically in an attempt
to evade AI-based solutions
that are more susceptible to that kind of attack
where if you inundate the malware samples
with a lot of benign content,
and especially benign content that AI solutions
or in general endpoint solutions for that matter,
would very, very much want to refrain
from triggering on
because they would deem as false positives.
So having that kind of content be embedded in the malware sample
really helps at evading security solutions.
In a lot of cases, that was what happened.
And we could see across multiple samples,
specific code segments taken from different Microsoft
or Windows in general DLLs,
and injected or embedded somehow into the malware samples.
So that was one thing.
And the difference between the different clusters that we found
is that we found different clusters of that attack wave
to just contain different types or different kinds
or different content of actual benign code,
whereas the malicious activity itself,
the malicious code and the malicious business logic
were similar.
So the notion here, just for my own clarity,
is that, say, an AI solution would be looking at the code
and doing sort of spot checks to compare what it was finding against a database of known good code, for example.
And in doing this spot check, this avalanche of benign code would likely throw it off the trail.
Pretty much, yeah.
Well, take me through then the actual encrypted payload, the part of the malware that is specifically of interest here.
Yeah, so that's another part, by the way,
of how and why Emotet is that successful.
Because other than having most of the exposed content
of the malware sample actually be benign code,
or again, functions taken from DLL
or resources taken from Microsoft DLLs, etc.
The malicious business logic is encrypted,
at least as far as when you look at the file statically,
nothing that's intrinsically malicious pops out
because it's all encrypted.
So again, if you look at it statically,
what you have is a bunch of what would seem
to almost everybody pretty much benign
or even very, very benign content.
And other than that, the rest would just be encrypted.
What we did as part of our research
is understanding exactly where and how that encrypted payload is kept within the file.
What is the flow that happens in runtime that decrypts it and then runs a certain kind of shellcode that then in itself decrypts another layer,
which is where the actual malicious business logic resides.
So you have multiple stages of decryption and deobfuscation
that take place until something bad really starts to happen.
But again, in runtime it happens pretty fast.
It's not that it takes eternity,
but when you come and look at it
and try to reverse engineer it and debug it, etc.,
it takes quite some time to figure out what's going on.
Can you walk us through, how did you reverse engineer
the malicious part of the code here?
How did you get into that encrypted data?
Again, it involved a lot of work with tools like IDA
and other analysis tools running it on VMs
and looking at different types of memory, forensic tools,
trying to understand exactly what happens in memory
as we continuously debug and run it and decompile it.
It took quite some effort, especially, again,
because there are several stages that take place
until the full malicious business logic is discovered.
And the main crux of it here is understanding
where exactly is the decryption key found
and where exactly it appears in memory during runtime, where
it's kept, and then how it's used to decrypt the content.
That was the crux of what we needed to understand in order to fully analyze and then, of course,
going on to explain and share with the community what's exactly going on there.
And then the final payload itself,
there's quite a bit going on here,
starting with some code obfuscation.
Yeah, even once you get to the malicious business logic itself,
it's not that life becomes very, very easy.
Because again, the people behind Emotet are very, very aware.
And other than anti, what I'd call evasion techniques,
which is again, the benign code
and the encryption that when you look at the file statically,
you don't really see the malware itself.
They use a lot of other techniques
that are more geared towards anti-reversing,
anti-debugging, and making the researcher's life harder, even once they've already, you know,
understood that this is malware and they're analyzing it. So yeah, it's not that it becomes
easy. It's pretty good code. And there are a lot of additional internal obfuscations
and different kind of fuzzing, I'd say, methods that lie in there
that makes our lives as researchers harder.
But happily we're used to it, or fortunately we're used to it.
Sometimes it doesn't necessarily make things impossible.
It does make them harder and slower.
But we're persistent, just as they are.
And so the ultimate functionality of Emotet,
of this payload, is what?
What is it setting out to do here?
That's actually an additional very, very interesting piece.
If we look at the way Emotet has evolved over the course
of its activity, it set out and it started
as your run-of-the-mill or your day-to-day
financial malware doing things like credential
harvesting,
especially from financial or banking-related accounts,
and user data, acted as, again, spyware,
trying to just collect data, collect files,
look at your emails, look at your addresses,
things that are very, very important in order to keep the attack chain going,
to gain more data on more targets.
But then as it became that successful and as successful and as evasive as it is,
and really malware, if you look at Emotet in general,
it's one of the malware campaigns
with the highest infection rates.
Then what it became is that now Emotet is more of a platform for other second
stage malware to come after it.
Now, the thing is, even if that second stage malware in and of itself is not that successful,
is not that evasive, doesn't have that high of an infection rate, once the machine has
already been compromised and infected with Emotet, and Emotet does its thing on that machine,
lowers security settings,
completely removes different kinds of security software,
escalates privileges, etc., it's pretty easy to then
land whatever type of malware that we want onto that
compromised device
and then do pretty much as we wish.
That's one of the reasons why we've seen so much collaboration happening
between Emotet and ransomware campaigns, especially Ryuk,
which we also mentioned somewhere in our research blogs.
Ryuk has become a very, very common second stage after an Emotet infection,
whereas Emotet comes in, does everything that it normally does,
taking out data, compromising the machine itself,
can move laterally, steal banking information, etc.,
or steal the data itself.
And then there also comes the ransomware attack
where data that remains on the machine is encrypted
and then a ransom payment is demanded
in order to decrypt the content.
And these are very, very devastating and disruptive attacks
when they happen in enterprises or actual organizations.
But again, the success of Emotet and the infection rate that we're seeing is what made it pretty much this platform for other malware, even if in some cases that malware in itself is
no longer as successful and as infectious as it used to be.
Yeah, it's like adding insult to injury almost.
Yes, absolutely.
I suppose too, I mean, this speaks to the sophistication
but also patience of the developers of Emotet.
That they're willing to, part of their process
is standing down for a little while to improve their tools, to improve their capabilities.
Absolutely. And I think in the long run, it's worth their while in terms of the ultimate financial success and again, ultimately money that they're making out of it. I think the way they're operating, as you said, with those periods of going under,
in the long run is what makes them
and what makes their operation more lucrative
and more profitable.
They have that understanding
that wasting all your ammunition
and being exposed and transparent
for a long period of time will actually make you less evasive,
less infectious, and will allow the industry,
the cybersecurity industry, more time to learn,
to adapt to your operations and to your specific techniques and procedures, that
understanding that one needs to go under for a little while in order to come back better
and stronger is what makes them as successful, and again, over time.
It's one thing to have a very, very successful specific attack,
use that for as long as it may work,
but then pretty much go detected by everybody
and become your day-to-day known malware
that has a very, very low success rate.
That reorganization over long periods of time
is really what makes, again, Emotet what it is today
and as successful as it is today.
And where do we stand in terms of people's ability
to defend themselves against this?
What are the most effective ways?
People and organizations that want to keep themselves safe from Emotet,
there are several things that they can do.
First of all, they need to understand and speak the truth to themselves
about their current security posture, what kind of solutions and protections they have in place,
test those against new Emotet waves or recent Emotet waves and samples as they become available,
and see whether what they have today will defend them,
at what stage of the attack chain it will defend them.
It's better to be able to stop and thwart an Emotet attack
at the dropper stage, at the spear phishing
or malicious document attachment stage,
rather than rely on the actual payload being prevented
or something being prevented during runtime.
In some cases, not in all cases, but in some cases that would be too late.
So first and foremost, my answer would be
understand what is your current protection level
against threats as sophisticated as Emotet.
And with regards to the protection you have in place,
where in the attack chain it's exactly found
and how early it is.
Because the earlier it is, the value, as far as the security value you'd gain from it,
is much higher.
Other than that, I think it's very, very important for organizations to be very well informed of the actual, you know, the TTPs, the techniques,
you know, the way the malware itself operates.
They can do that by, you know, getting themselves familiarized
with the research content that's out there about Emotet and its behavior
so that in the case that they are infected or, you know,
they have a certain fear of being infected,
they would know what exactly it is they need to look for,
what are the assets that need to be
either disabled or protected first,
basically to make sure they have all the knowledge
and the right tool set in order to deal with,
unfortunately,
a potential Emotet attack.
So those are the two main pieces of advice
I would give to organizations.
And there's a lot of research content and analysis
out there about Emotet throughout its period of activity.
Both by research blogs and research pieces
like we've put out there,
but also those that a lot of our other colleagues and competitors as well in the community have put out there.
There's ample amounts of materials available out there to get familiar with.
Our thanks to Shimon Oren from Deep Instinct for joining us.
The research is titled, Why Emotet's Latest Wave is Harder to Catch Than Ever Before.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening.