CyberWire Daily - Emotet's updated business model. [Research Saturday]
Episode Date: August 31, 2019
The Emotet malware came on the scene in 2014 as a banking trojan and has since evolved in sophistication and shifted its business model. Researchers at Bromium have taken a detailed look at Emotet, and malware analyst Alex Holland joins us to share their findings. The research can be found here: https://www.google.com/url?q=https://www.bromium.com/resource/emotet-a-technical-analysis-of-the-destructive-polymorphic-malware
Transcript
You're listening to the CyberWire Network, powered by N2K.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Emotet was first discovered in the wild in 2014,
and originally it was a classic banking trojan.
That's Alex Holland. He's a malware analyst at Bromium. The research we're discussing today is titled
Emotet, a technical analysis of the destructive polymorphic malware.
Interestingly, from 2017 onwards, we noticed that it began distributing other families of malware.
What we think is interesting about Emotet is that the change in its tactics, techniques,
and procedures perhaps reflects its change in business model. And it's building upon some
research from the UK's National Cyber Security Centre. What they did in 2017 was put together
a business model for a typical banking Trojan operation. That was appropriate for that time,
and it's really excellent. I encourage people to go out and read it to understand all
the actors involved in a banking trojan operation. But what we've done here is that we've actually
updated that business model to account for malware as a service. And what we mean by that
is different actors, different groups collaborating with one another.
So just as we've seen Emotet stop using its own homegrown banking Trojan module and seen
it distributing other families of malware, we're saying that this is indicative of a
new type of malware as a distribution business model.
Well, so let's go through some of Emotet's capabilities.
Why don't we start out when Emotet first came on the scene, which was, I believe, back in 2014.
What sort of capabilities did it have and what did it seem to be up to?
Kind of standard banking trojan activity.
So typically what would happen is that you would have a man-in-the-browser attack.
So Emotet would intercept a victim's browsing session and then inject HTML in order to steal funds from targeted banks.
So originally we saw Emotet target Swiss and German banks,
and then that later expanded out to other regions.
And so with this shift to being more of a malware-as-a-service business model,
has the targeting broadened?
Yeah, definitely.
We've seen Emotet definitely develop from being targeted at specific customers,
customers of specific banks, to mass malicious spam campaigns
that are broadly targeted at businesses rather than individuals,
across different verticals.
So let's run through some of its current capabilities there. What sorts of things is Emotet capable of?
It can brute-force
weak passwords. It has a built-in password list, a dictionary.
It also uses third-party tools to recover credentials from web browsers, email clients,
and network credentials as well.
It also has a great deal of capability in terms of stealing email address books.
This is kind of crucial to how it's so
effective at phishing. So as well as email addresses, it has also begun to steal the email
body content. And that allows it to construct more plausible and convincing phishing lures.
And is that happening in an automated way?
Yes, yes.
So it's happening in an automated way.
So typically, a user will receive a reply from an email address that they think they've
previously had a conversation with.
And so there's an inherent trust in that I've already spoken to this person.
And combined with a generic message about an invoice that hasn't been paid,
it could cause, say, a business to click on that link and trigger the first stage of the Emotet infection chain.
Well, we're going to walk through the various steps of that infection chain
but before we do, let's go through some of the capabilities that Emotet has in terms of its
anti-analysis features. What's going on there?
Yes, so Emotet is polymorphic in nature, in that the packer that's used to obfuscate the Trojan changes each time it's used.
So it's actually quite difficult to write a generic signature for the Trojan because of the way it's packed.
The research we've done has uncovered some what we think are quite high-fidelity indicators to detect the use of Emotet's packer.
And we can go more into that later about its use of particular APIs and, in fact, kind of nonsensical API calls, which kind of give it away.
Emotet's developers have really put in a lot of effort to encrypt and hide the true nature of the Trojan.
And I think that's testament to the amount of money
and time that's been spent on this project.
So, for example, its imports and function names are encrypted which is a fairly
standard obfuscation technique for malware. It also has a multi-stage initialization procedure
whereby one Emotet process will actually inject itself into another but in a different region
of memory. And finally of course the C2 channel is encrypted
and we've seen a development over time in that capability. So originally Emotet used
fairly basic RC4 encryption, a type of symmetric key encryption, but now Emotet uses AES combined with RSA encryption, which is much more difficult to
intercept.
Well, let's walk through the life cycle of an infection together. How does it begin? How
am I likely to find myself infected with Emotet? Yeah, so Emotet arrives as hyperlinks linking to malicious documents or as attachments to emails.
We've seen different types of document downloaders used for Emotet, the most common being Microsoft Word 2003 documents, but we've also seen JavaScript, XML document formats, and PDFs.
You download a document, and it's typically something that's in a Microsoft Word format,
and then there's a little bit of, I don't know, social engineering or they influence you to enable the ability
to run macros.
What's going on there?
Yeah, so this is a really common conceit used by malware to trick users into running VBA
macros, visual basic application macros.
Typically, your downloader will be commodity malware used by a wide range of threat actors.
Emotet have made the phishing look as generic as possible so that they can target as wide an audience as possible.
So typically it's a generic kind of banner that says you can't view this version of the document, and then they prompt the user
to enable macros. So really taking
advantage of the user's curiosity in a very
benign way.
Yeah, so the phishing
emails will prompt the user to actually open
the attachment, because normally the phishing
lure itself will be this is an invoice or a compensation claim, something vaguely financial
that might spark the interest of somebody.
So they trick you into enabling the execution of a VBA macro. What happens next?
Yep. So at this stage, this is a straightforward downloader. And so the simple purpose of the
downloader is to download the main Emotet payload. And to bypass detection, the downloader uses various obfuscation techniques, so
string concatenation, ultimately to hide its intent.
And then it runs something in PowerShell?
Yeah, that's right. So again, this is a common way for malware to actually download payloads by using PowerShell's web APIs.
And there's some obfuscation going on there as well.
That's right. So typically we see Base64 and compression used.
And so at this point now we're actually getting to the point of downloading the Emotet
loader itself.
Yeah, so this is really where it gets interesting and sets Emotet apart.
I think one of the things which benefits Emotet is that the phishing campaigns are so high volume
and so far reaching that they get a good infection rate from that.
They're not necessarily the most clever in terms of using sophisticated downloaders.
I think they're relying on scale to infect as many machines as possible.
And so can you walk us through what sort of functionality the loader has itself, what it's up to?
Yeah, sure. So it has a fairly complex initialization process. So for example,
it will launch a child process of itself and then it will do that by using the Windows service API,
and then it will actually register itself as a service, and it will then, at a high level, connect back to the C2
and start sending reconnaissance data, information about the machine.
Now, there's some interesting things going on with the packer itself.
I mean, the packer, there are things about the packer
that allow you to come to a conclusion as to what it's up to?
Like most packed samples of malware, when you look at a regular portable executable file,
it conforms to certain expectations and characteristics,
whereas a packed executable will look different.
So the most basic example would be that the use of encrypted data will impact
the entropy of the different sections in that PE file.
I see. So let's move on to the unpacking
and initialization procedure. Walk us through what goes on there.
When we were looking at the packer, we noticed that early on during the packer decryption
process, there's a check for a specific registry key, and it's done by a call to RegOpenKeyA,
and we found that if the key does not exist on the system, then the malware either terminates itself or enters an infinite loop.
And is that an error in the coding?
I mean, is that intentional?
What do you think is going on there?
We actually think it's a deliberate check in the packing code.
Now, we're not sure why exactly it's there.
But we know that it's a useful indicator for network defenders
to know about.
So can you give us a bit of an overview of what's going on in terms of how it's injecting
itself into different memory spaces and those sorts of things?
It does two things.
The first thing it does is that it creates this child process,
another Emotet process, and then injects itself into that process.
And then it resolves a number of API names that it can then use.
And interestingly, after that, it makes a GetProcAddress call
for an invalid function name.
That is to say, it tries to resolve a function that doesn't exist.
And this was really interesting to us because, again, it looks like it could be a coding
error, but the string is unique enough that we feel it can be used as quite a high fidelity
indicator for network defenders.
Yeah, I mean, it's interesting too, given the, I guess it's fair to say the overall
sophistication of everything that's going on here. If it is a coding error, you know,
it sort of shows that even at that level of sophistication, mistakes are still made.
Yeah, it could be a coding error, or it might just be something we don't understand about how Emotet is coded.
I'm also open to that possibility.
But we can definitely use this as an indicator that Emotet is initializing.
So, so far we have two high fidelity indicators.
We have one based in the packer.
So we know it makes a registry check
for quite a specific registry key that, if we can monitor or even block access to, we can either
detect Emotet's packer, or we can even stop it from unpacking. And then the second is this one,
which is a GetProcAddress call for an invalid function name, which detects Emotet further down the line during its initialization process.
If, for example, in your enterprise you're monitoring API calls, then you can create a rule to detect this particular API call.
So once we get through this whole process of Emotet installing itself,
getting itself up and running, what is the ultimate functionality here? What's going on
on my system when a fully functional running copy of Emotet is having at it?
So there are a few things here. Back in 2014, when we saw Emotet being used as a banking
Trojan, it's at this point you would see man-in-the-browser type attacks coming from Emotet.
But since about 2017, where Emotet has been delivering other families of malware,
we actually see Emotet being used not as a banking trojan, but as a loader.
So in campaigns in early 2019, up until Emotet went quiet in June, we saw a very standard
infection chain of Emotet delivering TrickBot, which then might deliver Ryuk ransomware.
And so really, the folks who are engaging with the people running Emotet, they can choose
to have it install whatever they want.
Yeah, so this is an open question about Emotet's business model.
Because we saw this change in tactics, techniques and procedures from
Emotet in 2014 to Emotet today, we think that this could give an insight into their business
model now. So rather than directly monetize stolen financial information, it could be that
Emotet are making money, or the operators of Emotet are making money,
by selling access to their botnet to other malware operators.
In effect, they're acting as a malware distributor in this wider malware-as-a-service ecosystem.
Yeah, it's an interesting shift.
Now, in terms of your advice for folks protecting themselves against this, and we've talked about some of the indicators, can you sort of run through and review what the conclusions are here in your research?
One way to attempt this would be to lock down your use of commonly abused tools, so PowerShell
and VBA macros in Microsoft Office. So Microsoft supply group policy templates, which you can
configure. And I know the Australian National Cybersecurity Center also has some great advice on configuring those templates.
That would be my first point of advice. For enterprises that want to do a better
job at detecting Emotet specifically, then they can take a look at the
indicators of compromise that we identified in the loader and also during Emotet's initialization process.
It's possible that if you block access, read access to the registry key, that Emotet won't run
at all because it will fail that registry check and it won't initialize. However,
it's worth saying that this is, you know, technically possible, but whether it's suitable to be deployed out to an entire enterprise is an open question,
because we know this registry key is also used by other programs.
Now, when you consider the overall sophistication of Emotet, where does it rank?
Yeah, so Emotet's operators definitely rank in the top echelons of e-crime groups today.
So they're notable for the scale of their campaigns.
We actually saw, you know, Emotet being responsible for the infection of U.S. municipalities over the last couple of months.
And so it clearly shows that the operators of Emotet as a loader
and the people possibly buying into the Emotet botnet
have specifically targeted local governments,
US local government, to maximize the returns through ransomware campaigns.
So in terms of impact, they are very sophisticated.
Yeah, and that shift in business model has really enabled a diversity in what it can
be used for.
Like we said, it was originally a banking trojan, and now recent uses involve ransomware.
Yeah, I think it just goes to show that if you're a malicious actor, it's not enough to develop your own malware. You need a
way to distribute it, and you can either spend all this time and money developing your own
infrastructure or nowadays you can just buy or rent somebody else's infrastructure.
Our thanks to Alex Holland from Bromium for joining us.
The research is titled Emotet,
a technical analysis of the destructive polymorphic malware.
We'll have a link.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.