{"id":46727,"date":"2022-05-19T00:00:00","date_gmt":"2022-05-19T00:00:00","guid":{"rendered":"urn:uuid:23487c69-7d5e-8633-4ded-3cabff500681"},"modified":"2022-05-19T00:00:00","modified_gmt":"2022-05-19T00:00:00","slug":"bruised-but-not-broken-the-resurgence-of-the-emotet-botnet-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/bruised-but-not-broken-the-resurgence-of-the-emotet-botnet-malware\/","title":{"rendered":"Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware"},"content":{"rendered":"

<\/p>\n

The Emotet<\/a> botnet malware is well known in the cybersecurity industry for its success in using spam emails to compromise machines and then selling access to these machines as part of its infamous malware-as-a-service (MaaS) scheme. Operators behind notorious threats such as the Trickbot trojan<\/a> and the Ryuk<\/a> or Conti<\/a> ransomware are among the malicious actors who have used the botnet malware in their attacks.<\/p>\n

But in January 2021 came news of Emotet\u2019s dismantling<\/a>, dubbed Operation Ladybird, during which law enforcement agencies from Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the UK, and the US worked in concert to seize control of Emotet\u2019s infrastructure. In spite of this, the botnet malware proved quite resilient and it resurfaced<\/a> in November 2021. According to researchers at AdvIntel<\/a>, its return was greatly influenced by Conti\u2019s operators, who sought to continue their partnership with the operators of Emotet, as the botnet malware had played an integral role in the ransomware\u2019s initial access phase.<\/p>\n

During the first quarter of 2022, we discovered a significant number of infections in various regions (Figure 1) and across different industries (Figure 2) using multiple new Emotet variants. Based on our telemetry, a large percentage of the infected customers were in Japan, followed by countries in the Asia-Pacific and EMEA (Europe, the Middle East, and Africa) regions. It is possible that the operators behind Emotet targeted profitable industries like manufacturing and education to attract the attention of other malicious actors as potential customers for their MaaS offering.<\/p>\n


Figure 1. Emotet infections by region during the first quarter of 2022<\/span><\/p>\n


Figure 2. Emotet infections by industry during the first quarter of 2022<\/span><\/p>\n

In with the new<\/span><\/h2>\n

We observed that this surge in Emotet spam campaigns used both old and new techniques to trick their intended victims into accessing malicious links and enabling macro content. The newer Emotet samples we analyzed retained the same initial downloader as the one found in previous campaigns. However, these more recent samples used Excel 4.0 macros, an old Excel feature, to execute its download routines (Figure 3), as opposed to Emotet\u2019s previous use of Visual Basic for Applications (VBA).  <\/p>\n


Figure 3. Emotet\u2019s Excel lures<\/span><\/p>\n

Emotet employs various obfuscation techniques to evade detection of the malicious Excel file. One such technique is its use of the .ocx file name extension (Figure 4) and carets (Figures 12 and 13) in URLs, which allow Emotet to sidestep detection methods that look for specific command-line keywords or extensions.<\/p>\n


Figure 4. Emotet using Excel 4.0 macros and the .ocx file name extension for its payload<\/span><\/p>\n

We also observed that some of the recent Emotet samples drop BAT (batch) files (Figures 5 and 6) and VBScript files (Figures 7 and 8) to execute their download routines.<\/p>\n


Figure 5. An obfuscated BAT file<\/span><\/p>\n


Figure 6. A deobfuscated BAT file (Figure 5) that downloads Emotet\u2019s payload via PowerShell<\/span><\/p>\n


Figure 7. An obfuscated VBScript file<\/span><\/p>\n


Figure 8. A deobfuscated VBScript file (Figure 7) that downloads Emotet\u2019s payload via PowerShell<\/span><\/p>\n

Unlike past variants, the recent Emotet samples behave in a more straightforward way, directly downloading and executing their payloads. These samples use regsvr32.exe under the SysWow64 <\/i>folder to execute their payloads, which ensures that the malware runs in a 64-bit environment using the 32-bit binary. This suggests that Emotet now targets only 64-bit machines, which is in line with the recent news of Emotet\u2019s switch to 64-bit loaders<\/a>.<\/b><\/p>\n

We also discovered that the recent Emotet samples employ LNK (link) files to download 64-bit loaders (Figure 9). These allow Emotet to directly execute PowerShell commands for payload execution. For each infection, the LNK file creates a PS1 file via PowerShell, which is then used to download and run Emotet\u2019s payload (Figures 10 and 11).<\/p>\n


Figure 9. Emotet\u2019s malicious LNK file<\/span><\/p>\n


Figure 10. The executed command from Emotet\u2019s malicious LNK file<\/span><\/p>\n


Figure 11. The deobfuscated command from Emotet\u2019s malicious LNK file (Figure 10)<\/span><\/p>\n

Another notable behavior we observed in the samples of these new Emotet variants was their use of hexadecimal (Figure 12) and octal (Figure 13) representations of the IP addresses they connected to, as we reported in a previous blog entry.<\/a> Using these formats to obscure the URLs enables these new variants to circumvent pattern-matching detection methods, thereby allowing the execution of their download routines.<\/p>\n


Figure 12. A hex representation of the Emotet URL (with carets)<\/span><\/p>\n


Figure 13. An octal representation of the Emotet URL (with carets)<\/span><\/p>\n

Emotet\u2019s payload<\/span><\/h3>\n

Emotet\u2019s older 32-bit variants use seven core commands. But the recent Emotet samples are of 32-bit variants that use only six core commands and 64-bit variants that use only five, as shown in Table 1.<\/p>\n

<\/p>\n\n\n\n\n\n\n\n\n\n
Command<\/th>\nExecution method of 32-bit variants<\/b><\/th>\nExecution method of 64-bit variants<\/b><\/th>\n<\/tr>\n
1<\/td>\n\n

Download and execute DLL with regsvr32.exe with parameter <\/p>\n

    \n
  • %Window%\\regsvr32.exe \/s {Installation folder}\\{random}.dll {Base64-encoded string of (randomly created installation folder)}\\(file name of dropped copy) <\/span><\/li>\n<\/ul>\n<\/td>\n
\n

Download and execute DLL with regsvr32.exe<\/p>\n

    \n
  • %Windows%\\regsvr32.exe {Installation folder}\\{random}.dll {Base64-encoded string of (randomly created installation folder)}\\(file name of dropped copy)<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
2<\/td>\nExecute shellcode via CreateThread <\/td>\nExecute shellcode via CreateThread <\/td>\n<\/tr>\n
3<\/td>\n\n

Download EXE file and execute it using CreateProcessW (non-admin) <\/p>\n

    \n
  • {Installation folder}\\{random}.exe <\/span><\/li>\n<\/ul>\n<\/td>\n
\n

Download EXE file and execute it using CreateProcessW (non-admin)<\/p>\n

    \n
  • {Installation folder}\\{random}.exe<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
4<\/td>\n\n

Download EXE file and execute it using CreateProcessAsUserW (admin) <\/p>\n

    \n
  • {Installation folder}\\{random}.exe <\/span><\/li>\n<\/ul>\n<\/td>\n
\n

Download EXE file and execute it using CreateProcessAsUserW (admin)<\/p>\n

    \n
  • {Installation folder}\\{random}.exe<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
5<\/td>\nExecute shellcode via CreateThread <\/td>\nLoad module in memory and execute exported function (via LoadLibraryA and GetProcAddress)<\/td>\n<\/tr>\n
6<\/td>\n\n

Download and execute DLL with regsvr32.exe <\/p>\n

    \n
  • %Window%\\regsvr32.exe \/s {Installation folder}\\{random}.dll <\/span><\/li>\n<\/ul>\n<\/td>\n
 <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n

Note: {installation folder}<\/i> could be %AppDataLocal%\\{random}<\/i> (non-admin) or %System% \\{random}<\/i> (admin), depending on the mode of execution.
Table 1. A list of core commands used by the newer Emotet samples<\/span><\/span><\/span><\/span><\/span><\/p>\n

Our analysis of the recent samples showed that Emotet\u2019s use of rundll32.exe for execution between November 2021 and January 2022 had been phased out, replaced by the \u201cregsvr32.exe \/s\u201d <\/i>command as of February 2022. Nonetheless, Emotet employs modular architecture for its other payloads. Based on this, we can still infer that the samples have the same infection chain as in previous Emotet-related campaigns, with some variants opting to include the gathering of running processes as part of their modules instead of their main routine (Figure 14).<\/p>\n

Figure 14. Emotet\u2019s infection chain<\/span><\/span><\/span><\/span><\/span><\/p>\n

The reappearance of Emotet is also notable because its operators have since added Cobalt Strike, a well-known penetration-testing tool, to its arsenal. This poses a bigger risk for target enterprises, as the integration of Cobalt Strike provides more flexibility for Emotet\u2019s MaaS partners to gain a foothold in an intended victim\u2019s systems. With these new features, we expect to see in the coming months a continuous stream of Emotet cases and the delivery of other malware used in Emotet\u2019s MaaS scheme.<\/p>\n

Similarities with QakBot<\/span><\/h2>\n

Since January, we have received and analyzed 300 submissions of the QakBot loader (Figure 15), and our investigation has revealed that its attack chain shares many similarities with that of Emotet (Figure 16).<\/p>\n


Figure 15. Emotet and QakBot submissions from January to April 2022<\/span><\/span><\/span><\/span><\/span><\/p>\n


Figure 16. A comparison of QakBot and Emotet\u2019s attack chains<\/span><\/span><\/span><\/span><\/p>\n

QakBot spam messages attempt to deceive their intended victim into clicking a download link, which is usually a OneDrive URL (Figure 17). An Emotet spam message, on the other hand, poses as a forwarded email that has a password-protected archive attachment (Figure 18).<\/p>\n


Figure 17. A QakBot spam message containing a malicious download link<\/span><\/span><\/span><\/span><\/span><\/p>\n


Figure 18. An Emotet spam message containing a password-protected archive attachment<\/span><\/span><\/span><\/span><\/span><\/p>\n

QakBot infections start with the intended victim downloading a malicious Excel file with an .xlsb file name extension (Figure 19). Emotet infections also involve an Excel file, but with an .xlsm file name extension (Figure 20).<\/p>\n


Figure 19. The malicious Excel file in a QakBot attack<\/span><\/span><\/span><\/span><\/span><\/p>\n


Figure 20. The malicious Excel file in an Emotet attack<\/span><\/span><\/span><\/span><\/span><\/p>\n

Another key difference between the two pieces of malware is that the macro sheets embedded in QakBot\u2019s downloader samples contain links with the .png file name extension in the URLs (Figure 21), while Emotet links do not (Figure 22). This is a means for QakBot to evade detection, as using a common file name extension like .png makes QakBot URLs less suspicious.<\/p>\n


Figure 21. The URLs in a QakBot macro sheet<\/span><\/span><\/span><\/span><\/span><\/p>\n


Figure 22. The URLs in an Emotet macro sheet<\/span><\/span><\/span><\/span><\/span><\/p>\n

Although the Excel files in both QakBot (Figure 23) and Emotet (Figure 24) infections employ regsvr32.exe to execute their payloads, only QakBot drops its payload in a folder with a random five-character name that is located in the C:\\ drive (Figure 25). Emotet, on the other hand, drops its payload in the parent directory of its downloader (Figure 26).<\/p>\n


Figure 23. QakBot\u2019s use of regsvr32.exe to execute its payload<\/span><\/span><\/span><\/span><\/span><\/p>\n


Figure 24. Emotet\u2019s use of regsvr32.exe to execute its payload<\/span><\/span><\/span><\/span><\/span><\/p>\n


Figure 25. QakBot dropping its malicious payload in a folder in C:\\<\/span><\/span><\/span><\/span><\/span><\/p>\n


Figure 26. Emotet dropping its malicious payload in a folder<\/span><\/span><\/span><\/span><\/span><\/p>\n

Security recommendations<\/span><\/p>\n

For enterprises to avoid falling victim to spam emails used in Emotet and QakBot campaigns, user awareness training for employees should be expanded to address email reply chain attacks. Security practices that can mitigate the risk of infection include:<\/p>\n