EMOTET…… The end to end story

Prakash Galande, Bajrang Mane/Quickheal

Emotet malware campaign has existed since 2014 and is quite rampant till today. It carries a complete set of modules by which it can get next victims and also has the modules for the infrastructure to host malware. To evade detection from Behavioral Based Solutions (like EDR, etc.), it uses genuine Windows API and remains silent until complete infection. It has evolved from a standalone banking trojan to complex threat distributor and mainly Remote Code executor.

In this paper will shed light on how it has also become a “threat distributor” and executing payload remotely. It uses large infrastructure by compromising websites i.e. server side and client side. Its self-propagation makes it all the more challenging for security vendors to detect it statically. We will explain how the URLs in the spam emails, malware hosted on these URLs are constantly changing and using genuine Windows network API like WNetAddConnection2 for lateral movement.

At the start of 2017, we had seen the Emotet campaign spreading through malspam email with attached PDF and JS file. In 2018, it is spreading through MS Office Word documents with a heavily obfuscated macro inside it. The mail also consists of a URL which downloads the MS Office (Word, Excel) documents. US-CERT had issued an alert (https://www.us-cert.gov/ncas/alerts/TA18-201A) highlighting how Emotet is a serious threat.

The malware shows persistent infection and is very aggressive in terms of changing the URLs and the payloads delivered by them at regular intervals making it difficult for static detection. We also saw credential theft of the network, email account credentials and passwords stored in web browsers. It attempts to spread internally throughout the network via brute force attacks using stolen credentials. It hijacks the email ids by scraping names and email addresses from the victim's Outlook account and then using the account to send out more malspam, essentially turning victims into spammers. In this paper, we will discuss how Emotet communicates with its C&C and downloads its modules. The downloaded modules are geography-specific thereby creating more challenges for security solutions. In North America & Europe region, it drops trickbot, Qbot, etc. along with the spamming module. In Asia, it drops mainly Spamming module. One of the differentiating factors is that it uses UPnP for Port Address Translation (PAT) access.

As emotet and its modules are changed on an hourly/daily basis, so we suspect that the attacker is using modern technology to change and deliver the components like automation. In this paper we will present an in-depth analysis of Emotet’s infection mechanism, binaries and loaded modules for data stealing, spamming and lateral spreading. At the end, we will discuss the impact of Emotet on infected orgnizations/users. Our paper will propose a solution to counter this deadly malware and will give a demo of this solution indicating how it stops Emotet.

November 7 at 14:30 - 15:00, Stage B

Bajrang Mane: Bajrang is currently leading the Threat Analysis, Incident Response, and Automation teams in Quick Heal Security Labs. Having spent 13 years in the IT security industry, he has worked on various aspects of malware analysis and its detection. His main responsibilities include threat research, improving and automating detection systems. Previously he was involved in analyzing malware families and dealt with complex infectors to come up with remediation and its cleanup.

Prakash Galande: Prakash has over 7 years of experience in the field of Malware analysis. Currently, he is working as a Senior Security Researcher at Quick Heal. He is passionate about malware analysis, reverse engineering and researching on innovative techniques in the anti-malware field. His main specialization is analyzing PE malware. Occasionally he likes to write security blogs.