Reborn of Emotet: New Features of the Botnet and How to Detect it

Renacer de Emotet News

One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. The Emotet executables were updated by law enforcement. It looked as if the trojan had ended.

But the malware has never stopped surprising.

November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. And ANY.RUN with colleagues in the industry were among the first to notice the emergence of Emotet’s malicious documents.

Emotet Botnet Malware
First Emotet malicious documents

And this February, we can see a very active wave with crooks running numerous attacks, hitting the top in the rankings. If you are interested in this topic or researching malware, you can make use of the special help of ANY.RUN, the interactive sandbox for the detection and analysis of cyber threats.

Let’s look at the new version’s changes that this disruptive malware brought this time.

Emotet history

Emotet is a sophisticated, constantly changing modular botnet. In 2014 the malware was just a trivial banking trojan. Since that it has acquired different features, modules, and campaigns:

  • 2014.
      2020 Money transfer, DDoS and address book theft modules.
    • 2015. Evasion functionality.
    • 2016. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
    • 2017. A spreader and address book stealer module

    Polymorphic nature and numerous modules allow Emotet to avoid detection. The team behind the malware constantly changes its tactics, techniques, and procedures to make the existing detection rules useless. To stay inside the system infected, it downloads additional payloads by taking multiple steps. Its behavior makes malware nearly impossible to get rid of. It is fast-growing, produces faulty indicators and can adapt to the needs of attackers.

    And on November 14, 2021, Emotet was reborn with a new version.

    Why was Emotet reborn?

    Throughout Emotet’s history, it got several breaks. But after the global police operations in January 2021, we were ready that it would be gone for good. Many gang members were arrested by joint enforcement. They also took control of servers and destroyed backups.

    Nevertheless, the botnet got back even more robust. The botnet is skilled at using evasion techniques to make networks more dangerous.

    It turned out that Trickbot attempted to download a dynamic linking library (DLL), to the system. And the DLLs turned out to be Emotet, and later, researchers confirmed the fact.

    In 2021 after the comeback, Emotet led the top 3 of uploads in ANY.RUN sandbox. Even after such a long break, it still got popular. All statistics on Emotet trends are available in Malware Trends Tracker, and the numbers are based on the public submissions.

    Emotet Botnet Malware
    Top malware uploads for the last week

    No wonder now when its operations are back on rails, ANY. RUN’s database gets almost 3 thousand malicious samples per week. It’s becoming clear that this type of attack can be prepared for at any time.

    What new features has Emotet acquired?

    The trojan is already a serious threat to any company. It is important to be aware of all updates and remain vigilant. Let’s investigate what features a new version brings and how it differs from the previous ones.

    Templates

    The Emotet campaigns begin with a malspam email that contains Malicious Office Documents (weaponized Microsoft Office documents) or hyperlinks attached to the phishing email, which is widely distributed and lures victims into opening malicious attachments. For its execution, the weaponized Microsoft Office document includes a VBA code as well as an AutoOpen macro. Emotet lures victims into enabling macros. This is all that’s required for initiating the attack. This interaction allows for bypassing verifications and sandbox tests.

    Emotet distributes using malicious email campaigns that usually consist of Office Documents. And the malware gets very creative with templates of its maldocs. They are constantly being changed by the botnet, which imitates files, updates and messages. And the content embeds the obfuscated VBA macro and makes different execution chains. The authors behind the malware trick users into enabling macros to start the attack.

    A new version has an added twist. In summer 2020, Emotet used a doc with Office 365 message. Although the image is unchanged, it has been converted to XLS. The new version also uses the same image, but the first time is now in the XLS format. This represents the IP address where the second stage was downloaded. A later technique was changed again, and crooks don’t use the HEX encoded IP to download the payload.

    New techniques

    Emotet continues to raise the bar for polymorphic creatures by using new techniques. Macro has made some slight changes to its tactics. It now leverages MSHTA. In general, Macro 4.0 leverages Excel to run either CMD, Wscript, or Powershell, which starts another process such as MSHTA or one mentioned above that downloads the main payload and runs it by rundll32.

    The botnet is keen on masking malicious strings and content like URLs, IPs, commands, or even shellcodes. Sometimes, however, the script can be used to grab the URLs or IPs list. You can definitely find it by yourself in ANY. RUN’s Static Discovering – just give it a try!

    Emotet Botnet Malware
    URLs list from the Emotet’s fake PNG file

    Companions

    We know that Emotet often drops additional malware to worsen an infection. It was discovered that Trickbot, a botnet, had infected the hosts with the trojan.

    Currently we see that Emotet is compatible with Cobalt Strike. It is a C2 framework used by penetration testers and criminals as well. Having Cobalt Strike in the scenario means that the time between the initial infection and a ransomware attack shortens significantly.

    Process tree

    The chain of execution also got some modifications. In most cases, we can notice a CMD child process, a PowerShell, and Rundll32, and various samples prove that authors prefer to mix processes, constantly changing their order. It is designed to prevent detection of child applications that pose a threat by using rulesets.

    Emotet Botnet Malware
    Emotet process tree

    Command-line

    Emotet switched from EXE files to DLL a long time ago, so the main payload ran under the Rundll32. The abundance of Powershell/CMD is unchanged :

    Emotet Botnet Malware
    Emotet command-line

    How to detect and protect against Emotet?

    If you need a fast and convenient way to get complete information on the Emotet sample – use modern tools. Any.RUN interactive Sandbox allows you to monitor processes and receive all data instantly.

    Suricata rulesets successfully identify different malicious programs, including Emotet. Moreover, with the Fake net feature to reveal C2 links of a malicious sample. This function also allows you to gather IOCs for malware.

    Emotet sample are constantly changing and can be difficult to keep up. So, we advise you to check out fresh samples that are updated daily in our public submissions.

    Emotet proves to be a beast among the most dangerous cyber threats in the wild. This malware enhances its functionality while working to evade detection. That is why it is essential to rely on effective tools like ANY.RUN.

    Enjoy malware hunting!

David
Rate author
Hackarizona