
Yes, Emotet remains an active malware threat

David Strom, 29 July 2020

Emotet has cropped up again, and this time, there's more to the story

One of the longest-running and more lethal malware strains has once again returned to the scene. Called Emotet, it started out life as a simple banking Trojan when it was created back in 2014 by a hacking group that goes by various names, including TA542, Mealybug and MUMMY SPIDER.

Its history has been tracked by researchers, such as this timeline from Proofpoint:

 

[Figure: Emotet timeline. Credit: Proofpoint]
 
As you can see, it has been through numerous enhancements and improvements. By 2017, its creators had expanded its attacks to deliver various banking Trojans (including Qakbot and TrickBot) and steal browser-stored passwords. Compromised PCs would be recruited to help form a botnet that was then used to launch additional phishing attacks. A report from Bromium issued in June 2019 tracked its evolution up to that point. The report documents how Emotet’s owners or operators have shifted their strategy from stealing bulk data to selling their malware as a service for others to ply their trade.

What made Emotet interesting was its well-crafted obfuscation methods. It was one of the early malware samples to deploy polymorphic code to vary its size and attachments, meaning that it would change its form and procedures to try to evade detection. It also used multi-stage installation procedures and encrypted communications channels. Over the years, it has had some very clever lures, such as spam emails that contain either a URL or an attachment and purport to be sending a document in reply to existing email threads. IBM’s X-Force found one variation that uses the COVID-19 virus as part of its phishing lure.

Over time, Emotet has expanded to encompass three different botnet infrastructures, again to make it harder to repel. And to make their phishing lures more believable, its operators would translate their message subjects, filenames and contents to match the destination countries of their targets, producing not only English but German, Chinese and Spanish versions. Earlier this year, researchers discovered a new module that allows the malware to find nearby WiFi networks that are open or protected by easily guessed passwords and infect them. (See diagram below.)

 

[Figure: diagram of the Emotet WiFi module. Credit: BinaryDefense]

We covered Emotet most recently back in late 2018. Now, it seems to be back in use. Earlier this year, it had a five-day run that delivered nearly two million phishing emails. And in July, another variation was observed sending out at least 250,000 phishing lures, mostly aimed at US and UK users. Malwarebytes has samples of the emails used and more specifics of its operation. It appears to be using a new Word template for its infected attachment, but not much else has changed.

The rise of organized defense

Given its long history, as malware families go, it isn’t surprising that defenders have banded together to try to stop its spread. The first of these efforts is a group of about two dozen white-hat hackers who call themselves Cryptolaemus. The group is composed of security researchers from competing vendors along with IT professionals and other malware hunters. They hold regular virtual meetings on Slack and Telegram channels to assign specific tasks and share best practices. This effort came from a sad experience, when one member was attacked by the malware three years ago.

They post daily notices of hundreds of Emotet’s command server IP addresses, typical phishing subject lines, and file hashes on their website. (Their name comes from a species of beetle that eats mealybugs, which is one of the names of the Emotet development group.) The daily posts also include newsy notes at the end and other useful information for virus hunters. Scrolling down this data dump shows that Emotet is still very much alive and in force. “We have seen the Emotet creators change tactics within minutes of posting our reports,” said one member.

As if that weren’t enough, though, a new vigilante has been discovered. This individual has been poisoning about a quarter of Emotet’s downloaded files with harmless animated GIFs of celebrities. This prevents the malware from infecting any endpoints and was first seen in late July. The ZDNet post linked above walks you through how the vigilante was able to modify the Emotet malware and make the substitution. The vigilante’s identity remains unknown, although some researchers have speculated it could be a rival malware group.

What you can do to protect yourself

By now, most of the popular endpoint protection products can recognize and block Emotet, including Avast’s antivirus tools. That doesn’t mean Emotet’s developers aren’t hard at work figuring out a way around this: if you examine Emotet’s history, you can spot its evolution in trying to remain hidden.

The US CISA issued an alert in January 2020 which describes various tactics that you can use to try to steer clear of its evil intent. These include adding Group Policy Objects and firewall rules to block it, along with proper network segmentation and using mail authentication technologies such as DMARC and SPF on your corporate domains. Given the latest development of seeking out nearby WiFi access points, you should ensure that you have changed the defaults on your own wireless networks and use complex enough passwords. It also helps to prevent Word and other Office macros from executing automatically from email attachments, which is a common malware trick not exclusive to Emotet. You can safely open these documents in Google Docs as an alternative.
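As an added illustration of the DMARC and SPF advice above (this code is not from the CISA alert or from this post), the following Python sketch audits the TXT records a domain publishes and flags settings that leave spoofed mail unenforced. The function names and the sample records are assumptions made up for the example; in practice you would feed it the records returned by a DNS lookup of your own domains.

```python
# Added example: offline audit of SPF and DMARC TXT records for weak policy.

def audit_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        redirected = any(t.startswith("redirect=") for t in terms[1:])
        return [] if redirected else ["no 'all' mechanism: unlisted senders get a neutral result"]
    notes = {"all": "'+all' authorizes every sender",
             "+all": "'+all' authorizes every sender",
             "?all": "'?all' is neutral for unlisted senders",
             "~all": "'~all' only soft-fails unlisted senders"}
    # SPF stops at the first matching mechanism, so the first 'all' decides.
    return [notes[alls[0]]] if alls[0] in notes else []

def audit_dmarc(record):
    # Split 'v=DMARC1; p=none; ...' into a {tag: value} dict.
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in record.split(";")) if v}
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none requests no action on failing mail")
    elif tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of the mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

SAMPLE = {  # constructed records on reserved example domains
    "example.com": ("v=spf1 include:_spf.example.net ~all",
                    "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "example.org": ("v=spf1 ip4:192.0.2.0/24 -all",
                    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org"),
}

def audit(records):
    return {d: audit_spf(spf) + audit_dmarc(dmarc) for d, (spf, dmarc) in records.items()}

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE).items():
        print(domain, findings or "ok")
```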

Starting in February, Binary Defense developed two versions of a killswitch exploiting different weaknesses found in Emotet’s code. They shared it privately with various security researchers to keep the Emotet developers from learning about it as long as possible. But the Emotet developers eventually figured things out and updated their code earlier this month to eliminate the killswitch. That link also describes additional insights about how the malware developers have operated earlier this year.