Emotet is back in full swing with massive, North-America focused E-Mail campaign
Emotet, one of the most prolific financial malware threats of the last two years is being spread en-masse these days as part of a wide E-mail campaign. Since the beginning of November, Deep Instinct (as well as other security vendors) has witnessed a significant rise in Emotet activity. Emotet variants that surfaced in October, included new e-mail exfiltration capabilities. It seems that threat actors behind Emotet are now using harvested email accounts, trying to further expand the malware outreach.
Data from Deep Instinct’s D-Cloud (Deep Instinct’s threat-intelligence and telemetry cloud) indicates the attack is focused in North-America, with some targets found in other parts of the world - EMEA and APAC. We have spotted targets spanning across multiple verticals such as healthcare, education, financial services and hospitality to name a few. Since the beginning of November, we’ve identified and prevented thousands of attempted infections, carried out by a large set of droppers and 2nd stage payloads, which are mutated repeatedly on a daily basis.
Background
Emotet is one of the most prevalent financial malware threats of the last years. It first appeared in German speaking countries in Europe around mid-2014, and after two years without significant activity, Emotet reappeared in 2017, attacking mainly in the UK and US.
From its very first version Emotet spread mainly via Spam campaigns, imitating financial statements, transfers and payment invoices. Once it is dropped and run, Emotet intercepts and logs network traffic, injects to browsers and tries to access banking sites, in order to steal and store financial data.
In recent attacks (as of 2017), the dropper in use is usually an Office document containing VBA which downloads the PE payload, which might also drop additional malware. Emotet has developed since its reappearance in 2017 when it started adopting new evasion techniques. One example is searching for common applications found on security products such as debuggers and for common usernames found on sandboxing environments. And another is a rather rare code-injection technique where instead of using RunPE based process hollowing for injection, some new Emotet versions use windows API functions to create a Timers-queue timer, which call Emotet’s payload instead of calling the windows API callback function.
Emotet’s Back, Again…
Since its return to the financial malware scene in 2017, Emotet has been replicated and mutated frequently, both manually and by using automation to generate large numbers of variants. Emotet’s samples are based on continuous mutations (which vary in scope, complexity and evasion) of droppers and payloads for each target or attack wave. The latest attack wave is based on a set of mostly simple mutations of several dozen newly prepared droppers and payloads.
In several occasions in 2018 Emotet’s infection infrastructure and droppers have also been used to spread other financial malware/spyware such as Trickbot and Dridex. We can confirm this is case in the latest Emotet campaign – several droppers communicate with C2s serving both Emotet and TrickBot payloads.
As seen in previous attacks, the current campaign’s emails are financially related.
[caption id="attachment_4711" align="aligncenter" width="839"] Spam email and malicious attachment of the Emotet dropper, from the November 2018 campaign[/caption]
The droppers are either PDFs carrying malicious JavaScript or MS-office files with an obfuscated malicious Macro embedded. The content of the documents aims to lure users to allow and run the active content which is essential for infection to occur.
Once enabled and run, the malicious script (JS/VBA) will drop and execute Emotet’s payload with a simple cmd.exe command on the victim’s machine. As mentioned earlier, in some cases, the payload dropped is a of different malware strain known as Trickbot. This recurring scenario where Trickbot and Emotet share dropper and payload distribution infrastructures, or one is using the other as a secondary payload or a loader, might indicate a shared backend environment, in attackers have implemented a logic or mechanism which controls and decides the malware to serve.
Associating many of the new payloads to Emotet can be done based on several static artifacts known to be related to Emotet. In addition, Deep-Instinct’s deep-learning malware classification module (a secondary neural network used to classify malware to threat types and families) classifies the payloads which are part of this campaign as Spyware, immediately upon prevention.
[caption id="attachment_4758" align="aligncenter" width="974"] Event page in Deep-Instinct’s management console following Emotet payload prevention[/caption]
The new, large-scale campaign proves Emotet is here to stay and remains an imminent threat. Its polymorphic and mutating nature make its detecting challenging to many anti-malware products. New dropper and payloads variants are coming out daily and are successful at evading a wide range of solutions as is indicated by reports of infection as well as multi-scanner threat intelligence.
Deep Instinct customers are fully protected from Emotet. All new droppers and payloads are detected and prevented pre-execution using Deep Instinct’s Deep-Learning based solution.
IoC (prevalent samples)
Droppers
efdfe8f4b5aada41e97e47e1c439a2695e656c71dd973bb7789b13f516387797
2074fc77244a06c505e78a81d8e97bb0869aa3f7812aadb2a8b8e8a1cf3c95ea
daaf91eb4fb13da6233472df892398bd2ea8cd115398d7087121d6d42b0701ed
fef1c172e68f5812e669577b7d2f003cd0dc533d4d3d041f0f5969a40e39895b
7eddb2b15af34d65a8aaf5a891cddfc60bf278f6de6bede09c76e854363e50b0
533da9e9871ee55d5d60c2a7290f404948e75e1c18582e02d3df5ae0583b9ac2
a809d9fddb75b1643e8aa4b77600a988f6649592603177a406a33629fc2577d1
1112203340b2d66f15b09046af6e776af6604343c1e733fe419fdf86f851caa3
1f09bdbe1013422deff83817196f4c3bf6a9c83481c485d69851c0c0ae9d5f92
9c1468cf0ec8794f7a75fb8537e1a42e24436bcf63298792eb62ff55ee517f38
ba154a65b97dd287b4b85191759be5cae2bfb1b663bd5f6269dea7cb5e80f3a2
34cebe5a052d2d3a5c23059350443b4e6a133983029f9f8c3d275bb8a342402d
d610a705417b20cca16f07ded6445e844816e83747cd3655c5191fb0ed661591
6a34569bf87487070e6ddd5896b403b7dffb7d9a29341fda5813151a3511aaf6
00ad96a25485e893980b4d37bc4c8146c8b14644e4d6f9b6f6c4af9c2cd8a86c
02ed455630207e7d6f6fcd205d5f041f7721d474e39ae6c95194952b23e63cdf
064a9ec44e485f80efa82d29122c82dabb268dcca5b18ab6fe114ee657a6a84d
0734985f67598ec0a0caf9ca31edd54bc93c5072ab0facc09f3d5164c8930afe
0b15a15c61725f6f8f8981dc8ae068752de11018877c161bc578669fbdf65a61
0e8bb19a89fb67502ac0bfadf9f7e9cb0a1f6a239e886ab4d0066209cde3b0e2
19b5e022c1cb7ee7db9d922e90f885926db5e051ae54cdda107a3b98fc1b7dbb
1b70d7e452d68eee61465edc3c8adcd7cf4a1ec155e8ddfe846db68c6807f9a0
240be36c2dd40f30dc6ed9439b1d03b8ec602de20d52fa2c0c19411d365ac7c5
2ec4615e010a107133c1480a3a3a703a38924e64995b212ca50c65a57e88492d
2f7ee884d642d6bb0c92907c1322face20646abde7ea4e3ccaee8cdd65e7bed8
385a7461909257b9a1b154ee0a0f4db583283f741de418d622adbf7d32a4cb8a
3a8c93b83bbf3a15771881a49594ad822947aee3cc5010f92817b02db7b3a54f
4862ce1febc9746994796ede4ec763b77112fde15e63eeff5e1056cbec55adf4
4aaac5950c0405bd5afd633c56330709075d0f7b4afe49eb2842985db5ff6faa
528ea86eaf014de4edf23460006f8cdff14824296552cf2f9db3d1ad03a2880f
56d209dd8183f988088d5465f0035062f3c52c7541924a851cb7bba4564dac9d
5c534ae4e830cf73ddc02a19368138b60bfe0cd8ab12d1bb89106872fb735539
60c17dc600c05fc34a7ac198d6ae84f56c45f10dbddbb2f03420e7b0201d40f1
617a25491c3d643a73d54effbd4352cfa35d47078a76d9fee607961f0573bfac
70bb6ec457f876eaf97f6c27d88e7024b7ebf888fcd404573e5ce458d59cc27d
7176349ecf5ae7f73d255fd3144b5c7bfff57f814afcdec7b62c9dd788b6d53a
75b87903540c9362854bfb71f79dc3408a370b1c7aa829af6d12d04fa62fc026
7c0fb0e2bcd06fc2182b48d3833173c373fc000ad30c9006e9ead9ec1a6f26fd
8039cc157c4e9043521973fed5b0fe6ad374874063ebee389060272f61024da3
91df6bf7a128fad2e1fbe9e9af70539984717c40d96fd69ca007c26901c48b9c
aebb81a6d05b646ad0c345c4ef4b4f8a1ec08d703cd48f1d4f149095f47e7a1a
ba582d3578f14646617e19847cd2f2cb340f24d210131ad60048b4f15548a16b
bb8473cab0b5d82cce325a1cfcd434e0641a52d0c100376fdbf6290c1a5af688
d1d239d52d6332a737259c555ed2014ae6637e1c06fbe2fbb7bd3b180f8802f5
d207d1043348768094e636fdb28bf8b4e1e49cff3196360d5317aa168fa396f9
d66c21e2f60e2d27d3120457f9985791253e4e67df66a0f7efda961788005c06
d787f37aaaa575b0a19aa886fbc8b78743a0834f5f75462ba34d9d894df211e5
ddef4d5d13f37b145e50bce81b79c4b2108c76f17bc2295c9c20424bba55935e
e9daffb5fc1ef635eca9afcde827b82221c1f6905c6b2d4ba1922f922ed96808
ecd992117410d1a83ae3acca3499415387d7f3f73125de93c61c55426c2c36a8
f07be30c7f7158311ebad7481f2a5cc2e3f2a97a80b68882f727a0ece5356668
f247b6d306315dfaf756021628b33b4e6865109329b1bdff4632e9b9635c51db
f898411e938a4016c3af84a9a75466b2eb4eb7d0bd0f37bf0c84c242f39c9739
fe82376ba340ca82e24462e88ec7b4f24a02063d0230c7d2371b0d458af5c5a4
ffa274f2e3086a6ee4fbb8cacfa7f2e28026362481109ee0f88141016d51bbbb
01392dbc6794f27b39606bddd5726b1534f649bb2d36f1f6e837f8931d099044
10e9aeb45fd32f385d5fef1cc9d46a434421da798a87ddacd1327701363921f4
30b8cbdc6fa7ef8f110b27ecf1117b889a778d4e3f62d35e9e1a5df3d1a5f03d
4ef4ab4a8bd718f5c3e475e9c11c3d15b72d6c9475fd36974c1e719a0b23194d
56b2232c9bbdc0730880e3b29c9a791b18dff5bc7f25cad6fac2b2b8fe8d1414
6bc84cca2436f09a7211dc2466ba696f8ff0c70278ab53d10df7443266aaa17b
97d93672bdf6b1894bc079f0afd621ab878accbb5d52eee457df3d02b809f984
9deb9c2ab558a4dee62dc1da89e238854c31d96c175c88e501d76925a58f834c
a2ca4385f6cad68879e4d279c0a24bbfb8e105e9ba54397e87ee1f5433822e7f
a54e00135723727834499e280282d93ffe9d6f79adc224b012a2e3660a0c03a2
c06786289db6e826a8b2e0129bf90355bec19d6bf399ce3fa5603537ddbdcbd9
c4867001647e4cb6ad3a4b768964343ac732b6b4d41b0dcdae3595f1c81ea4fc
091311a798e62667b9752bd7c7e6812caa44f30974f29bd6b8697f4a87cb3e42
3599f8ecdbec7b5876a8304d7b8809c0f426161008fb2478dcb2f446fd0edd03
4b24be8697cb45f22249dab86c46bd77cfdd8eac2c237aecf0d14de99578ae53
60b7acb9e2b35a4b1b8ca59cacc57fe2642296065b25ba458f3781beec4f6da9
79af46ab095b237cd3f36807e493ce8690cb581d349f69615ce8174f9fa86e97
9ecc92a2bf0415036c3baad32b8caf8379568b40df61f617750d0cc4265c4d93
9f5e0f806d5d048806b0ea77022247cb940c6b098a0598fcdd8bd387ac355af3
a33fa1158321b7f44681e836c4cf5cb6b5114da52d8dcdf1d35c56f5525925f9
cae3f836be95674521b1462e02d55449147d95663d85a69dde1af58f34df91c6
d3f24f89e57eab8d5ffdae152a8b24f49fef773c4cad82f486acc660055c02e3
d7e8e6c0630b3874f2bf7de5a10a588c39c409b9e75d28dd7972f5140f08030b
da9f6f8155360ade1fe357630959f7a73869d11d8e04714dfa7bded6a79014aa
dd51dd3d7c04547597afcfc31e5f0c3af528745003c1691260dcffadbcd02ef9
de6fb65182e86c22b9112a1e6f03b425cf9552d513551a9d0b4f1e5cc48f3fcf
f224a5440bd277d7208c4d62d80e81bcc322f19a360c8aa27d1459747c743a61
f605ae380f52ea5a42c0f2de6e16f0c000cd242131cbfbff359f3cb6f7b25c9b
0016e9e223d9ae55eadaf9f0292c25feb4d7dd0430b6f86549e8f586504a746d
03728e25298349487fbdfe05c773c6c708caa5426f22762a4a11d5d0f7c41a82
10191c86a3ad4e1f88cbe3c2cdd0fc9b87b7f06b567dbfa30adaff783017ea92
1aebfb780136439c31d8ae0cfd38945c7d66665a65b7b7aad5e4926ed5827c73
1ebcecb51f02464ffe76c566dce08bca74af6f0213e4e62ae554bcf7edd8e36e
2074aa67a1a9dd4573a5fd34359e9a0b551faff26cb55f4f67593036944adcd5
28b434b6d8ba77390fddefe16ba0e488d507211b384d34cf3eead7fc5a95a998
2e8c933b1a647c86a2b97c1aaad5f8670272f3a6cd991bdef59513f9e9516127
39a36eee98f1e55f71b6bf80e9c87f4f9c1683c45739075dcc5241e2e98bb600
3b971f116d4dc6f32146729441cae789e3fb4860f435fe1647e70a63f1655a4a
4a455e0a53007d2bc3092d2ed1ba66ca53993255f154100d6e4675822aeff947
4dd713cba9002fb3d769973a7cb59fd21e304ebbdc48c2814ff0692d69201e64
518b13f6ba63ea1a958fe82f06581710a8ad9d88fff4396500be1f21e678330c
57d24769c8dd4ea3ef673402fc8768d27f9d231ef22baf1d42dd648e8859b554
58b152ad9500d8df9bf401cfa0505f03012ea99f5b216f78a6c661473c8967c3
633b5b4541f0f037760050ca6a8b8717635ee4ce76baa1d4717d7b0f08ae0bb8
71149b457bea5c3cd9746f7a00ba499e42e461acf87f260bdc64b17e12af64d4
73d7f5cabfc82d7bd8a54e03ecb51567d81ac5dfa8dc1bd36670daede4e6c482
8a30d1c386b48bcc6e7aaeb05493d97225552a0976bb4ce958a10b00af264bae
ab4e5d7bc57b1ef35f09d0f12a20f770d17ab10e22e6d2c66397072da9257ce8
aed428c7d35f2f06ac9d19d16329e6c7cf8ea3bdfd5e393a39566a73bb5b7cce
b303dbd7790be21de9b61e812537ef369ce7327fd536f46dbe3105f7c0273c80
bcc03fc3afc5c709d0ffe34346895f0dde4ca74c900e855e4eea4d9ef40457fa
dc296220562c8ed2aa0ae5f99ff692826a82711c4d7dab4d62e330e1b4aebdb2
e7dcbaaec834d3b3accd527299f71fd1056b9b88e5156d83ec6e928d13872177
f3dfd5cbe82858026348fb76b9400e5c810b7642553dc08220a4261f158fa8b0
ff5a9627b2c8c3871d4dbaea80dfc3c94f35f7f80d9f92203a1a638e68e4b3f6
1112608cf6deef9ec6ada125d068e84fa67d6b081e26753860de055d86907e9d
Payload
5f0df0c31c47da2cf9e379f392144bf8d2437d436d9ea7c14ff07f5d04a705e7
0ea0d10daa8441022afe01bc1bdae16d5a858b77311c3f71a6d1c535e645e623
86b7c8c206ee81e2396a1c16a1014d3759479db9b133cb1906ad33e06cf915e9
f2cbb164dd9defb79c2bc94f075dfaa84cd9fd285f44b8ea1d7ca1c81a537c22
d69a3f1620bf2a442cd584a0a657fc93b47d4f08f446ca84f1d5471e669a59b9
ef2301ce298dc73ed2022e5607400e8ce00a563ea2e6d78cfdafcfb7612fa829
7c359f37bc807c4c2daf5b8f6b705f70f4fbf6fc62b4e02d48cb6b9679b274b0
21248a7f14f2159fd4768e64b1c531358a793c558966dca00aefcbb7ed217c67
8906c39fab5491d47a9502ff8914949afc920914257d31fbc7f92d8d58576b68
a25625f7d1e3bcd30477059562cfa0d0ec618fc076d73b3ca02beabde7a5a601
e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb
10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2
951f1946669138459a5185ea594d13fa358486cf05daab305d4174c1a1cf0579
b2c5e2ce8d94d854f39b418afdbb373e1cf9e40d273046255350366e177156b9
8f3f1ddad7c13b3757ca200fa93d2afd33c52b1c7dc2f27caa8ecd989291f748
a149821063817e9473392d7b3e330db8e4bfbba989bd8ad5f0ad31a1e0629ecc
e468da459d9023c5e6a64e2aa3bea761d05e423cea3f6e594f0569bc922ea416
2b9084bebcb7655879818bf44c15571ce3161e8dd9b3ef5c8387e9c598c0234d
2b641d37a926b7050f9fa179e6cb3439d0eea4e66b9ce4cd84d4ee3c60446c4f
95caccb8371619ba3b340f6bf82b965db08b24286aa75ddcf71e9cde14d34180
582e0912fee577fb52ea5f06ec43a8b241f4baa431ef1ed3a575f7ec0a11a51e
42d1d8cd25db430abe8c665e361fc249ecf773b63721dd52c2db8e12be509562
5cfd134c67b2ea0ddd16a2b7f1e639f4b71301efe22775ce5639a2338ff8576f
9155a2f84c7a36f27deaa0a3f63bbcb426ace329e10edcbe7d9a8aa8a20cb133
e3b29504f62f153921f4f91260c2a7288deeba3c1c8978ed101191a0ebd8cab9
da07fc26a9dded88ef3c27f0cd5145f68620fb599f2d56ce1675a801bfa878ec
afbb5d83f5c9d104a2e478a05d4350f9ad01aa82b66554f452f1336005461346
412d5f1887c34fe7ee92a3fa9328c6003edfd345ad9020f1aed42a4a81341e37
96650fb7488f2d2b7c6c88f5b02428cdc5b54a61f513a28b290450d10b24ff08
667cda76b582c0771f85ad12167238e0f4bb12f479030d99c8a15d7f08eb9975