Exploring Emotet, an elaborate everyday enigma · 2019-10-08
TRANSCRIPT
Luca Nagy
Threat Researcher, SophosLabs
Oct 2019
Exploring Emotet, an elaborate everyday enigma
History of Emotet
May, 2014
V1 - First sample seen by Sophos
Nov, 2014
V2 - modular structure
Targeting German and Austrian banks
Jan, 2015
V3
• anti-VM techniques
• social engineering tricks
Targeting Swiss banks
No significant campaign
Delivering by Rig EK
Dec, 2016
Apr, 2017
V4 - targeting UK
• no banking module
• network spreading capabilities
• delivery service for other malware
Arriving in the USA
Auto-updating the binary
Dropping Dridex, IcedID
Dropping ZeusPanda, Trickbot, Qbot
Email harvesting module
Oct, 2018
May, 2017
May, 2019
Email conversation chains in spam messages
2@luca_nagy_
After long break, it reappeared
Aug, 2019
Unique binaries and downloaders on a daily basis
70 new binaries (2019)
1763 new downloaders (2019)
Delivery method - Spam messages
Anti-analysis techniques: Anti-VM techniques, process injection
Anti-VM techniques
• Checking process list locally, using fake IP list
• Detecting VM, AV related files, folders
• Detecting sandbox environment
• Sending process list
Process injection
• Wrapper modules
• Heaven’s Gate
Anti-analysis techniques: Injecting into 64 bit process - Heaven’s Gate
[Figure: the same bytes shown side by side in a 32 bit disassembler and a 64 bit disassembler]
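The slide shows why Heaven's Gate confuses a 32 bit disassembler: the code changes mode mid-stream, so a 32 bit view of the bytes after the far transfer is garbage. A triage scanner for the byte sequences that perform that transfer, as an added example that is not part of the talk or of SophosLabs tooling, follows. The three encodings (push 0x33 ... retf, jmp far 0x33:imm32, call far 0x33:imm32) are public knowledge; the sample buffer, the pattern names and the function name are constructed for this example.

```python
# Added example (not from the talk): byte-pattern triage for the classic
# Heaven's Gate sequences a 32-bit image uses to switch into 64-bit mode.
# The encodings are public; the sample buffers below are constructed.
import re

# Far transfers that select the 64-bit code segment (selector 0x33):
#   push 0x33 ... retf        -> 6A 33 <up to 16 bytes> CB
#   jmp  far 0x33:imm32       -> EA <4-byte offset> 33 00
#   call far 0x33:imm32       -> 9A <4-byte offset> 33 00
HEAVENS_GATE_PATTERNS = {
    "push33_retf": re.compile(rb"\x6A\x33[\x00-\xff]{0,16}?\xCB", re.DOTALL),
    "jmp_far_0x33": re.compile(rb"\xEA[\x00-\xff]{4}\x33\x00", re.DOTALL),
    "call_far_0x33": re.compile(rb"\x9A[\x00-\xff]{4}\x33\x00", re.DOTALL),
}


def find_heavens_gate(buf: bytes) -> list[tuple[str, int]]:
    """Return (pattern name, offset) for every candidate Heaven's Gate
    transition in buf, ordered by offset. This is a triage heuristic:
    the same bytes can occur as data, so confirm hits in a disassembler."""
    hits = []
    for name, pattern in HEAVENS_GATE_PATTERNS.items():
        for m in pattern.finditer(buf):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: 8 NOPs, then "push 0x33; call $+5; add dword [esp], 5;
# retf", 4 zero bytes, then "jmp far 0x33:0x00401000" (little-endian offset).
SAMPLE_CODE = (
    b"\x90" * 8
    + bytes.fromhex("6A33E80000000083042405CB")
    + b"\x00" * 4
    + bytes.fromhex("EA001040003300")
)
# Constructed benign buffer: only NOPs, no mode switch.
CLEAN_CODE = b"\x90" * 32

if __name__ == "__main__":
    for name, offset in find_heavens_gate(SAMPLE_CODE):
        print(f"{name} at offset {offset:#x}")
```

Running it on a dumped code section gives you offsets to open in a 64 bit disassembler from the target of the far transfer onward; a hit on its own is not proof, since `6A 33` can appear inside ordinary immediates.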
Anti-analysis techniques: Custom packer
Main functions of the binary
C2 server communication
IP address count used to reach the C2
(observed in the first 4 months of 2019)
Downloaded Modules: Wrapper modules
Inject into:
• /System32/alg.exe
• New instance of itself
Wrapper modules - Injected NirSoft executables
WebBrowserPassView
Mail PassView
Wrapper modules - Injected proprietary executables
Email contact extractor
Email content harvester
Regular modules: Network spreading module
• Enumerating SMB, null session connection
• Brute-forcing the connections (~10 000 passwords)
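The spreading module described above produces a very visible footprint on the victims it tries: a burst of failed network logons from one host against a handful of accounts, optionally followed by a success. The detector below is an added example, not code from the talk or from SophosLabs; it assumes a simplified, constructed log format (ISO timestamp, Windows event ID, source IP, target account, logon type) rather than real event-log XML, and the sample lines, thresholds and function names are all constructed for the example.

```python
# Added example (not from the talk): flag SMB password-guessing bursts in
# Windows logon telemetry. Event 4625 = failed logon, 4624 = successful logon,
# logon type 3 = network logon, which is what an SMB session produces.
# The line format and every line below are constructed, not real telemetry.
from collections import defaultdict
from datetime import datetime

# Constructed lines: "<ISO time> <EventID> <source IP> <target account> <logon type>"
SAMPLE_LOG = """\
2019-10-08T09:00:01 4625 10.0.0.23 administrator 3
2019-10-08T09:00:01 4625 10.0.0.23 admin 3
2019-10-08T09:00:02 4625 10.0.0.23 backup 3
2019-10-08T09:00:02 4625 10.0.0.23 administrator 3
2019-10-08T09:00:03 4625 10.0.0.23 admin 3
2019-10-08T09:00:03 4625 10.0.0.23 backup 3
2019-10-08T09:00:04 4625 10.0.0.23 administrator 3
2019-10-08T09:00:04 4625 10.0.0.23 admin 3
2019-10-08T09:00:09 4624 10.0.0.23 admin 3
2019-10-08T09:05:00 4625 10.0.0.50 jsmith 3
2019-10-08T09:05:20 4625 10.0.0.50 jsmith 3
2019-10-08T09:05:40 4624 10.0.0.50 jsmith 3
"""


def parse_events(log_text):
    """Parse the constructed format into (time, event_id, src, account, logon_type)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, account, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), src, account, int(logon_type)))
    return events


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window_seconds span."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_smb_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: summary} for sources whose network-logon failures
    reach `threshold` inside `window_seconds`. A success from the same source
    after the burst is the strongest sign that one of the guesses worked."""
    failures = defaultdict(list)   # src -> failure timestamps
    accounts = defaultdict(set)    # src -> accounts that were tried
    successes = defaultdict(list)  # src -> successful logon timestamps
    for ts, event_id, src, account, logon_type in parse_events(log_text):
        if logon_type != 3:
            continue
        if event_id == 4625:
            failures[src].append(ts)
            accounts[src].add(account)
        elif event_id == 4624:
            successes[src].append(ts)
    alerts = {}
    for src, times in failures.items():
        if max_in_window(times, window_seconds) < threshold:
            continue
        first_failure = min(times)
        alerts[src] = {
            "failures": len(times),
            "accounts": len(accounts[src]),
            "success_after_failures": any(t > first_failure for t in successes[src]),
        }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_smb_bruteforce(SAMPLE_LOG).items():
        print(src, summary)
```

The sliding window keeps a user who mistypes a password twice (10.0.0.50) out of the alert while a host trying several accounts in a few seconds (10.0.0.23) is flagged; the `success_after_failures` field is what should raise the alert's priority, since it means a password from the list was accepted.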
Regular modules: UPNP module
• Port-forwarding
Port numbers set by the module:
20, 21, 22, 53, 80, 143, 443, 465, 990, 993, 995, 7080, 8080, 8090, 8443, 50000
(Same as the port numbers used to reach the C2 – hardcoded in the binary)
• Bypassing firewall rules
• Verifying the settings
Regular modules: Spam bot module
• SMTP message sent by the spam bot module
[Figure: annotated SMTP message: sender = victim A; receiver = target A; hijacked account = victim B; template]
Delivered malware
• Directly: Banking Trojans (e.g. Trickbot, Qbot, Dridex, Ursnif, IcedID, …)
• Indirectly, as a second stage dropped by those Trojans: Ransomware (e.g. Ryuk, BitPaymer, MegaCortex)
• Attack-chains:
• Emotet – TrickBot – Ryuk
• Emotet – Dridex – BitPaymer
• Emotet – Qbot – MegaCortex
Sum up
• Information, credentials from browser
• Spreading through LAN
• Email address books
  From: victim A’s name <victim B’s account>
  To: target A
  (target A = victim A’s acquaintance)
• Email account settings
  From: victim B’s name <victim A’s account>
  To: target B
  (target B = victim B’s acquaintance)
• Email conversation threads
  From: victim A’s name <victim B’s account>
  Sub: RE:
  To: target A
  Body: victim A’s email domain/…/...zip
  (target A = victim A’s acquaintance)
• Spamming
• Proxy
• Deliver malware
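The spam bot module slide and the "Sum up" slides describe the same forgery from the recipient's side: a known contact's display name on a message sent from a different, hijacked account, a subject that pretends to be a reply, and a body link to an archive hosted on the impersonated contact's domain. Each of those is checkable at the mail gateway. The scorer below is an added example, not code from the talk or from SophosLabs; it assumes the recipient organisation keeps an address book keyed by display name, and the two messages, the address book entries, the indicator codes and the function names are constructed for the example.

```python
# Added example (not from the talk): gateway-side heuristics for the spoofing
# pattern in the "Sum up" slides. Messages, address book and indicator names
# are all constructed for this example.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book for the recipient's organisation: display name -> address.
ADDRESS_BOOK = {
    "alice example": "alice@example-corp.example",
}

URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s<>\"']*)?", re.IGNORECASE)

# Constructed suspect: known name, foreign mailbox, fake reply, zip on the
# impersonated contact's own domain (the pattern on the slide).
SUSPECT_MESSAGE = """\
From: Alice Example <alice@hijacked-mailbox.example>
To: bob@target.example
Subject: RE: invoice 4471
Content-Type: text/plain; charset="utf-8"

Hi Bob, the signed copy is at http://example-corp.example/docs/invoice.zip
"""

# Constructed benign reply: address matches the book and threading headers exist.
BENIGN_MESSAGE = """\
From: Alice Example <alice@example-corp.example>
To: bob@target.example
Subject: RE: invoice 4471
In-Reply-To: <1234@target.example>
Content-Type: text/plain; charset="utf-8"

Hi Bob, thanks, received.
"""


def message_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw_message, address_book=ADDRESS_BOOK):
    """Return the sorted list of indicator codes that fire for a raw message."""
    msg = message_from_string(raw_message)
    indicators = set()

    # 1. Display name belongs to a known contact, but the address is not theirs.
    display_name, address = parseaddr(msg.get("From", ""))
    known = address_book.get(display_name.strip().lower())
    if known and known.lower() != address.lower():
        indicators.add("display_name_address_mismatch")

    # 2. "RE:" subject with no In-Reply-To / References: a reply to nothing.
    subject = msg.get("Subject", "")
    if re.match(r"\s*(re|fwd?)\s*:", subject, re.IGNORECASE) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        indicators.add("reply_subject_without_thread_headers")

    # 3. Archive link in the body, and whether it sits on the impersonated domain.
    for host, path in URL_RE.findall(message_body(msg)):
        if (path or "").rstrip(".,;)").lower().endswith(".zip"):
            indicators.add("zip_link_in_body")
            if known and host.lower() == known.split("@", 1)[1].lower():
                indicators.add("zip_link_on_impersonated_domain")
    return sorted(indicators)


if __name__ == "__main__":
    print("suspect:", score_message(SUSPECT_MESSAGE))
    print("benign: ", score_message(BENIGN_MESSAGE))
```

None of the four indicators is conclusive alone (people do send genuine zip files and mail from personal accounts), but a message that fires all four matches the slide's template exactly and is worth holding for review rather than delivering.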
?
Thank you!
Also thanks to: Gábor Szappanos, Ferenc László Nagy, Dorka Palotay, SophosLabs
@luca_nagy_