Live

Live Blog: Emotet Botnet

  • 10 February 2020
  • 6 replies
  • 961 views
Live Blog: Emotet Botnet
Userlevel 6
Badge +14
  • Sr. Threat Research Analyst
  • 101 replies

This Live Blog will be updated with new info on the Emotet malware as we see it evolve.

 

Botnets have continued to dominate the infection attack chain the past few years. No other type of malware was responsible for delivering more malicious payloads like ransomware, credential stealing trojans, and cryptomining malware. Emotet, which was the most prevalent malware of 2018, held onto that notorious distinction into 2019. Briefly shut down in June 2019, Emotet returned from the dead in September 2019, and still remains the largest botnet to date.  

While Emotet is always evolving and still experimenting with new ways to infect victims and their networks, the below is a short summary of what a user would experience when being the target of this very common attack.  

Emotet infects users via a malicious script or macro-enabled document that spreads from spam emails. The “urgent notice” emails attempt to persuade the user to open the attachment by saying “you’re being sued”, or “you missed a package”, or “here is the invoice/payment details of your order”. Sometimes they'll even take advantage of the holidays in the form of e-Christmas cards.  


When a user opens the file they'll see a document without the information promised. Instead the script will try to persuade the victim that the document is protected. Next, it'll prompt the victim to click the “enable content” button to view the document.  


This is the trick; the 'gotcha'. When the user clicks on the “enable content” button the user has now activated the macro. This will then start the download and execution of the Emotet malware.  

 

 

Once infected, Emotet will act as a sensor for the criminal to analyze the environment to “case the joint” if you will. It will run a variety of tasks like:  

  • Downloading additional malware 

  • Stealing stored passwords 

  • Providing remote access to the attackers 

  • Deploying a ransomware or cryptomining payload to make money 

The in depth analysis of the environments by the hackers using Emotet allow them to know the worth of the data they are stealing/breaching and request much larger ransom payments.   

Summary of end result payloads from Emotet   

Emotet - Trickbot – Ryuk (“Triple Threat”)  

In terms of financial damages this is probably the most successful chain of 2019. It's also worth noting Emotet -> Dridex -> Bitpaymer. Both of these groups (Trickbot / Ryuk and Dridex / Bitpaymer) have shifted to more target/reconnaissance based operations. They assign a value to the targeted network after infection. Then, they'll ransom them for that amount post lateral movement/deployment of their ransomware.

Trickbot/Ryuk 

Through the first half of 2019, Trickbot was often delivered as the second stage payload from Emotet. Ryuk infections typically delivered by Trickbot result in mass encryption of entire networks. Trickbot has been partnering with banking Trojan groups like IcedID and Ursif in 2019. Its modular infrastructure makes it a serious threat for any network it infects and, when combined with Ryuk ransomware, it's one of the more devastating targeted attacks of 2019.  

Dridex/Bitpaymer 

Dridex was once one of the most prominent banking trojans. Now it acts as an implant in the infection chain with the Bitpaymer ransomware and is achieving alarming success. We've observed it also being delivered as a second stage payload off of Emotet.

Cryptomining is an emerging online threat that hides on a computer or mobile device and uses the machine’s resources to “mine” forms of online money known as cryptocurrencies. It uses unused CPU on the machine as discretely as possible without the victims knowledge or consent. And according to Webroot’s research, these attacks rise and fall with the relative market cap of cryptocurrency price.  

 


6 replies

Userlevel 6
Badge +14

Emotet can now also infect via wireless networks through file-sharing services.

emotet spread Wi-Fi networks

See more here: 

https://www.helpnetsecurity.com/2020/02/06/emotet-spread-wi-fi-networks/

Userlevel 7

Hi @TylerM would Webroot SecureAnywhere block outgoing communication with it’s firewall if one is infected with an unknown variant? Re: Monitoring Levels?

 

Thanks,

Userlevel 6
Badge +14

Hi @TylerM would Webroot SecureAnywhere block outgoing communication with it’s firewall if one is infected with an unknown variant? Re: Monitoring Levels?

 

Thanks,

We would block the C2 server before the malware was even downloaded, if that fails, then we would quarantine the file before any execution took place. Our detection for Emotet is top-notch, but if a (unknown to WSA) emotet variant were on a machine and trying to infect others on a network, then yes, we would block that communication. 

Userlevel 7

Hi @TylerM would Webroot SecureAnywhere block outgoing communication with it’s firewall if one is infected with an unknown variant? Re: Monitoring Levels?

 

Thanks,

We would block the C2 server before the malware was even downloaded, if that fails, then we would quarantine the file before any execution took place. Our detection for Emotet is top-notch, but if a (unknown to WSA) emotet variant were on a machine and trying to infect others on a network, then yes, we would block that communication. 


Great to hear and thanks for the info!

 

Cheers,

Userlevel 6
Badge +14

Just a heads up to many of you that may read this. Emotet and previous taken a break for the past couple months and they are now back at it in full force. They are taking advantage of COVID-19 and many of the initial phishing lures to the macro docs are COVID-19 themed. 

 

I’ll post more as I see it

Badge +2

Looks like another wave just started. We've had 2 a day this week.

Reply