Everything You Wish Your Parents Told You About Emotet

Pleasantries

“One of the most dangerous Trojans ever created”.

Quite the description for Emotet coming from a popular online malware sandbox.

CISA, The United States Cybersecurity and Infrastructure Security Agency, has described Emotet in a 2018 alert as the “most costly and destructive malware” affecting the US private and public sectors, whilst in 2020 labelling it as “one of the most prevalent ongoing threats”.

Now that is some introduction for a strain of malware that has been around since 2014.

But where did it originate, who is responsible for it, and what makes it still such an insidious piece of malware today?


The ‘Genesis’ of Emotet

We’ll start our journey back in the year of Flappy Birds and Ice Bucket challenges. A few months after Flappy Bird was abruptly removed from mobile app stores in early 2014, a blog post appeared by Trend Micro analyst Joie Salvio which introduced the world to “new banking malware” detected as Emotet. Joie was however not responsible for naming the malware, and it appears that the reason behind Trend Micro calling it Emotet will forever be lost in the sands of time.

Although this 27 June 2014 blog post was seemingly the first time the world heard the name Emotet, it was not the first time the actual malware was observed. Security researcher Mikko Hyppönen noted the following message dug out from his industry mailing list archives from 2014: “Looks like someone found yet another name for Geodo, which we’ve seen since at least a month or more (mid to late May 2014)”.


But first: Feodo

So let’s take a step back to 2010. This time I’ll spare you references to Fruit Ninja…

During the latter part of 2010, cybersecurity firm FireEye reported on a banking trojan called Feodo. The report noted that they had been seeing this trojan in the wild since August 2010, with similar traits to the then famous banking trojans called Zbot and SpyEye.

Now, this is where you need to keep your wits about you. The Feodo trojan was later on also referred to as Cridex or Bugat. Cridex is where another famous banking trojan called Dridex is said to have evolved from.

Fast forward again to 2014 (cue flappy birds stopping their flapping all too unexpectedly). Abuse.ch reported in early June of that year that they were seeing a new version of the Feodo banking trojan “which some security experts started calling Geodo”. A few days after Trend Micro baptized Feodo as Emotet, Seculert also reported on a new version of Cridex (aka Feodo aka Bugat) whilst referring to it as Geodo.

The Geodo aka Emotet banking trojan continued to happily steal hard-earned cash from various victims between 2014 up until 2017 when a new version of Geodo arrived. The new version was called Heodo. (Now in keeping with the alphabet rotations, you would’ve thought that Geodo aka Emotet would then become Fmotet, but I guess that didn’t go well with focus groups, and the new Heodo malware was able to keep its Emotet naming.)

Here’s a quick Genesis summary:

  • First, there was Feodo (circa 2010), which was also known as Cridex or Bugat (although some might claim that Feodo was the successor to Cridex, and is not Cridex itself). Other researchers noted that Feodo was only first spotted in 2012.
  • In 2014 came Geodo (aka Emotet), the son of Feodo.
  • Finally, in 2017 came Heodo (aka Emotet), the son of Geodo.

As such, if in the year of Our Lord 2020 someone is referring to an active Emotet campaign or infection, they are referring to Heodo, and vice versa.


Banking Trojan 101

So the question remains: What does a Banking Trojan do?

At its core, a banking trojan has the purpose of intercepting online banking usernames and passwords from infected computers. Once this data is obtained, it is sent off to their controlling syndicates to use for fraudulent transactions or even sold on for others to use.

This interception of banking credentials can be done in several ways:

  • Logging keystrokes typed on the keyboard of an infected computer.
  • Intercepting username and password fields typed into logon forms.
  • Presenting victims with fake online banking login pages when they attempt to access their legitimate banking website.


Evolving With The Times

When Trend Micro analysed Emotet in 2014, they detailed how the malware would specifically monitor web activity on an infected machine. Once an online banking website was accessed which matched a predefined list of targeted banks, the malware would intercept the entered credentials. It was capable of doing this even if the banking website was accessed via an HTTPS connection.

We’ll call this Emotet version 1 (mainly because others did so).

Emotet versions 2 and 3 came onto the scene that same year (2014), sporting functionality to automatically conduct fraudulent transactions on infected machines using automatic transfer systems (ATS).

In addition to the ATS functionality, Emotet went modular. This meant the malware had separate modules within itself which were responsible for different things, like stealing banking credentials, intercepting email login data, or distributing spam. Emotet’s loader was also changed into a separate module. A loader (in malware terms) is responsible for loading additional second-stage malware payloads onto the infected system.


Malspam All The Way

Since its early days, Emotet has been gaining its initial infections via malspam campaigns. That is, spam emails that either contain malware as an attachment or a link that downloads malware onto the victim’s computer. These email messages had themes ranging from financial communications to urgent courier delivery messages.

In the early twenty-tens, most banking trojan operators were relying on tricking their victims into thinking that the email attachment or downloaded file named Invoice.pdf.exe was an actual urgent PDF invoice and not something much more dangerous.

Emotet has since moved on to predominantly making use of malicious PDF documents or macro-enabled MS Word document email attachments, or a link to download either.


Mr. Delivery

In 2017, while Elon Musk and Mark Zuckerberg were fighting on Twitter over the threat posed by Artificial Intelligence, Emotet started its own delivery service.

This service evolved with the times and by July 2018, CISA labeled Emotet as a “modular banking trojan that primarily functions as a downloader or dropper of other banking trojans”. This meant that Emotet pretty much became a dodgy food delivery service that will walk up to your door, ring the bell and, when you open, smash a freshly cut sample of the Dridex trojan in your face. To round it off, the delivery guy will then jump your back fence and repeat the same ‘face-smashing-Dridex-delivery-service’ with your neighbors.

CISA estimated that Emotet infections have cost SLTT Governments (State, local, tribal, and territorial) up to $1 million per incident to remediate.

Emotet had five known spreader modules at this stage, which were put to work to allow it to further spread and infect other computers. It could spread to computers on the same network by attempting to brute force passwords, or use email addresses extracted from Outlook on an infected machine to send out additional spam emails.

Emotet’s delivery service business continued strong throughout 2018 and 2019. In late 2019, Emotet was observed making use of socially engineered spam emails: “Emotet’s reuse of stolen email content is extremely effective. Once they have swiped a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads.” Talos, September 2019.
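The reply-chain trick quoted above has a simple defensive check: a genuine reply to a message you sent should come from the address you wrote to. The heuristic below is an added example (not from the original post or from Talos); the Message-IDs, addresses and both sample mails are constructed for the demo.

```python
"""Reply-chain hijack check (added example, not from the original post).

If an inbound mail claims to be a reply to something we sent (its
In-Reply-To matches one of our outbound Message-IDs), the sender should be
the address we originally wrote to. A reply that quotes our real thread but
arrives from a different address is flagged for triage.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed index of mail we sent: Message-ID -> recipient address.
SENT_INDEX = {
    "<20200915.0001@example.com>": "alice@partner.example",
}

# Constructed sample: a normal reply from the original correspondent.
SAMPLE_REPLY = """\
From: Alice Partner <alice@partner.example>
To: bob@example.com
In-Reply-To: <20200915.0001@example.com>
Subject: Re: Q3 invoice

Hi Bob, see attached.

> Hi Alice, could you send the Q3 invoice?
"""

# Constructed sample: same quoted thread, but sent from an unrelated address.
SAMPLE_HIJACK = """\
From: Alice Partner <info@unrelated.example>
To: bob@example.com
In-Reply-To: <20200915.0001@example.com>
Subject: Re: Q3 invoice

Hi Bob, please open the attached document.

> Hi Alice, could you send the Q3 invoice?
"""


def check_reply(raw: str, sent_index=SENT_INDEX) -> str:
    """Return 'ok', 'suspicious' or 'unrelated' for one inbound message."""
    msg = message_from_string(raw)
    ref = msg.get("In-Reply-To", "").strip()
    expected = sent_index.get(ref)
    if expected is None:
        return "unrelated"  # not a reply to anything we sent
    _, sender = parseaddr(msg.get("From", ""))
    # Display name is ignored on purpose; only the address is trusted.
    return "ok" if sender.lower() == expected.lower() else "suspicious"
```

A correspondent answering from a second mailbox will also trip this check, so treat a "suspicious" result as a triage signal rather than an automatic block.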

In 2019, campaigns were noted where Emotet dropped the TrickBot trojan to steal sensitive information from infected machines. After TrickBot did its job, it would in turn download the Ryuk ransomware for a coup de grâce.


The Spider In The Room

We still haven’t touched on the aspect of attribution. That is, who are the people behind Emotet?

One thing that is certain is that we have three names being used to refer to Emotet’s handlers:

The “Spider” in Mummy Spider is the umbrella term used to refer to cybercriminal groups that aren’t directly linked to Nation-State-Based Adversaries. Some researchers have also noted that Mummy Spider is a Russian-speaking group.

But, for now, this is the short answer you’ll get when asking the question “Who is behind Emotet?”: a likely Russian-speaking cybercriminal group.


Emotet Today and Tomorrow

To date, researchers have tracked three different botnets used to send Emotet malspam campaigns. Each has its own infrastructure, and they are referred to as Epoch 1, Epoch 2 and Epoch 3. The themes used in Emotet malspam campaign emails also adapt to the times or seasons. One of many examples is the recent ‘Halloween house party’ themed email lures that were used during October. The Emotet delivery service has also been pushing on, with the malware currently being tracked for delivering the notorious QBot (aka Qakbot) malware.

Development of the Emotet malware appears to be ongoing as a new Emotet loader-type was discovered in early 2020, giving it the capability to spread to nearby wireless networks with poor passwords.

Even though there was a five-month hiatus at the beginning of this year without any notable Emotet malspam campaigns, it is still on track to end the year with a bang. Some security firms have stated that they were seeing between 1000% and 1300% increases in Emotet detections in the past months.


Closing Rhyme

(it’s not lame if it makes you smile)

Emotet,
Not dead.
Has caused millions of dollars to be bled,
While helping the most treacherous cyber-attacks spread.

Stay safe.


Need help?
If you are looking for mitigation techniques against Emotet, most major cybersecurity firms have published advice on how to protect against it. Here is a comprehensive list put together by CISA: https://us-cert.cisa.gov/ncas/alerts/aa20-280a

#Cryptojacking – A ‘Not Too Technical’ Story


Bitcoin, blockchain, bitcoin mining, mining bitcoin on the blockchain, using the blockchain to mine bitcoin in order to buy Ethereum so that you can in turn buy stuff on the dark web. Yeah, that doesn’t make a lot of sense. Now, add another word to the already confusing list of cryptocurrency terms: #Cryptojacking.

Side note: The term Cryptojacking is not to be confused with malware families like CryptoShuffler or ComboJack. These are geared towards stealing actual bitcoin.

Cryptojacking, however, is when a victim’s computing resources are hijacked and used to mine cryptocurrency. On a basic level, this means that the targeted computer’s processor and GPU are used by an attacker to perform the computationally intensive work of validating cryptocurrency transactions. The resulting reward (coins) from the mining is then received by the attacker.

Currently, there are two flavours of Cryptojacking:

  1. Via the browser. When a user visits a website that has a cryptomining script enabled, the processing power available from the user’s computer is used, via the browser, to mine cryptocurrency. Mining scripts are often added to compromised websites where mining takes place without a user’s knowledge or consent. The malicious mining ceases once the browser tab for the infected website is closed.
  2. Via malware infections. Cryptojacking malware running on an infected computer will allow for continuous mining. An example of this is the PowerGhost miner.

Cryptojacking is in essence the digital equivalent of someone breaking into your tool shed at night and, instead of stealing your stuff, they use your tools:

Creating amazing wood furniture, those projects you see on Pinterest where a guy with a leather tool belt takes old wood pallets and creates the most amazing chest of drawers within 22 minutes, flat.

Is Cryptojacking an issue that deserves priority?

This is a legitimate question, seeing that ‘no one is getting hurt’.

Let’s continue with our tool shed analogy: You now suspect that someone is making use of your tools at night. Do you interrupt your hard-earned sleep and hold a stake-out to catch the bugger? Or should you rather focus on the real criminals that might actually steal your stuff?

Although our miscreant is bringing along his own upcycled pallets, he is still using your machinery. Say he does it once or twice a month; that ain’t bad, you think. But, unfortunately, he does not have the woodworking finesse of Nick Offerman, and for all you know, he’s doing it every night. Using your electricity, breaking your drill bits, leaving the wood glue bottle open, not to mention the wear and tear on your machinery. Some nights he even lets your mitre saw run for 8 hours straight, allowing it to overheat and damage the motor.

This guy is now pretty much spending 12 hours a night, 7 nights a week in your tool shed, which also gives him time to look around the yard. One night during a smoke break, he sees that kitchen window with the broken latch you’ve been meaning to fix for the last 4 Saturdays. Miscreant ponders to himself: “A cup of coffee would sure be nice…”

As you wake up the next morning, you realise that our miscreant was in your kitchen and used your last batch of Legado Guatemalan Finca El Rincon single origin coffee beans to create the smoothest of cappuccinos in your newly imported Italian Rocket Espresso machine.

As you sip on a stale cup of instant coffee (which you think to yourself tastes more like a cardboard box than pure exhilarating caffeine), you decide that this was the last straw… It is time for action. That afternoon, you swing by the local hardware store and buy a new window latch and a proper hardened steel padlock for the shed. “That’ll keep ‘em out” you think to yourself as you lock the shed and smile at the newly fixed kitchen window latch.

The next morning, as you awake from a restful sleep, you stroll down to the kitchen, already planning an amazing breakfast for the missus (eggs benedict with a chili hollandaise sauce and streaky bacon).

“This is going to be the best…. WORST BREAKFAST EVER!!”.

It’s gone. Everything is gone. Your fridge with the eggs and streaky bacon, gone. Your vegetable rack with the fresh chilies, gone. Your Rocket Espresso machine… GONE. As the horror of what could only have happened during the night dawns upon you, your eye catches a glimpse of the open patch of lawn where your tool shed once stood. FREAKIN GONE. How the dangit did someone steal a tool shed and MY ENTIRE KITCHEN?

During the next few hours, as policemen walk up and down the yard looking for clues, it dawns upon you. The woodworking miscreant had other skills as well. He wasn’t only a Pinterest-level craftsman, but also a master thief (he was able to carry away your entire kitchen without you waking up), a pretty decent truck driver (reversing a flatbed truck down your driveway and lifting your tool shed takes some work) and a meticulous planner. During the past week of night-time craftsmanship, the miscreant cloned your house keys and your gate remotes. This allowed him to open the front gate with a remote, reverse the truck in and unlock the kitchen door after loading the shed.

Fairly dramatic, yes, but the take home remains:

Cryptojackers aren’t just a nuisance. In the recent case of the Rakhni Miner, upon successful infection, the malware decides whether to encrypt your data (ransomware) or to use your resources to mine cryptocurrency.

If there are cryptojackers running around in your environment, it should be a red flag that there are some definite weaknesses within your environment that need to be addressed.


For further reading on cryptojacking, have a look at the following articles: