Thank you to Ratnesh Pandey who also contributed to this research.
On 16 September 2019, Bromium Labs observed the resumption of Emotet malicous spam (malspam) campaign activity following a hiatus since the beginning of June 2019. Here’s a summary of the changes to Emotet’s operation that we’ve seen so far.
We analysed a sample of Emotet binaries from the malware’s botnets (known as epochs) served in September 2019 and found that some of the binaries now use a different packer. The new packer is significantly larger, containing approximately two thousand functions compared to around 15 functions in the old packer. Using data from the Cryptolaemus research group, who have been doing exceptional research tracking Emotet’s activity, it is apparent that Emotet binaries packed using the new packer are not exclusive to any epoch. For example:
Table 1 – Examples of Emotet binaries served in September 2019.
New Downloader Document Templates
Emotet’s operators use a variety of Microsoft Office templates to trick users into enabling a malicious Visual Basic for Applications (VBA) macro. The AutoOpen macro triggers the download and execution of an Emotet binary. So far in September, we’ve observed two types of document being used. The first type is a macro triggering a PowerShell download cradle, while the second is a macro that drops and runs a JScript (JSE) downloader using Windows Script Host (WScript). The most common document template we’ve observed in September 2019 is the use of a banner pretending to be a Microsoft Office license expiry notification (figure 1).
Figure 1 – One of the new document templates used in the Emotet Microsoft Word downloader.
The banner displays a date when Microsoft Word will supposedly expire (20 September 2019 in the example above), relying on a sense of urgency to convince users to click “Enable Content” and trigger the macro. The document templates are regularly updated and given the choice of date, it’s likely that the banner will be updated weekly. It is interesting that Friday rather than Sunday was chosen as the license expiry day, particularly because historically Emotet campaign activity has paused over weekends. One possibility is that because Emotet targets businesses rather than individuals, the rate of infection is significantly lower over weekends when most employees aren’t in the office, so perhaps Emotet’s operators simply don’t expect many users to infect themselves on their days off.
As observed in previous Emotet campaigns the emails are highly customised, enabling Emotet’s operators to socially engineer targets more effectively by translating subject lines, body content and attachment names into different languages and masquerading as popular regional online services. Across the Emotet samples isolated by Bromium Secure Platform this week, we’ve identified emails in English, Italian and German, determined by the location of the recipient. For example:
Date: Wed, 18 Sep 2019 11:03:02 -0600 From: Robin [Redacted] <[email protected][.]pl> To: "[Redacted]" <[Redacted]@[Redacted].com> Subject: RE: RE: [Redacted] Error Notification System- ACTION REQUIRED Date: Wed, 18 Sep 2019 13:38:27 +0200 From: "[Redacted], Massimo (IT)" <[email protected][.]com> To: "[Redacted]" <[Redacted]@[Redacted].com> Subject: Re: R: FOLLETTO: Piano Certificazione Unica Date: Wed, 18 Sep 2019 05:10:05 -0600 From: <[email protected][.]com[.]mx> To: "[Redacted]" <[Redacted]@[Redacted].com> Subject: Per E-Mail senden: EK 4957718-367 - September
The Emotet botnets send two types of spam email. The first type are emails designed to mimic common financial documents, such as invoices and purchase orders. These rely on eliciting a sense of curiosity in the recipient to cause them to open and run the Emotet downloader. So far in September, we’ve seen Microsoft Word DOCM and DOTM files delivered as attachments or hyperlinks.
The second type are emails that are replies to existing threads. These are more devious because at first glance the recipient may believe that the email is from the sender. This type of spam can occur when the sender’s computer has been infected by Emotet. One of Emotet’s post-infection actions is stealing the address book, credentials and emails from the victim’s email client and sending them to a command and control (C2) server. The stolen emails are used to construct more convincing spam, which are then sent from a subset of bots in one of the Emotet botnets to people that have previously corresponded with the victim.
MIME Type Change in Server-side PHP Script (index.php)
Emotet binaries are hosted on compromised web servers that run PHP. There are only minor differences in the PHP script (index.php) used to serve the Emotet binary between a sample from May and September 2019. The biggest change is in the HTTP GET request headers that are served when Emotet is downloaded. The MIME type of the served Emotet executable is now “application/x-msdownload” instead of “0”.
Figure 2 – Extract from Emotet index.php script from May 2019.
Figure 3 – Extract from Emotet index.php script from September 2019.
GetProcAddress for Invalid Function
Our previous analysis of Emotet binaries found that the loader tries to resolve an invalid function name through a call to GetProcAddress. An analysis of Emotet samples from September 2019 found only the binaries packed using the old packer make a GetProcAddress call for an invalid function. In the samples that do make the API call, the name of the invalid function has changed.
- June 2019:
- September 2019:
Packer Registry Check
An analysis of Emotet binaries served in the September 2019 campaign found that only the binaries packed using the old packer check for a Registry key through a call to RegOpenKeyA, listed below. Previously, Emotet binaries analysed before the hiatus in spam campaigns in June 2019 contained the Registry check. Failing the Registry check (i.e. if the key does not exist, or cannot be read) causes the Emotet process to enter an infinite loop or terminate itself.
- 32-bit systems:
- 64-bit systems:
The most significant change in Emotet campaign activity that we’ve observed in September 2019 is the use of a new packer that is currently being used for some of the binaries. The tactics, techniques and procedures (TTPs) used by Emotet’s operators has not changed significantly from previous campaigns. It is possible that new features that may have been developed during the malware’s 10 week break may be gradually phased into production. What we can say for certain is that Emotet has proven itself to be one of the most resilient and professionally run botnets in recent years.
 For example, SHA256: d36ae7bf558a278579b47f00048f4995e377a022b74ad633981da7ad65f7c976, di1h6oots_767418872.exe.
*** This is a Security Bloggers Network syndicated blog from Bromium authored by Alex Holland. Read the original post at: https://www.bromium.com/changes-to-emotet-in-september-2019/