Changes to Emotet in September 2019

Thank you to Ratnesh Pandey who also contributed to this research.

On 16 September 2019, Bromium Labs observed the resumption of Emotet malicous spam (malspam) campaign activity following a hiatus since the beginning of June 2019. Here’s a summary of the changes to Emotet’s operation that we’ve seen so far.

New Packer

We analysed a sample of Emotet binaries from the malware’s botnets (known as epochs) served in September 2019 and found that some of the binaries now use a different packer. The new packer is significantly larger, containing approximately two thousand functions compared to around 15 functions in the old packer. Using data from the Cryptolaemus research group, who have been doing exceptional research tracking Emotet’s activity, it is apparent that Emotet binaries packed using the new packer are not exclusive to any epoch.[1] For example:

SHA256	Packer	Filesize (bytes)	Epoch
45220f34796220c461e5aff0d9c716b55a1b5fcf55000f52cb2b51107c5d33c6	Old	346624	1
22bb4f5cedd169ef7f8a6b5b6b186c94ff79a5e61eb6bde90bd1032ccf4c7936	Old	346624	2
10b706cfac5a268938cbd87c67ad33a58fd9e99cb7ad7d3d4b76e306723019f6	Old	346624	2
f5af8586f0289163951adaaf7eb9726b82b05daa3bb0cc2c0ba5970f6119c77a	New	483328	1
1e079b99b841a9d317953b09d0af041105d4b0ce5c72f0727fb0e098393ad35d	New	483328	1
6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5	New	491520	2

Table 1 – Examples of Emotet binaries served in September 2019.

New Downloader Document Templates

Emotet’s operators use a variety of Microsoft Office templates to trick users into enabling a malicious Visual Basic for Applications (VBA) macro. The AutoOpen macro triggers the download and execution of an Emotet binary. So far in September, we’ve observed two types of document being used. The first type is a macro triggering a PowerShell download cradle, while the second is a macro that drops and runs a JScript (JSE) downloader using Windows Script Host (WScript). The most common document template we’ve observed in September 2019 is the use of a banner pretending to be a Microsoft Office license expiry notification (figure 1).

Figure 1 – One of the new document templates used in the Emotet Microsoft Word downloader.

The banner displays a date when Microsoft Word will supposedly expire (20 September 2019 in the example above), relying on a sense of urgency to convince users to click “Enable Content” and trigger the macro. The document templates are regularly updated and given the choice of date, it’s likely that the banner will be updated weekly. It is interesting that Friday rather than Sunday was chosen as the license expiry day, particularly because historically Emotet campaign activity has paused over weekends. One possibility is that because Emotet targets businesses rather than individuals, the rate of infection is significantly lower over weekends when most employees aren’t in the office, so perhaps Emotet’s operators simply don’t expect many users to infect themselves on their days off.

Multilingual Targeting

As observed in previous Emotet campaigns the emails are highly customised, enabling Emotet’s operators to socially engineer targets more effectively by translating subject lines, body content and attachment names into different languages and masquerading as popular regional online services. Across the Emotet samples isolated by Bromium Secure Platform this week, we’ve identified emails in English, Italian and German, determined by the location of the recipient. For example:

Date: Wed, 18 Sep 2019 11:03:02 -0600
From: Robin [Redacted] <damian.pirog@ctr[.]pl>
To: "[Redacted]" <[Redacted]@[Redacted].com>
Subject: RE: RE: [Redacted] Error Notification System- ACTION REQUIRED

Date: Wed, 18 Sep 2019 13:38:27 +0200
From: "[Redacted], Massimo (IT)" <dcedeno@hidrocaven[.]com>
To: "[Redacted]" <[Redacted]@[Redacted].com>
Subject: Re: R: FOLLETTO: Piano Certificazione Unica

Date: Wed, 18 Sep 2019 05:10:05 -0600
From: <cobranza1@mapisa[.]com[.]mx>
To: "[Redacted]" <[Redacted]@[Redacted].com>
Subject: Per E-Mail senden: EK 4957718-367 - September

The Emotet botnets send two types of spam email. The first type are emails designed to mimic common financial documents, such as invoices and purchase orders. These rely on eliciting a sense of curiosity in the recipient to cause them to open and run the Emotet downloader. So far in September, we’ve seen Microsoft Word DOCM and DOTM files delivered as attachments or hyperlinks.

The second type are emails that are replies to existing threads. These are more devious because at first glance the recipient may believe that the email is from the sender. This type of spam can occur when the sender’s computer has been infected by Emotet. One of Emotet’s post-infection actions is stealing the address book, credentials and emails from the victim’s email client and sending them to a command and control (C2) server. The stolen emails are used to construct more convincing spam, which are then sent from a subset of bots in one of the Emotet botnets to people that have previously corresponded with the victim.[2]

MIME Type Change in Server-side PHP Script (index.php)

Emotet binaries are hosted on compromised web servers that run PHP. There are only minor differences in the PHP script (index.php) used to serve the Emotet binary between a sample from May and September 2019.[3][4] The biggest change is in the HTTP GET request headers that are served when Emotet is downloaded. The MIME type of the served Emotet executable is now “application/x-msdownload” instead of “0”.

Figure 2 – Extract from Emotet index.php script from May 2019.

Figure 3 – Extract from Emotet index.php script from September 2019.

GetProcAddress for Invalid Function

Our previous analysis of Emotet binaries found that the loader tries to resolve an invalid function name through a call to GetProcAddress.[5] An analysis of Emotet samples from September 2019 found only the binaries packed using the old packer make a GetProcAddress call for an invalid function. In the samples that do make the API call, the name of the invalid function has changed.[6]

• June 2019:
  • mknjht34tfserdgfwGetProcAddress

• September 2019:
  • 99999934tfserdgfwGetProcAddress

Packer Registry Check

An analysis of Emotet binaries served in the September 2019 campaign found that only the binaries packed using the old packer check for a Registry key through a call to RegOpenKeyA, listed below. Previously, Emotet binaries analysed before the hiatus in spam campaigns in June 2019 contained the Registry check. Failing the Registry check (i.e. if the key does not exist, or cannot be read) causes the Emotet process to enter an infinite loop or terminate itself.[5]

• 32-bit systems:
  • HKEY_CLASSES_ROOT\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}

• 64-bit systems:
  • HKEY_CLASSES_ROOT\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F00A0C90DCAA9}

Conclusion

The most significant change in Emotet campaign activity that we’ve observed in September 2019 is the use of a new packer that is currently being used for some of the binaries. The tactics, techniques and procedures (TTPs) used by Emotet’s operators has not changed significantly from previous campaigns. It is possible that new features that may have been developed during the malware’s 10 week break may be gradually phased into production. What we can say for certain is that Emotet has proven itself to be one of the most resilient and professionally run botnets in recent years.

References

[1] https://twitter.com/cryptolaemus1?lang=en
[2] https://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/
[3] https://gist.github.com/riper81/5455fed0c6e5460b0b71d6d5c95f34ad/af90cc54690ba66b4a21575375aef14810a8f312
[4] https://github.com/cryptogramfan/Malware-Analysis/blob/master/Emotet/201909/index.php
[5] https://www.bromium.com/resource/emotet-a-technical-analysis-of-the-destructive-polymorphic-malware/
[6] For example, SHA256: d36ae7bf558a278579b47f00048f4995e377a022b74ad633981da7ad65f7c976, di1h6oots_767418872.exe.