Threat Research

New Emotet Report Details Threats From One of the World’s Most Successful Malware Operations

By FortiGuard SE Team | November 13, 2019

Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as “Emotet” as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper. Also view the FortiGuard Playbook Viewer detailing this campaign mapped to MITRE’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) model.

EMOTET

Emotet was first discovered in 2014 as a “simple” banking Trojan aimed at stealing financial data. Simple is in quotes because, over time, it has not only evolved into a botnet but also added modularity, such as the ability to deliver malware using worm-like capabilities. This is why the US Department of Homeland Security has identified it as “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”

Emotet is still highly active, and its daily activity is noted not only by the organizations affected by this pervasive threat, but by researchers and first responders worldwide trying to understand the latest additions and attack methodologies the Emotet authors have added to their war chest. This latest playbook focuses on a specific Emotet attack campaign that FortiGuard Labs has observed as recently as a few weeks ago. While this playbook is not meant to be an exhaustive analysis of Emotet, as that would be impossible due to time constraints, but it does serve as a small glimpse into an otherwise impressive campaign of criminal behavior.

History

Emotet was first documented by FortiGuard Labs’ own Joie Salvio, who was at Trend Micro at the time. The infection vector was simple – it was delivered via social engineering techniques, such as malspam, with a link to a malicious download. The resulting download contained two payloads: one was a configuration file that contained a list of predetermined banks. The other was a DLL file that could be injected into various processes to intercept outbound network traffic and as well as gather details within a web browser.

The first iteration of Emotet relied on corrupting the registry of a targeted devices, and it continues to do so as a method of evasion as any exfiltrated data is encrypted and stored in the registry. Not only is this method highly effective in thwarting discovery, it allows the attackers to maintain persistence on the targeted machine due to the complexity of finding any indicators of compromise.

Emotet is part of a group that includes – and is loosely related to – the Bugat/Feodo/Geodo/Heodo/Cridex/Dridex malware banking families that have had their fair share of publicity over the span of several years due to their widespread and destructive campaigns. Over the past several years, Emotet has also been seen distributing AZORult, IcedID, ZeuS Panda, and TrickBot. Emotet has now gained the serious attention of the AV industry, law enforcement, and researchers alike for its ability to simultaneously include multiple malware families in its distribution syndicate.

For a malware campaign to be successful over the long term, malware authors have to continuously update its codebase and attack vectors on a regular basis to thwart detection and remediation. This is akin to a full time job, and although we don't have any evidence to the inner workings of the criminals behind Emotet, it is evident that those behind these attacks treat it like a highly successful business, with a team of dedicated developers and project leaders, with the only difference being that it is an illegal criminal enterprise. Because of the sheer number of attacks, along with the large footprint this current campaign has, it cannot be discounted that this group is being run with the precision of a well-disciplined criminal enterprise. It is also possible that the developers and leaders behind this may have previously been professionals in the information security space, and may also have the backing of a criminal enterprise involved in nefarious lucrative activities in order to sustain and support such an endeavor.

Technical Details

This latest variant of Emotet is spread via automated social engineering techniques, primarily through email. As previously reported by several vendors, Emotet hijacks and inserts malicious email into legitimate email threads to appear more trustworthy to the recipient. It is not unheard of for email threads to suddenly change topics and Emotet utilizes that human penchant for going on tangents to change the subject to something else, perhaps an update to an outstanding invoice.

Contained within the body of one of these emails is a zip file attachment that contains an infected Word document (SHA-256: c58f07f84d6aae485416683e5515b39bc39349e69bc14629440e693da23d6c4d) with a malicious macro that calls PowerShell. The Base64 encoded PowerShell command the downloads a payload located at one of the following destinations:

hxxp://www[.]eteensblog[.]com/2tgmnk/fJZIPCYV/
hxxp://www[.]palisek[.]cz/wp-includes/YtgJbWQNtJ/
hxxp://www[.]mnminfrasolutions[.]com/wp-admin/zeteXeJYC/
hxxp://abbasargon[.]com/wp-admin/sqhztj4_dzq3e-019802155/
hxxps://weiqing7[.]com/ex6/3r2js_ocgr3bew87-538460/

Once downloaded, the payload is saved as "%CSIDL_PROFILE%\897.exe" (SHA-256: 1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027). This example is taken from a fairly new Emotet sample had been recently been compiled – as of the time of this writing – on Fri Oct 04 17:25:03 2019 GMT. The file reaches out the to the following URIs:

hxxp://172.105.11.15:8080/img/window/
hxxp://91.121.116.137:443/child/
hxxp://80.79.23.144:443/site/between/add/merge

Emotet also practices operational security and uses custom REQUEST headers:

Referrer: hxxp://[IP address of C2 SERVER]/[dir1]/[dir2]/…
DNT: 1

Do Not Track (DNT) was a proposed HTTP header field, since abandoned, which was designed to allow internet users to opt-out of tracking by websites that collected user data, including a user’s previous website visits and activity. We aren't sure what the purpose of this is within Emotet, but it is perhaps an effort by the attackers to shield their activities and connections to their C2 servers, though we can’t be entirely certain.

The file then copies itself to different locations such as: 

%CSIDL_PROFILE%\AppData\Local\msptermsizes\msptermsizes.exe
%CSIDL_SYSTEM%\hanskds.exe

Afterwards, it may create a service under the name of "hanskds" with the following details:

name: hanskds
display name: hanskds
startup type: automatic
description: Indexes the contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.

Another recently discovered Emotet file (SHA256: 9A0A40DAD123B16C404EB3B786E72AC8F3A4EBAF9E8A14682977C69FFF4F379E) exhibits similar behavior, and has a similarly recent compilation timestamp of Fri Oct 04 18:21:32 2019 GMT, which is only an hour after the first Emotet file described above was compiled.

Having two separate files makes sense for an attacker, as it provides a failsafe should the other file be detected, thereby improving their chances of another attempt at the infection routine.

Aside from the already mentioned C2 servers, others may also be called, including:

hxxp://190.108.228.48:990/symbols/free/img/merge/
hxxp://172.105.11.15:8080/child/enabled
hxxp://91.121.116.137:443/taskbar/glitch/add/
hxxp://80.79.23.144:443/chunk/child/add
hxxp://138.201.140.110:8080/site/img/add/merge/
hxxp://95.128.43.213:8080/xian/nsip/add/merge/
hxxp://190.228.72.244:53/stubs/sess/add/merge/
hxxp://185.94.252.13:443/usbccid/prep/add/merge/
hxxp://37.157.194.134:443/forced/
hxxp://45.79.188.67:8080/guids/attrib

Finally, we also observed the following Emotet campaign downloading Trickbot: [SHA256: 7c06d1f53ccc14d4548b595f7c9afddf07be9c7a799e7a55a671cdf95e27bdca], which also contains a similarly recent timestamp of Fri Oct 04 04:40:28 2019 GMT, suggesting this is also a fresh new campaign.

Global Spread

Footprint for this specific Emotet campaign

Looking at the IP address locations for the related attacks we observed, we can see that, for this specific campaign, Emotet’s footprint is worldwide and does not discriminate based on locale. This is evidenced in the above chart as well as in the data provided below for the specific IP addresses that make up the Emotet back end. The following sections will highlight and provide further insight into the command and control portion of these latest campaigns.

37.157.194.134 (Czech Republic)

The following IP address 37.157.194.134, which is associated with the following SHA256 [9A0A40DAD123B16C404EB3B786E72AC8F3A4EBAF9E8A14682977C69FFF4F379E], calls back to a server located in the Czech Republic.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers.

Top 5 Countries by Visit

The chart below represents a timeline of observed activity that correlates with the recent run we’ve been observing:

45.79.188.67 (United States)

The following IP address, 45.79.188.67, which is associated with the following SHA256 [9A0A40DAD123B16C404EB3B786E72AC8F3A4EBAF9E8A14682977C69FFF4F379E], calls back to a server located in Newark, New Jersey, in the United States.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers.

Top 5 Countries by Visit

Another interesting observation is that we also detected a spike in activity six months prior, in May:

80.79.23.144 (Czech Republic)

The following IP address, 80.79.23.144, which is associated with the following SHA256 [9A0A40DAD123B16C404EB3B786E72AC8F3A4EBAF9E8A14682977C69FFF4F379E], calls back to a server located in Prague, in the Czech Republic.

Historical information for this IP address reveals that this IP address was associated back in 2014 with Sality and Virut malware families. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers.

Top 5 Countries by Visit

The chart below represents a timeline of observed activity that correlates with the recent run we’ve been monitoring:

85.54.169.141 (Spain)

The following IP address 85.54.169.141, which is associated with the SHA256 [DD8B16641395CD00AC9E03B93B02F61F51A79D7DF70B736D567A9C11175E4C55], calls back to a server located in Madrid, Spain.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers.

Top 5 Countries by Visit

The chart below represents a timeline of observed activity that correlates with the recent run we’ve seen:

95.128.43.213 (France)

The following IP address of 95.128.43.213, which is associated with the following SHA256 [DD8B16641395CD00AC9E03B93B02F61F51A79D7DF70B736D567A9C11175E4C55], calls back to a server located in France.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers.

Top 5 Countries by Visit

We have observed that activity at this IP address has been very active over the past 12 months, especially in April, along with a spike in activity over the past few weeks:

138.201.140.110 (Germany)

The following IP address 138.201.140.110, which is associated with the following SHA256 [DD8B16641395CD00AC9E03B93B02F61F51A79D7DF70B736D567A9C11175E4C55], calls back to a server located in Germany.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers.

Top 5 Countries by Visit

We can see that activity at this IP address has been very active over the past 12 months.

172.105.11.15 (United States)

The following IP address, 172.105.11.15, is associated with the following SHA256 [c58f07f84d6aae485416683e5515b39bc39349e69bc14629440e693da23d6c4d, 1D51D8E9AE1D67CB804FB28024B04969FD5888C3BEFECE09547E5506EE946027, 9A0A40DAD123B16C404EB3B786E72AC8F3A4EBAF9E8A14682977C69FFF4F379E, DD8B16641395CD00AC9E03B93B02F61F51A79D7DF70B736D567A9C11175E4C55], and calls back to a server also located in New Jersey, United States.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers. Interestingly enough, this IP address is hosted using the same ISP as 45.79.188.67, previously mentioned and also located in New Jersey, United States.

Top 5 Countries by Visit

The chart below represents a timeline of observed activity that correlates with the recent run we’ve seen:

190.108.228.48 (Argentina)

The following IP address 190.108.228.48 ,which is associated with the following SHA256 [9A0A40DAD123B16C404EB3B786E72AC8F3A4EBAF9E8A14682977C69FFF4F379E], calls back to a server located in Argentina.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers.

Top 5 Countries by Visit

The chart below represents a timeline of observed activity that correlates with the recent run we’ve seen:

91.121.116.137 (France)

The following IP address 91.121.116.137, which is associated with the following SHA256 samples

[9A0A40DAD123B16C404EB3B786E72AC8F3A4EBAF9E8A14682977C69FFF4F379E, c58f07f84d6aae485416683e5515b39bc39349e69bc14629440e693da23d6c4d, 1D51D8E9AE1D67CB804FB28024B04969FD5888C3BEFECE09547E5506EE946027, DD8B16641395CD00AC9E03B93B02F61F51A79D7DF70B736D567A9C11175E4C55], calls back to a server located in France.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address.

OSINT searches reveal that this IP address is blacklisted by various Emotet trackers. Interestingly, enough, this IP address is hosted with the same ISP as the previously mentioned 91.121.116.134, also located in France.

Top 5 Countries by Visit

The chart below represents a timeline of observed activity that correlates with the recent run we’ve seen:

190.228.72.244 (Argentina)

The following IP address 190.228.72.244, which is associated with the following SHA256 samples [9A0A40DAD123B16C404EB3B786E72AC8F3A4EBAF9E8A14682977C69FFF4F379E, and DD8B16641395CD00AC9E03B93B02F61F51A79D7DF70B736D567A9C11175E4C55], call back to a server located in Argentina.

Historical information for this IP address is minimal, meaning that we have not seen any prior usage based on our own telemetry or other OSINT data for this specific IP address. OSINT searches reveal that this IP address is blacklisted by various Emotet trackers.

Top 5 Countries by Visit

The chart below represents a timeline of observed activity that correlates with the recent run we’ve seen:

Conclusion

As outlined above, this specific global campaign only scratches the surface of Emotet, specifically with the samples analyzed and infrastructure observed by us. This single campaign we’ve observed utilizes what is essentially a little over a dozen command and control servers located around the world. Due to the sheer amount of uncountable number of samples, and network IOC’s seen on a daily basis by researchers and organizations tracking Emotet worldwide, there is no doubt that Emotet is one of the most impactful malware campaigns of our time. What first started out as a “simple” banking Trojan has become not only one of the most dangerous and complex botnets of recent memory, but has also persistently evolved with the times to stay highly relevant.

Fortinet has AV coverage in place for all (16) samples observed in this campaign:

Malicious Word Documents

VBA/Agent.3862!tr.dldr
VBA/Agent.NVE!tr
VBA/Agent.F3D4!tr.dldr

Emotet

W32/GenKryptik.DUMV!tr
W32/Packed.FVW!tr
Malicious_Behavior.SB
W32/Kryptik.GXIK!tr
W32/GenKryptik.DVLJ!tr

Trickbot

W32/Kryptik.GWZG!tr

All network IOC’s have also been blacklisted by the FortiGuard Web Filtering client.

References

The following are useful resources of information about Emotet for first responders and defenders, as well as anyone interested in tracking worldwide Emotet activity. These sites are also useful for first time researchers and casual observers alike to get a better understanding of the sheer amount of data that is attributed to Emotet and its infrastructure.

Cryptolaemus -  This team is comprised of many well-known security professionals who are passionate about tracking Emotet. This site contains highly useful IOCs that are provided free of charge. It also provides the casual observer with insight into the sheer amount of Emotet IOCs discovered on a daily basis.

feodotracker.abuse.ch – Feodo Tracker is a project of abuse.ch, with the goal of sharing botnet C&C servers associated with the Feodo malware family (including Dridex, and Emotet/Heodo). It offers various blocklists, helping network owners to protect their users from Dridex and Emotet/Heodo. It also contains Trickbot related campaigns.

For further information regarding the samples used in our research, including indicators of compromise that have been analyzed and mapped according to the specifications of the MITRE ATT&CK framework, please refer to our Playbook Viewer on Emotet here.

Note: MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.