Originally conceived of as banking malware more than eight years ago, Emotet today is among the malware that is most often used by ransomware and cybercriminal gangs. In fact, Emotet is experiencing something of a renaissance just months after a high profile effort, coordinated by InterPol, to take the malware down. In recent months, for example, Emotet was embraced by the Conti ransomware gang and used in many of that group’s recent attacks.
What makes Emotet a go-to malware for sophisticated cyber criminals? And what can organizations do to defend themselves from Emotet infections launched by Conti and other groups? In our most recent episode of the ConversingLabs Podcast, I sat down with two experts who have been taking a close look at Emotet in recent weeks: Dragan Damjanovic, who is a Threat Intelligence Manager at the Global SOC at KPMG and Dado Horvat, a Senior Threat Analyst at ReversingLabs.
Emotet’s origins date to 2014, when the malware first appeared as a banking Trojan. We don’t know exactly who is behind Emotet, but recent disclosures, including chat logs from the ransomware gang Conti, suggest that the group responsible for the malware operates out of Russia and countries of the former Soviet Union, Damjanovic told me.
Like any other business, Emotet has evolved to respond to changes in the marketplace. Over the last 8 years, that has meant steady feature development that has added botnet and dropper capabilities that opened up more lucrative turf as an arms supplier to ransomware and other cybercriminal gangs, Horvat said.
“What we’re seeing lately is that the primary objective of Emotet is not committing crime per se. The bigger income for them is reselling access and as a dropper for third party tools and payloads like Qbot.”
“Good enough” attacks work for Emotet
Eight years is an eternity in the information security space. Still, despite numerous changes in the Emotet business model, one thing hasn’t changed: Emotet’s reliance on large scale, lowest common denominator attacks as an avenue into sensitive IT environments.
Emotet’s operators use malicious email attachments, typically Microsoft Office documents like Word and Excel or ZIP archive files. Malicious commands embedded in XLS or XLM macros and scripts are used to download and install the malware from a proxy site, often disguised as DLL, PNG or JPEG files to evade detection.
That may sound like ham-fisted stuff in an age of sophisticated supply chain compromises like the kind used to compromise customers of Solar Winds and Kaseya - and it is. For one thing, Microsoft has taken a number of steps in recent years to blunt the effectiveness of macro-based attacks. That includes warnings about the risks of enabling macros in Office documents and the announcement on January 19 that it was disabling support for XLM macros in Microsoft Excel by default. (Read our analysis of that news here.)
But Emotet’s operators have always played a numbers game, said Horvat: sending massive waves of infected emails to thousands of users with confidence that a handful of recipients will take the bait, even if 99% don’t. “You only need a fraction of users to enable macros and start an infection chain,” Horvat said.
When he worked for a financial services company, Emotet campaigns were as regular as clockwork. “We’d see daily Emotet campaigns. Very precise. Very predictable,” he recalled. The Emotet group targeted campaigns to coincide with business hours for its victims. “You would not see Emotet emails arriving over the weekend or after business hours,” Horvat said.
Emotet’s second act
That changed after a concerted effort to take down the Emotet malware in early 2021 orchestrated by Europol and Eurojust. Authorities in the U.S, Canada as well as Netherlands, Germany, the United Kingdom, France, Lithuania, and Ukraine seized several hundred servers across the globe that were used to distribute, manage and control Emotet-infected computers.
But the respite from Emotet was short lived, Horvat and Damjanovic say. Within the year, Emotet’s owners were being urged by the leaders of the Conti ransomware group to get their business back online. Emotet’s takedown, it seems, left a hole in the market for an access broker to sensitive networks.
When the malware returned it was, for the most part, unchanged, Horvat and Damjanovic said. Developers changed up the encryption used by Emotet for its .config file and introduced some changes to frustrate reverse engineers who might attempt to analyze the malware, Damjanovic said. Still, many of the proxy servers and compromised sites used to push Emotet prior to the takedown continued to serve the malware.
Emotet’s reemergence also coincides with the appearance of Log4Shell, the Log4j vulnerability, which played a part in the malware’s resurgence, Damjanovic said.
“[Log4Shell] helped them a lot. When they first came back in November (2021) they only had five C2 (command and control) servers. Now they have more than 50.”
Organizations that are unlucky enough to be infected with Emotet are seeing it load instances of the dual-use, post-exploitation tool Cobalt Strike, said Damjanovic of KPMG. Cobalt Strike, in turn, is a precursor to ransomware attacks by Conti and other groups. “If you see Cobalt Strike on your network, it is not a good thing,” Damjanovic.
To stop Emotet: level up your threat analysis
To defend against Emotet, Horvat and Damjanovic said that organizations need to think holistically about the threat.
“When I worked at a financial institution, they were targeting something like 95 percent of our (email) address list,” Horvat recalled. With such a large target list, it was almost inevitable that one or more Emotet-laden emails would find their mark, he said. That wide net put a premium on user awareness, not to mention solid endpoint detection and network monitoring. First and foremost: drill it into your users’ heads that they should not enable macros on email attachments.
But that’s not enough. Damjanovic said that organizations should monitor for process creation from Excel, Word, Powerpoint or other Office applications to PowerShell, CMV, VBScript or other tools that are not typically used with an Office file.
Better threat detection is also key. Look for unusual traffic on behalf of specific, privileged users to domain controllers or from your network to command and control servers, Damjanovic advised. Of course, such monitoring requires that you know what the C2 servers are. Simply geolocating traffic to the former Soviet Union or other rogue nations won't allow you to spot malicious Emotet traffic leaving your network. That's because most of the command and control servers used with the malware are hosted on infrastructure in the U.S. or Europe, Horvat said.
Better threat intelligence helps here. Horvat said his previous employer would take Emotet samples from the inbound email, analyze them and develop a custom list of indicators of compromise (IOCs) that they could use to spot missed samples or active attacks.
In other words: organizations need to level-up their ability to analyze Emotet samples and leverage threat intelligence to help spot active threats within their own environment. With malicious infrastructure like proxies and command and control servers constantly shifting, organizations need to leverage information from both within their environment and a larger (global) community to stay ahead of Emotet, Conti and other threat actors.
Questions? Talk to ReversingLabs
ReversingLabs continuously improves its detection mechanisms to keep up to date with malware trends. That includes threats related to ransomware, wipers and other threats.
ReversingLabs' Titanium platform combines Explainable Machine Learning technology with static analysis to reliably identify and extract wipers, malware and other indicators at scale. That allows our customers to detect such threats in their environment quickly and before they allow malicious actors to extend their reach within compromised networks.
Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.
Watch ConversingLabs Episode 3: Emotet Unbound
To view the full conversation with Dragan Damjanovic, who is a Threat Intelligence Manager at the Global SOC at KPMG and Dado Horvat, a Senior Threat Analyst at ReversingLabs, check out the latest episode of ConversingLabs, our new podcast.