The chronicles of Emotet

[harlan4096]

 
Contents

• 2014
  
• June
  
• November
  
• December
  
• 2015
  
• January
  
• June
  
• 2016
  
• December
  
• 2017
  
• February
  
• April
  
• May
  
• June
  
• July
  
• August
  
• November
  
• 2018
  
• January
  
• April
  
• April 9
  
• April 14
  
• April 30
  
• June
  
• July
  
• August
  
• October
  
• October 12
  
• October 30
  
• November
  
• December
  
• 2019
  
• March
  
• March 14
  
• March 20
  
• April
  
• May
  
• November
  
• February
  
• February 6
  
• February 7
  
• July
  
• Conclusion
  
• IOC
  
• Most active C&Cs in November 2020:
  
• Links to Emotet extracted from malicious documents
  
• MD5s of malicious Office documents downloading Emotet
  
• MD5s of Emotet executable files
  

More than six years have passed since the banking Trojan Emotet was first detected. During this time it has repeatedly mutated, changed direction, acquired partners, picked up modules, and generally been the cause of high-profile incidents and multimillion-dollar losses. The malware is still in fine fettle, and remains one of the most potent cybersecurity threats out there. The Trojan is distributed through spam, which it sends itself, and can spread over local networks and download other malware.

All its “accomplishments” have been described thoroughly in various publications and reports from companies and independent researchers. This being the case, we decided to summarize and collect in one place everything that is currently known about Emotet.

2014

June

Emotet was first discovered in late June 2014 by TrendMicro. The malware hijacked user banking credentials using the man-in-the-browser technique. Even in those early days, the malware was multicomponent: browser traffic was intercepted by a separate module downloaded from the C&C server. Its configuration file with web injections was also loaded from there. The banker’s main targets were clients of German and Austrian banks, and its main distribution vector was spam disguised as bank emails with malicious attachments or links to a ZIP archive containing an executable file.

November

In the fall of 2014, we discovered a modification of Emotet with the following components:

• Module for modifying HTTP(S) traffic
  
• Module for collecting email addresses in Outlook
  
• Module for stealing accounts in Mail PassView (a password recovery tool)
  
• Spam module (downloaded additionally as an independent executable file from addresses not linked to C&C)
  
• Module for organizing DDoS attacks
  

We came across the latter bundled with other malware, and assume that it was added to Emotet with a cryptor (presumably back then Emotet’s authors did not have their own and so used a third-party one, possibly hacked or stolen). It is entirely possible that the developers were unaware of its presence in their malware. In any event, this module’s C&C centers were not responsive, and it itself was no longer updated (compilation date: October 19, 2014).

In addition, the new modification had begun to employ techniques to steal funds from victims’ bank accounts automatically, using the so-called Automatic Transfer System (ATS). You can read more about this modification in our report.

December

The C&C servers stopped responding and the Trojan’s activity dropped off significantly.

2015

January

In early 2015, a new Emotet modification was released, not all that different from the previous one. Among the changes were: new built-in public RSA key, most strings encrypted, ATS scripts for web injection cleared of comments, targets included clients of Swiss banks.

June

The C&C servers again became unavailable, this time for 18 months. Judging by the configuration file with web injects, the Trojan’s most recent victims were clients of Austrian, German and Polish banks.

2016

December

Emotet redux: for the first time in a long while, a new modification was discovered. This version infected web-surfing victims using the RIG-E and RIG-V exploit kits. This distribution method was not previously used by the Trojan, and, fast-forwarding ahead, would not be employed again. We believe that this was a trial attempt at a new distribution mechanism, which did not pass muster with Emotet’s authors.

The C&C communication protocol in this modification was also changed: for amounts of data less than 4 KB, a GET request was used, and the data itself was transmitted in the Cookie field of the HTTP header. For larger amounts, a POST request was used. The RC4 encryption algorithm had been replaced by AES, with the protocol itself based on a slightly modified Google Protocol Buffer. In response to the request, the C&C servers returned a header with a 404 Not Found error, which did not prevent them from transmitting the encrypted payload in the body of the reply.

The set of modules sent to the Trojan from C&C was different too:

• Out was the module for intercepting and modifying HTTP(S) traffic
  
• In was a module for harvesting accounts and passwords from browsers (WebBrowserPassView)
  

...

Continue Reading