Emotet Evolution: The Spreader Gets Integrated

Tuesday, September 5, 2017
Introduction

On July 19, 2017 we wrote about the incorporation of a spreader component into the popular Emotet downloader. Just a short while later, a volume spam campaign was initiated that delivered Emotet with further modifications from the samples that we had analyzed. This post documents the changes we have observed.

Key Findings
  • Emotet now uses a modular framework to load the network spreader component, which was previously delivered as a separate package.
  • This makes it both easier for Emotet to deploy the spreader component and more difficult to detect, since the spreader runs from the Emotet process space without necessarily touching disk.
Campaigns

After a short hiatus, Emotet has recently resurfaced with an updated version of its previously documented loader(1,11). On 24 July 2017, a massive spam campaign kicked off using a different version of Emotet than had previously been seen. One interesting change observed in this campaign is that the network spreader malware was no longer delivered as a separate component, but was instead delivered as a DLL whose strings are encoded with the same string encoding as Emotet itself.

Emotet

This version of Emotet, like the previous one written about by Cert-PL(1), has a very similar C2 structure with a few minor changes.

  1. The first change relates to the botId that is generated. It uses a format similar to the one explained previously(1), with these exceptions:

[host_name]_[volume_SN]

  • host_name can no longer contain the '-' character
  • the locale or country code is no longer included

Figure 1 BotId

  2. For the C2 protocol itself, the bot still uses Google Protocol Buffers(6), but the protobuf definition has been slightly changed. Two fields have been added to the registration request data sub-message:

syntax="proto2";

message regrequest {
    required int32 command = 1;
    required string botId = 2;
    required fixed32 osVersion = 3;
    required fixed32 crc32 = 4;
    required string procList = 5;
    required string mailClient = 6;
    required string unknown = 7;
}

  The two additions are a CRC hash of the exe file on disk and a string field that was empty in the sample we analyzed. Also worth noting is that the mailClient string was empty, which may indicate its use for other functionality. The CRC hash is interesting: if the hash does not match, the C2 response delivers a new Emotet binary. This could be an easy way for updates to spread more rapidly. The binaries appeared to be repacked/recrypted roughly every 2-4 hours.
  3. The sub-messages themselves are also compressed: before being put into their wrappers they are ZLIB compressed. This is the case not only for the registration request but also for the decoded responses from the C2, as can be seen from the ZLIB header (0x78 0x9c) that appears in the decoded data after the first 4 bytes.

Figure 2 Compressed Response Data
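The registration sub-message, its ZLIB wrapping and the CRC field described above, as an added Python example that is not code from this post or from Emotet: a hand-written encoder/decoder for the regrequest wire format (so no protobuf package is needed), the 4-byte-prefix-plus-ZLIB wrapper, and the header check a decoder can use to recognise wrapped sub-messages in decoded C2 data. All sample values are constructed, and the 4-byte prefix is assumed to be a little-endian length; the post only states that the ZLIB header follows the first 4 bytes.

```python
import struct
import zlib

# Field numbers and wire types of the regrequest message shown above
# (0 = varint, 2 = length-delimited, 5 = fixed32), hand-coded so the example
# does not depend on the protobuf package.
REGREQUEST_FIELDS = {1: ("command", 0), 2: ("botId", 2), 3: ("osVersion", 5),
                     4: ("crc32", 5), 5: ("procList", 2), 6: ("mailClient", 2),
                     7: ("unknown", 2)}

# Constructed sample values (not taken from a real sample). botId follows the
# [host_name]_[volume_SN] format; mailClient and the new string field are
# left empty, as the post reports for the analysed sample.
SAMPLE_REQUEST = {"command": 16, "botId": "WORKSTATION01_A1B2C3D4",
                  "osVersion": 0x0601, "crc32": 0xDEADBEEF,
                  "procList": "explorer.exe,svchost.exe",
                  "mailClient": "", "unknown": ""}

def encode_varint(value):
    """Base-128 varint encoding of a non-negative integer."""
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_varint(buf, pos):
    """Decode a varint at buf[pos]; returns (value, position after it)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def encode_regrequest(fields):
    """Serialise a regrequest dict to proto2 wire format (every field required)."""
    out = bytearray()
    for num, (name, wire_type) in REGREQUEST_FIELDS.items():
        value = fields[name]
        out += encode_varint((num << 3) | wire_type)
        if wire_type == 0:      # int32: negative values are sign-extended to 64 bits
            out += encode_varint(value & 0xFFFFFFFFFFFFFFFF)
        elif wire_type == 5:    # fixed32: 4 little-endian bytes
            out += struct.pack("<I", value & 0xFFFFFFFF)
        else:                   # string: varint length prefix, then UTF-8 bytes
            data = value.encode("utf-8")
            out += encode_varint(len(data)) + data
    return bytes(out)

def decode_regrequest(buf):
    """Parse wire-format bytes back into a dict, naming fields via the table above."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        num, wire_type = key >> 3, key & 7
        if wire_type == 0:
            value, pos = decode_varint(buf, pos)
            if value & (1 << 63):
                value -= 1 << 64
        elif wire_type == 5:
            value, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        elif wire_type == 2:
            length, pos = decode_varint(buf, pos)
            value, pos = buf[pos:pos + length].decode("utf-8"), pos + length
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields[REGREQUEST_FIELDS.get(num, ("field_%d" % num,))[0]] = value
    return fields

def wrap_submessage(sub_message):
    """ZLIB-compress a sub-message and prepend 4 bytes. Assumption (the post only
    says the ZLIB header follows the first 4 bytes): the prefix is an LE length."""
    compressed = zlib.compress(sub_message)   # default level writes the 0x78 0x9c header
    return struct.pack("<I", len(compressed)) + compressed

def has_zlib_header_at_offset_4(blob):
    """The check from the post: ZLIB header 0x78 0x9c right after the first 4 bytes."""
    return len(blob) >= 6 and blob[4:6] == b"\x78\x9c"

def unwrap_submessage(blob):
    """Strip the 4-byte prefix and inflate the ZLIB stream."""
    if not has_zlib_header_at_offset_4(blob):
        raise ValueError("no ZLIB header at offset 4; not a wrapped sub-message")
    return zlib.decompress(blob[4:])

def file_crc32(data):
    """CRC-32 of the on-disk executable, the value carried in field 4."""
    return zlib.crc32(data) & 0xFFFFFFFF

def roundtrip(fields):
    """Encode, wrap, unwrap and decode; returns the recovered field dict."""
    return decode_regrequest(unwrap_submessage(wrap_submessage(encode_regrequest(fields))))
```

`roundtrip(SAMPLE_REQUEST)` returns the same dict it was given, and `has_zlib_header_at_offset_4` is the cheap first-pass test to run over decoded C2 data before handing it to the decoder; `file_crc32` over the bytes of the executable on disk gives the value a bot would place in field 4, which is also the value a defender can compare against to see whether a captured registration belongs to a known binary.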


Emotet Network Spreader

This new version of the spreader component has a number of changes compared to the SFX RAR package we previously blogged about(11).

  • Now comes as a DLL
  • Involves code reuse from Emotet
  • Designed as a module

The first change is that the spreader code is no longer shipped in a package format intended to be delivered separately, but is now a DLL. This transition is noteworthy because it indicates a move from a package delivery method to a module-based approach, where each module runs inside the same address space as Emotet.

Modularity

The first three modules are the same as those described in other reports(1): MailPassView, BrowserPassView and the module that interacts with Outlook. The new DLL, however, is much smaller than the others. It uses the same code as Emotet to rebuild its imports and to kick off its main code loop through a callback function passed to CreateTimerQueueTimer(7).

Figure 3 Code re-use on main loop callback


It also uses the same string encoding routine as Emotet.

Figure 4 Code re-use string decoding


These code similarities demonstrate the move to a modular mechanism. This is borne out later in the code, when the bot retrieves the current process's filename on disk; that path is later used to copy the file from the current system to the remote system when spreading. This only works because the DLL is intended to be run from the same process memory space as Emotet.

Figure 5 Get process file name


After this, the module obtains the currently logged-in user's session with WTSGetActiveConsoleSessionId and its token with QueryUserToken, then calls ImpersonateLoggedOnUser so that subsequent API calls execute as the currently logged-in user, before kicking off the recursive function that enumerates network resources.

Figure 6 Setup to start enumerating network


This network resource enumeration is done in the same manner as previously discussed, but this time the module first attempts to connect to the remote resource as the currently logged-on user before falling back to the bruting portion of the code.

Figure 7 Try to connect as currently logged on user


Password bruting

The bruting code is very similar to that of the previous package: it enumerates available logons and uses an onboard password list. If all of these attempts fail, it moves on to attempting to brute the Administrator account on the remote system. The biggest difference here is the more extensive password list, which when decoded is 1000 passwords in length. Choosing to include 1000 passwords seemed odd, but after a bit of searching it appears the list is the top 1000 entries from a publicly available password list on GitHub(8).

After a successful login, the spreader code attempts to copy a file onto the newly connected resource. As previously mentioned, this differs from the previous SFX package: this new modularized version copies the file associated with the process the module is running within onto the new system.

Figure 8 Copy file over


As with the previous version, a service is set up and started on the remote system in order to execute the file. But instead of having a filename and service name hardcoded into the bot, it simply uses GetTickCount and an swprintf call to generate the names of both the exe and the service that will be created on the remote system.

Figure 9 Create a random file name and service name

Decompiling this routine and cleaning it up gives an overview of the name generation that should make things clearer.

Figure 10 File name and service name generation overview

Conclusion

Spreading appears to be the new in thing for 2017: a spreader module was recently added to TrickBot(9), and other researchers have documented even more additions(10). Perhaps it would be better to call this summer the summer of coding for malware development.

I would like to thank researchers Joshua Platt and Brett Stone-Gross for their collaboration efforts on this research.

 -- Jason Reaves

IOCs
7f1d13cd17fbdda32327f49c3aec6af60ee493b92b779cee0ea72377715059c6 Emotet
090a6330536b99a809f7a5d10f99262d62a3a71ea9bd28fca23c936069c4d5e4 Emotet
80d255de0c67759b592c072db8153f84d22f78226e1014720010f49739f7b63f Emotet
48f3c89ea2f1e3190ae00f7ac7243ddb752364c076b40afc049424c6a0f75443 Emotet
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Emotet (note: this value is the SHA-256 of zero-length input, so it will not match any real file)
ef03d465416972121479f4d97fe1a0786795d09f758d1dd243bbd99f0de1600c BrowserPV Module
b2b5893bcf4d30857a6400bdfefd532577e2b854a816fbe29c5eced201f48b21 MailPV Module
e549008d40565e849af025f5b8681cdf4087c7cd221830f11bcacd62cab41ddb Outlook Module
ab1b89038f83f73ee498e907862c06cd4c56ef9f5fa862683347cfb222abb1f9 Spreader Module
178.79.132.214:443 Emotet C2
192.81.212.79:443 Emotet C2
74.208.17.10:8080 Emotet C2
93.180.157.92:443 Emotet C2
178.62.175.211:443 Emotet C2
164.132.50.32:8080 Emotet C2
173.212.192.45:8080 Emotet C2
80.252.107.173:8080 Emotet C2
192.241.222.53:443 Module C2
185.82.23.28:443 Module C2


References:
  1. https://www.cert.pl/en/news/single/analysis-of-emotet-v4/
  2. https://blog.fortinet.com/2017/05/09/deep-analysis-of-new-emotet-variant-part-2
  3. https://msdn.microsoft.com/en-us/library/windows/desktop/ms694363(v=vs.85).aspx
  4. https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/
  5. https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows
  6. https://developers.google.com/protocol-buffers/
  7. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682485(v=vs.85).aspx
  8. https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/10_million_password_list_top_1000000.txt
  9. https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/
  10. https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/
  11. https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader