Emotet Update

Tuesday, May 1, 2018
A review of the current state of the Emotet Spreader

Last year Fidelis Cybersecurity posted an update to our previous research on the Emotet spreader module(7). Our analysts continue to monitor this threat, and due to ongoing Emotet activity the Fidelis Threat Research Team recently dedicated some time to checking out an updated sample.

We decided to do a full breakdown of the malware and its modules to verify whether the C2 protocols were the same and also to release updated technical data to the community. While reversing the modules, we noticed the spreader module looked different; this blog covers the modifications we uncovered during our analysis of the updated Emotet malware.

Emotet Network Spreader

For starters, the new sample was larger than it was when last analyzed. A change in size typically indicates alteration. Once we dug in, we realized the new version is identical to the previous version except for two key differences:

  • Emotet now comes with NetPass.exe onboard
  • Strings have been obfuscated instead of encoded

While the spreader still comes with an onboard password list(9), it also now comes with two embedded and XOR-encoded EXE files. After decoding the files we can see that they are the 32-bit and 64-bit versions of NetPass.exe(8), which will be executed with the argument ‘/stab’ in order to dump any stored network passwords on the system. This is a crude addition, similar to their usage of other NirSoft utilities as modules, which allows additional passwords to be utilized as the malware spreads around the network. This technique also capitalizes on any potential password reuse across accounts.

Most of the strings in this spreader module are obfuscated instead of encoded; the other modules have encoded strings, similar to how Emotet encodes its strings[11]. The exception is that the onboard password list is still stored encoded.

Emotet Administrator string

The above is an example where we can see the string ‘Administrator’ loaded in chunks.

>>> binascii.unhexlify('41646d696e6973747261746f72')
'Administrator'


Strings used to create file names and service names are similarly obfuscated.

Emotet deobfuscate h1n1 strings

Instead of manually typing this out, we can reuse the technique for deobfuscating H1N1 strings, since H1N1 hides its strings in a similar way. This involves using the unicorn emulator(10) from Python.

import binascii
from unicorn import *
from unicorn.x86_const import *

STACK = 0x90000
code_base = 0x10000000
mu = Uc(UC_ARCH_X86, UC_MODE_32)

# One page for the code, two pages for a fake stack frame.
mu.mem_map(code_base, 0x1000)
mu.mem_map(STACK, 4096*2)

# The 'mov [ebp-XX], imm32' sequence lifted from the spreader module.
complete = "c745e425007500c745b425007300c745b825007300c745bc5c002500c745c075002e00c745c465007800c745c865000000c78578ffffff22002500c7857cffffff73005c00c7458025007500c745842e006500c7458878006500c7458c22002000c745902d002500c7459463000000c745dc5c004300c745e024000000c745cc5c004100c745d044004d00c745d449004e00c745d824000000c745ec43003a00c7459825005300c7459c79007300c745a074006500c745a46d005200c745a86f006f00c745ac74002500"
code = binascii.unhexlify(complete)
mu.mem_write(code_base, b'\x00'*0x1000)
mu.mem_write(STACK, b'\x00'*(4096*2))
mu.mem_write(code_base, code)
# Point EBP (and EDI) at the fake frame so the stores land in mapped memory.
mu.reg_write(UC_X86_REG_EBP, STACK+4096)
mu.reg_write(UC_X86_REG_EDI, STACK+4096)
mu.emu_start(code_base, code_base + len(code))
a = mu.mem_read(STACK, 4096*2)
# The stores build UTF-16LE strings; dropping the null bytes gives the
# ASCII view shown below.
print(bytes(a).replace(b'\x00', b'').decode('ascii', 'replace'))
mu.mem_write(STACK, b'\x00'*(4096*2))

 

This gives us an output of the strings previously built, which also lines up with strings we have previously seen in the Emotet spreader module.

"%s\%u.exe" -%c%SystemRoot%%s%s\%u.exe\ADMIN$\C$%uC:
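The same stores can also be replayed statically, without an emulator, by decoding the 'mov [ebp+disp], imm' encodings directly. This is an added example written for this post, not the original analysis script; it reuses the byte sequence from above and recovers each string together with the frame offset it was built at, instead of the null-stripped concatenation.

```python
import struct

# The 'mov [ebp+disp], imm32' byte sequence from the spreader (the same bytes
# fed to unicorn above), wrapped here for readability.
CHUNK_CODE = bytes.fromhex(
    "c745e425007500c745b425007300c745b825007300c745bc5c002500c745c075002e00"
    "c745c465007800c745c865000000c78578ffffff22002500c7857cffffff73005c00"
    "c7458025007500c745842e006500c7458878006500c7458c22002000c745902d002500"
    "c7459463000000c745dc5c004300c745e024000000c745cc5c004100c745d044004d00"
    "c745d449004e00c745d824000000c745ec43003a00c7459825005300c7459c79007300"
    "c745a074006500c745a46d005200c745a86f006f00c745ac74002500"
)

def rebuild_stack_strings(code: bytes) -> dict:
    """Replay 'mov [ebp+disp], imm' stores statically and return the UTF-16LE
    strings they assemble, keyed by EBP-relative offset. Handles C7 (dword,
    or word with a 66h prefix) and C6 (byte) stores addressed as
    [ebp+disp8] (ModRM 45h) or [ebp+disp32] (ModRM 85h)."""
    frame = {}                       # ebp-relative offset -> byte value
    i = 0
    while i < len(code):
        width = 4
        if code[i] == 0x66:          # operand-size prefix: 16-bit immediate
            width, i = 2, i + 1
        opcode, modrm = code[i], code[i + 1]
        if opcode == 0xC6:
            width = 1
        elif opcode != 0xC7:
            raise ValueError(f"unexpected opcode {opcode:#x} at {i}")
        if modrm == 0x45:
            disp, i = struct.unpack_from("<b", code, i + 2)[0], i + 3
        elif modrm == 0x85:
            disp, i = struct.unpack_from("<i", code, i + 2)[0], i + 6
        else:
            raise ValueError(f"unsupported ModRM {modrm:#x} at {i}")
        for k in range(width):       # the immediate is stored little-endian
            frame[disp + k] = code[i + k]
        i += width
    # Lay the sparse frame out low-to-high (unwritten slots read as zero, as
    # on the zeroed emulator stack) and split on UTF-16 null terminators.
    lo = min(frame)
    buf = bytes(frame.get(off, 0) for off in range(lo, max(frame) + 3))
    strings, pos = {}, 0
    while pos + 1 < len(buf):
        end = pos
        while end + 1 < len(buf) and (buf[end] or buf[end + 1]):
            end += 2
        if end > pos:
            strings[lo + pos] = buf[pos:end].decode("utf-16-le")
        pos = end + 2
    return strings
```

Concatenating the returned strings in offset order reproduces the emulator output above; the per-offset view additionally shows which pieces are separate format strings (for example the service command line, the share names and the "%u" name component).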

 

The onboard password list is still stored encoded with the normal Emotet string encoding routine as seen below:

Emotet Update

To find the NetPass executable, we needed to investigate some of the large chunks of data that are being referenced.

Emotet Update: function investigation of a 128-bit value

This function is passed the offset of a rather large chunk of data; investigating the routine shows it loading a 128-bit value.

Emotet Update

Shortly after it begins XOR decoding out the data that was passed in.

Emotet Update

The key, as we can see below, is just a repeating DWORD value.

Emotet Update

A quick investigation into this data, by taking a sample of it, shows that it is an XOR-encoded PE file.

Python>key = GetManyBytes(0x10004000, 16)
Python>import binascii
Python>binascii.hexlify(key)
d684ef78d684ef78d684ef78d684ef78
Python>blah = GetManyBytes(0x10005000, 500)
Python>blah = bytearray(blah)
Python>key = bytearray(key)
Python>for i in range(len(blah)):
Python>  blah[i] ^= key[i%len(key)]
Python>
Python>binascii.hexlify(blah)
4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000

 

A quick way to decode every potential file embedded in this sample is simply to XOR the entire file with the key and then dump out all the PE files from the result; this works because the embedded data is stored at an offset within the file that keeps the repeating key aligned. Doing this provides us with two PE files, 32-bit and 64-bit versions of NetPass from NirSoft.
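As an added example (not part of the original post), the whole-file XOR approach above in Python, using the repeating DWORD key d684ef78 observed in the sample and a small constructed carrier in place of the Emotet DLL. It validates e_lfanew and the PE signature rather than trusting a bare "MZ", and it also tries every key rotation, which additionally recovers an embedded image that is not stored key-aligned.

```python
import struct

# XOR key as observed in the sample: the 16 bytes read from the key buffer are
# just the DWORD d684ef78 repeated.
KEY = bytes.fromhex("d684ef78")
MACHINE = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def xor_repeating(data: bytes, key: bytes, rot: int = 0) -> bytes:
    """XOR data with a repeating key; rot shifts where the key starts."""
    return bytes(b ^ key[(i + rot) % len(key)] for i, b in enumerate(data))

def carve_pe(buf: bytes):
    """Yield (offset, machine) for each MZ header whose e_lfanew points at a
    valid PE signature, instead of trusting 'MZ' alone."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x400 and pe + 6 <= len(buf) \
                    and buf[pe:pe + 4] == b"PE\0\0":
                yield pos, struct.unpack_from("<H", buf, pe + 4)[0]
        pos = buf.find(b"MZ", pos + 1)

def find_embedded_pes(blob: bytes, key: bytes = KEY) -> dict:
    """Decode the whole file with the repeating key and carve PEs. Rotation 0
    finds key-aligned data as in the sample; the others cover misaligned data."""
    found = {}
    for rot in range(len(key)):
        for off, machine in carve_pe(xor_repeating(blob, key, rot)):
            found.setdefault(off, (rot, MACHINE.get(machine, hex(machine))))
    return found

def make_fake_pe(machine: int) -> bytes:
    """Constructed stand-in for an embedded PE: DOS header + PE signature."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

def build_sample() -> bytes:
    """Constructed carrier: an x86 stub at a key-aligned offset (0x100) and an
    x64 stub at a misaligned one (0x25b), each encoded from its own start."""
    blob = bytearray(b"\x11" * 0x100)
    blob += xor_repeating(make_fake_pe(0x14C), KEY)
    blob += b"\x22" * 0x103
    blob += xor_repeating(make_fake_pe(0x8664), KEY)
    return bytes(blob + b"\x33" * 0x20)
```

Calling find_embedded_pes(build_sample()) reports the x86 stub at 0x100 under rotation 0 and the x64 stub at 0x25b under rotation 1; on the real DLL the same call is what separates the two NetPass images by their IMAGE_FILE_HEADER machine field.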

Now that we’ve found this little addition we can take a look at its usage in the overall setup phase of the spreader module.

As can be seen in this overview of the setup phase of the spreader module, it is much the same as the previously documented version except for an addition involving the execution of NetPass. After this initial setup, the DLL moves into the actual spreading portion:

The spreading portion is similar to our last post. Upon a successful connection to the remote machine, the Emotet sample on disk is copied using a random name based on the tick count, and then a service is created to execute it, which also uses a random name based on the tick count.

 

Conclusion

Network spreading appears to continue to be a development priority for malware authors, and this trend isn’t looking to stop anytime soon. The research community appears to have answered this trend, with researchers from many fields in cyber security adjusting their focus to lateral movement and pivoting in enterprise environments. Attacks such as the one utilized by Emotet for spreading, however, relate to an old problem in our field: password policies. There’s nothing like an ever-evolving current threat to help us remember why these old principles are still important to this day. The Fidelis threat research team will continue to monitor threats such as these to help the community and our customers stay ahead of our adversaries.

 

IOCs


References:

  1. https://www.cert.pl/en/news/single/analysis-of-EMOTET-v4/
  2. https://blog.fortinet.com/2017/05/09/deep-analysis-of-new-EMOTET-variant-part-2
  3. https://securelist.com/analysis/publications/69560/the-banking-trojan-EMOTET-detailed-analysis/
  4. https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows
  5. https://developers.google.com/protocol-buffers/
  6. https://www.fidelissecurity.com/threatgeek/2017/07/EMOTET-takes-wing-spreader
  7. https://www.fidelissecurity.com/threatgeek/2017/09/EMOTET-evolution-spreader-gets-integrated
  8. https://www.nirsoft.net/utils/network_password_recovery.html
  9. https://github.com/DavidWittman/wpxmlrpcbrute/blob/master/wordlists/1000-most-common-passwords.txt#L751
  10. https://github.com/unicorn-engine/unicorn
  11. https://www.cert.pl/en/news/single/analysis-of-EMOTET-v4/

- Jason Reaves
Threat Research Principal Engineer I