Emotet Update

Thursday, July 26, 2018

Earlier this year the Fidelis Threat Research team detailed an update with Emotet involving the use of NetPass and string obfuscation which you can read about here(1). Recently I began researching an Emotet sample that appeared to have been updated yet again. Together with researchers from Flashpoint we were able to map out a number of recent updates which I have outlined below.

Emotet Updates Summary

  • C2 Protocol changes
  • Code flow obfuscation
  • New module with onboard miniupnp library
  • IcedID deliveries

Emotet Updated C2 Protocol

The protocol structure for Emotet still uses Google Protocol Buffers(6) but has changed slightly from the previous two iterations that were mapped out(5,7). The mail client string was removed and the osVersion data is also slightly different.

Figure 1 Registration data building

The new protobuf definition for the bot registration can be seen below.

Figure 2 Registration proto

Similar to the previous version, this registration request is ZLIB compressed and then wrapped in another structure. That registration data is then encrypted in the manner previously described, using AES and RSA.
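As an added example (my own illustration, not Emotet's code and not Fidelis tooling), the script below shows the analyst's side of this layer: once the RSA/AES wrapper has been stripped, inflate the ZLIB layer and walk the Protocol Buffers wire format without a .proto, the way `protoc --decode_raw` does, which is how the fields in a registration or response blob are recovered before a definition like Figure 2 can be written. The field numbers and values in `SAMPLE_REGISTRATION` are constructed for illustration and are not Emotet's real schema.

```python
import struct
import zlib

# Protocol Buffers wire types (developers.google.com/protocol-buffers/docs/encoding)
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def _read_varint(buf, pos):
    """Decode one base-128 varint at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_raw(buf):
    """Walk a serialized message without its .proto, like `protoc --decode_raw`.

    Returns a list of (field_number, wire_type, value). Length-delimited values
    come back as bytes; run decode_raw() on them again to test for a nested message.
    """
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x07
        if wire_type == VARINT:
            value, pos = _read_varint(buf, pos)
        elif wire_type == FIXED64:
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == LENGTH_DELIMITED:
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value = bytes(buf[pos:pos + length])
            pos += length
        elif wire_type == FIXED32:
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((field_no, wire_type, value))
    return fields


def _varint(n):
    """Encode a non-negative int as a base-128 varint."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def field(field_no, value):
    """Encode one field: int -> varint, str/bytes -> length-delimited."""
    if isinstance(value, int):
        return _varint((field_no << 3) | VARINT) + _varint(value)
    if isinstance(value, str):
        value = value.encode()
    return _varint((field_no << 3) | LENGTH_DELIMITED) + _varint(len(value)) + value


# Constructed stand-in for a registration message: the field numbers and
# contents are hypothetical and are not Emotet's schema (Figure 2 has that).
SAMPLE_REGISTRATION = (
    field(1, "WORKSTATION_ABC123")          # hypothetical bot identifier
    + field(2, 0x0A00)                      # hypothetical osVersion value
    + field(3, field(1, 6) + field(2, 1))   # hypothetical nested sub-message
)
# The post notes the registration is ZLIB compressed before it is wrapped and
# encrypted; model that compression layer here.
SAMPLE_WIRE = zlib.compress(SAMPLE_REGISTRATION)


def unwrap_registration(blob):
    """Inflate the ZLIB layer and decode the protobuf message beneath it."""
    return decode_raw(zlib.decompress(blob))
```

The decoder deliberately refuses to guess: a length-delimited field is returned as bytes, and it is the analyst who decides, by trying `decode_raw` on it, whether it is a string or a nested message such as the module list packaged into the C2 response. Truncated varints and lengths that run past the buffer raise rather than silently returning partial fields, which matters when the blob you are decoding came from a decryption step that may itself have gone wrong.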

The only other large protocol change I identified was in the response data from the C2, which now specifically deals with the modules and the payload, packaged up together into one group.

Figure 3 Response and module proto

Emotet code flow obfuscation

Some of the binary's control flow has been obfuscated by inserting jumps into another memory section that simply jump back to the next instruction in the original section. Large amounts of padding have been added to the code to make room for this.

Figure 4 Code flow obfuscation

When the code is run from the previous layer these jumps are fixed up so that the control flow is not broken.

Figure 5 Code flow obfuscation from debugger

The same piece of code viewed in a debugger shows that a jump opcode has replaced part of the block; below we can see that this jump simply goes to the next block.

Figure 6 Code flow obfuscation from a debugger 2

Not too difficult to follow if you're proficient with static analysis, but it's enough of an obfuscation to throw off IDA's analysis of some of the blocks of code.
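Here is an added example (my own illustration, not Emotet code) of how a linear sweep can undo the simplest form of this trick before handing the image back to IDA. It assumes the out-and-back hops are 5-byte `jmp rel32` (E9) instructions and that the image is loaded flat in one buffer so targets are plain offsets; the image built by `build_sample` is constructed and is not bytes from the sample. Because it scans bytes rather than decoded instructions, an E9 inside an immediate could match by accident, so the round-trip check (the hop must come straight back to the instruction after the jump) is what keeps false positives down; against a real binary you would run the same logic over the disassembler's instruction list.

```python
import struct

JMP_REL32 = 0xE9   # x86 near jmp, 5 bytes: E9 <rel32>
NOP = 0x90


def _jmp_target(code, off):
    """If a 5-byte `jmp rel32` sits at off, return its absolute target, else None."""
    if off + 5 > len(code) or code[off] != JMP_REL32:
        return None
    rel = struct.unpack_from("<i", code, off + 1)[0]
    return off + 5 + rel


def find_round_trips(code, text_range, pad_range):
    """Offsets in text_range of jmps that hop into pad_range and whose target is
    itself a jmp straight back to the instruction following the first jmp."""
    hits = []
    for off in range(*text_range):
        tgt = _jmp_target(code, off)
        if tgt is None or not (pad_range[0] <= tgt < pad_range[1]):
            continue
        if _jmp_target(code, tgt) == off + 5:   # out and straight back
            hits.append(off)
    return hits


def flatten(code, text_range, pad_range):
    """Overwrite each round-trip jmp with NOPs so the block reads as straight-line
    code again; returns (patched_image, patched_offsets)."""
    patched = bytearray(code)
    hits = find_round_trips(code, text_range, pad_range)
    for off in hits:
        patched[off:off + 5] = bytes([NOP] * 5)
    return bytes(patched), hits


def build_sample():
    """Constructed flat image (not bytes from the Emotet sample): .text at 0x1000,
    the padding section the hops land in at 0x2000, everything else int3."""
    img = bytearray(b"\xCC" * 0x2100)

    def put(off, data):
        img[off:off + len(data)] = data

    def jmp(src, dst):
        return bytes([JMP_REL32]) + struct.pack("<i", dst - (src + 5))

    put(0x1000, b"\xB8\x01\x00\x00\x00")   # mov eax, 1
    put(0x1005, jmp(0x1005, 0x2000))       # hop out to the padding section...
    put(0x2000, jmp(0x2000, 0x100A))       # ...which jumps straight back to the next instruction
    put(0x100A, b"\xC3")                   # ret
    put(0x1010, jmp(0x1010, 0x2010))       # decoy: a genuine transfer that does
    put(0x2010, jmp(0x2010, 0x1030))       # not return to 0x1015, so it must be left alone
    return bytes(img)


TEXT_RANGE, PAD_RANGE = (0x1000, 0x1100), (0x2000, 0x2100)

if __name__ == "__main__":
    image, fixed = flatten(build_sample(), TEXT_RANGE, PAD_RANGE)
    print("patched round-trip jmps at:", [hex(o) for o in fixed])   # ['0x1005']
```

The decoy at 0x1010 is the important case: a jump into the padding section that does not come straight back is real control flow, and NOPing it would corrupt the program rather than clean it up, which is why the check compares the second jump's target to `off + 5` rather than just looking for any jump pair.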

Emotet new module

Emotet also comes with a pretty interesting new module that has the UPNP library miniupnp(4) on board. The code appears to be used for creating a port forwarding on a router and then has code for binding to a local port. It seems like a good way to turn your infected residential bots' routers into proxy nodes for your C2 network. Or, judging by the decoded strings, perhaps just an attempt to bypass firewall rules? That seems like overkill though unless you're expecting something inbound.
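As an added example (not the module's code), the following shows the defender's side of this behaviour: enumerate the port mappings a router currently holds using the standard IGD WANIPConnection GetGenericPortMappingEntry action(3), so a mapping that a bot created to make itself reachable from the outside can be spotted. The router replies in `SAMPLE_REPLIES` are constructed, and `send` is a hypothetical transport callback; in real use it would POST the envelope to the router's control URL.

```python
import xml.etree.ElementTree as ET

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
UPNP_CTRL = "urn:schemas-upnp-org:control-1-0"


def build_request(index):
    """Headers and SOAP body for GetGenericPortMappingEntry(index)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="%s" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body><u:GetGenericPortMappingEntry xmlns:u="%s">'
        "<NewPortMappingIndex>%d</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    ) % (SOAP_ENV, IGD_SERVICE, index)
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": '"%s#GetGenericPortMappingEntry"' % IGD_SERVICE,
    }
    return headers, body


def parse_response(xml_text):
    """Return one mapping as a dict, or None on UPnP error 713
    (SpecifiedArrayIndexInvalid), which means we walked past the last entry."""
    body = ET.fromstring(xml_text).find("{%s}Body" % SOAP_ENV)
    fault = body.find("{%s}Fault" % SOAP_ENV)
    if fault is not None:
        code = fault.find(".//{%s}errorCode" % UPNP_CTRL)
        if code is not None and code.text.strip() == "713":
            return None
        raise RuntimeError("SOAP fault: " + ET.tostring(fault, encoding="unicode"))
    resp = body.find("{%s}GetGenericPortMappingEntryResponse" % IGD_SERVICE)
    if resp is None:
        raise ValueError("unexpected response body")
    f = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "remote_host": f.get("NewRemoteHost", ""),
        "external_port": int(f["NewExternalPort"]),
        "protocol": f["NewProtocol"],
        "internal_port": int(f["NewInternalPort"]),
        "internal_client": f["NewInternalClient"],
        "enabled": f.get("NewEnabled") == "1",
        "description": f.get("NewPortMappingDescription", ""),
        "lease_seconds": int(f.get("NewLeaseDuration") or 0),
    }


def enumerate_mappings(send):
    """Walk the mapping table from index 0 until the router returns error 713.
    `send(index, headers, body)` is a hypothetical transport callback that POSTs
    to the IGD control URL and returns the XML reply as a string."""
    mappings, index = [], 0
    while True:
        headers, body = build_request(index)
        entry = parse_response(send(index, headers, body))
        if entry is None:
            return mappings
        mappings.append(entry)
        index += 1


def mappings_to_host(mappings, host):
    """Mappings that expose `host` to the internet, i.e. what a bot on that host
    expecting inbound connections would have had to create."""
    return [m for m in mappings if m["internal_client"] == host]


def _reply(ext, proto, intport, client, desc):
    return (
        '<?xml version="1.0"?><s:Envelope xmlns:s="%s"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">'
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort>"
        "<NewProtocol>%s</NewProtocol><NewInternalPort>%d</NewInternalPort>"
        "<NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>%s</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    ) % (SOAP_ENV, IGD_SERVICE, ext, proto, intport, client, desc)


FAULT_713 = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="%s"><s:Body><s:Fault>'
    "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
    '<detail><UPnPError xmlns="%s"><errorCode>713</errorCode>'
    "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
    "</UPnPError></detail></s:Fault></s:Body></s:Envelope>"
) % (SOAP_ENV, UPNP_CTRL)

# Constructed router replies for indexes 0..2; not captured from a real device.
SAMPLE_REPLIES = {
    0: _reply(80, "TCP", 80, "192.168.1.10", "Web Cam"),
    1: _reply(8080, "TCP", 8080, "192.168.1.23", ""),
    2: FAULT_713,
}

if __name__ == "__main__":
    found = enumerate_mappings(lambda i, h, b: SAMPLE_REPLIES[i])
    for m in mappings_to_host(found, "192.168.1.23"):
        print("%s/%d -> %s:%d %r" % (m["protocol"], m["external_port"],
                                    m["internal_client"], m["internal_port"], m["description"]))
```

Error 713 is the only graceful end of the table, so the walk treats it as "done" and treats any other fault as a real error; a mapping with an empty description pointing at a workstation, like the second constructed entry, is exactly the kind of artefact a module built on miniupnp would leave behind and is worth correlating against the host's process list.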

Figure 7 Decoded strings
Figure 8 Miniupnp library strings

An interesting crossover here is that McAfee saw this same technique being used by Qbot(2); Emotet has previously been seen delivering Qbot as well as Dridex. What is immediately interesting is that these proxy-like C2 nodes on residential IPs appear to have both an HTTP port and an HTTPS port open, and the certificate on the HTTPS port is generated and appears to match what is specified in the McAfee article. It's interesting to see the technique Qbot used against home routers showing up as a module for Emotet, and then to see many of these nodes hosting what appear to be both.

The new module will post a request to /whoami.php on one of the module's C2s, such as 75.128.208.218:8080. However, on this same IP, port 443 presents a certificate that appears very similar to what was described in the McAfee article for Qbot.

Figure 9

The next day a newly generated cert was available:

Figure 10

Checking another C2 from the modules shows another similar certificate:

This potential Emotet and Qbot crossover of techniques is curious, but as mentioned previously we have seen Emotet delivering Qbot. In this case, however, the UPNP code was being used as a module of Emotet: as with the other modules it expects the main Emotet binary to pass over needed items such as the RSA public key, and it reuses Emotet code such as the functions used for counting its onboard table of IPs and ports and the stack-based string obfuscation. This technique overlap, coupled with the double ports frequently found on these residential IPs, makes for some interesting speculation on how close the actors behind Emotet and Qbot respectively are.

So with all that, we are expecting a Qbot delivery, right? Well, for this run I received an IcedID sample. IcedID being delivered by Emotet is also not new(8), but then why do the Emotet module C2s (which are residential IPs) appear to host both a port for Emotet and a port for Qbot? Questions that will hopefully be answered in due time by the research and intelligence communities.

Conclusion

We’ve outlined a number of updates in this paper that will hopefully benefit other researchers and defenders in the field. This research was conducted with the help of other research teams from Flashpoint as well as Bank of America, and as such we would like to thank all parties involved: Vitali Kremez, Director of Research at Flashpoint; Ronnie Tokazowski, Senior Malware Analyst at Flashpoint; and Joshua Platt with Bank of America.

References:

  1. https://www.fidelissecurity.com/threatgeek/2018/05/emotet-update
  2. https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-discovers-pinkslipbot-exploiting-infected-machines-as-control-servers-releases-free-tool-to-detect-disable-trojan/
  3. http://www.upnp-hacks.org/igd.html
  4. https://github.com/miniupnp/miniupnp
  5. https://www.cert.pl/en/news/single/analysis-of-emotet-v4/
  6. https://developers.google.com/protocol-buffers/
  7. https://www.fidelissecurity.com/threatgeek/2017/09/emotet-evolution-spreader-gets-integrated
  8. https://www.flashpoint-intel.com/blog/trickbot-icedid-collaborate-increase-impact/

IOCs:

SHA256 hashes (hash followed by its role):

29f645685c97217125f8449d3ceaa08a4e05cfdeb27b8a6c32118e3bb0c120d2  Emotet
30315921273e477cbe6e160421f6fa55ec5b6fcb759ff743628c9f3af5c93988  Outlook module
fb3036693028958c7bfa973ca34f87224a90394e41ad8684a6d6084c65064a8d  BrowserPV module
5c595cf40af6d3e53e8bd7d87d7c26f27d94f36fd55e7230358c1d770e275adb  MailPV module
5aa75c528fcc00c72cce8087d4bd2e53512093e9c7f6b30108d8684997e522ea  UPNP module
b86cf36198105e98211938825ae323a0cb294d6164003a86fadcef41e782318d  Spreader module
3b52c32e3cbdc80594f3e767a21be5c1c8890428887dac5a4a31626afe0eacee  IcedID payload

Emotet C2 (IP:port):

74.139.102.161:443
71.246.52.87:80
217.91.43.150:7080
89.217.155.84:80
139.162.216.32:8080
216.230.231.74:8080
217.8.51.144:80
194.88.246.242:443
96.242.234.105:80
72.52.216.110:8080
179.42.195.195:80
65.41.38.155:80
149.62.173.247:8080
77.154.197.178:8080
177.99.167.185:443
46.4.100.178:8080
142.169.147.106:80
50.31.146.101:8080
95.154.148.38:80
98.172.71.14:80
87.248.77.159:80
89.81.202.64:143
191.242.178.46:443
216.105.170.139:4143
91.205.122.42:80
217.160.20.223:443
206.255.140.203:80
132.204.161.158:7080
46.38.238.8:8080
5.9.252.80:8080
24.217.117.217:80
121.135.19.214:80
23.239.2.11:8080
184.186.78.177:80
78.246.224.252:80
71.244.60.231:4143
206.248.60.218:80
189.199.94.178:80

Emotet module C2 (IP:port):

99.253.201.86:50000
75.128.208.218:8080
69.193.199.50:80
74.79.26.193:990
173.70.47.89:443
186.71.61.90:80
138.68.13.161:8080
88.198.62.227:8080

- Jason Reaves
Threat Research Principal Engineer I