Threat Intelligence

Emotet Update

Last year Fidelis Cybersecurity posted an update to our previous research on the Emotet spreader module (7). Our analysts continue to monitor this threat, and because of the ongoing Emotet activity, the Fidelis Threat Research Team recently dedicated some time to examining an updated sample.

We decided to do a full breakdown of the malware and its modules to verify whether the C2 protocols were unchanged and to release updated technical data to the community. While reversing the modules, we noticed that the spreader module looked different; this post covers the modifications we uncovered during our analysis of the updated Emotet malware.

Emotet Network Spreader

For starters, the new sample was larger than when it was last analyzed, and a change in size typically indicates modification. Once we dug in, we found that the new version is identical to the previous one except for two key differences:

  • Emotet now comes with NetPass.exe onboard
  • Strings have been obfuscated instead of encoded

While the spreader still comes with an onboard password list (10), it now also carries two embedded, XOR-encoded EXE files. After decoding them we can see that they are the 32-bit and 64-bit versions of NetPass.exe (8), which is executed with the argument ‘/stab’ to dump any stored network passwords on the system. This is a crude addition, similar to their use of other NirSoft utilities as modules, and it lets additional harvested passwords be tried as the malware spreads around the network. The technique also capitalizes on any password reuse across accounts.

Most of the strings in this spreader module are obfuscated rather than encoded; the other modules use encoded strings, in the same way Emotet encodes its own strings [11]. The exception is the onboard password list, which is still stored encoded.

The figure above is an example where we can see the string ‘Administrator’ being loaded onto the stack in chunks.

>>> binascii.unhexlify('41646d696e6973747261746f72')
'Administrator'

Strings used to create file names and service names are similarly obfuscated.

Instead of transcribing these chunks by hand, we can reuse the technique used to deobfuscate H1N1 strings, which are hidden the same way: run the instruction sequence in the unicorn emulator (10) from Python.

import binascii
from unicorn import Uc, UC_ARCH_X86, UC_MODE_32
from unicorn.x86_const import UC_X86_REG_EBP, UC_X86_REG_EDI

STACK = 0x90000           # scratch region that stands in for the stack frame
code_base = 0x10000000    # where the lifted instruction sequence is loaded

mu = Uc(UC_ARCH_X86, UC_MODE_32)
mu.mem_map(code_base, 0x1000)
mu.mem_map(STACK, 4096 * 2)

# the run of "mov dword [ebp-xx], imm32" instructions lifted from the spreader
complete = "c745e425007500c745b425007300c745b825007300c745bc5c002500c745c075002e00c745c465007800c745c865000000c78578ffffff22002500c7857cffffff73005c00c7458025007500c745842e006500c7458878006500c7458c22002000c745902d002500c7459463000000c745dc5c004300c745e024000000c745cc5c004100c745d044004d00c745d449004e00c745d824000000c745ec43003a00c7459825005300c7459c79007300c745a074006500c745a46d005200c745a86f006f00c745ac74002500"
code = binascii.unhexlify(complete)

mu.mem_write(code_base, b'\x00' * 0x1000)
mu.mem_write(STACK, b'\x00' * (4096 * 2))
mu.mem_write(code_base, code)
# point EBP (and EDI) into the middle of the scratch region so the negative
# displacements used by the stores all land inside mapped memory
mu.reg_write(UC_X86_REG_EBP, STACK + 4096)
mu.reg_write(UC_X86_REG_EDI, STACK + 4096)
mu.emu_start(code_base, code_base + len(code))

# the chunks are UTF-16LE; decode the frame and drop the null padding between strings
a = mu.mem_read(STACK, 4096 * 2)
print([s for s in bytes(a).decode('utf-16le').split('\x00') if s])
mu.mem_write(STACK, b'\x00' * (4096 * 2))

This gives us an output of the strings previously built which also lines up with strings we have previously seen in the Emotet spreader module.

"%s%u.exe" -%c%SystemRoot%%s%s%u.exeADMIN$C$%uC:
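The same strings can also be recovered statically, without an emulator, by parsing the `mov dword [ebp+disp], imm32` encodings (opcode C7 with ModRM 45 for an 8-bit displacement and 85 for a 32-bit one) and laying the immediates out by displacement. This is an added example, not code from the original post; it assumes the byte sequence above was lifted verbatim from the spreader and contains only those two encodings.

```python
import struct

# The mov-immediate sequence from the spreader, as captured above
COMPLETE = ("c745e425007500c745b425007300c745b825007300c745bc5c002500"
            "c745c075002e00c745c465007800c745c865000000c78578ffffff22002500"
            "c7857cffffff73005c00c7458025007500c745842e006500c7458878006500"
            "c7458c22002000c745902d002500c7459463000000c745dc5c004300"
            "c745e024000000c745cc5c004100c745d044004d00c745d449004e00"
            "c745d824000000c745ec43003a00c7459825005300c7459c79007300"
            "c745a074006500c745a46d005200c745a86f006f00c745ac74002500")


def parse_stack_writes(code: bytes) -> dict:
    """Map each EBP displacement to the 4 bytes the instruction stores there."""
    writes, i = {}, 0
    while i < len(code):
        if code[i] != 0xC7:
            raise ValueError(f"unexpected opcode {code[i]:#x} at offset {i}")
        modrm = code[i + 1]
        if modrm == 0x45:                       # mov dword [ebp+disp8], imm32
            disp = struct.unpack_from("<b", code, i + 2)[0]
            imm, i = code[i + 3:i + 7], i + 7
        elif modrm == 0x85:                     # mov dword [ebp+disp32], imm32
            disp = struct.unpack_from("<i", code, i + 2)[0]
            imm, i = code[i + 6:i + 10], i + 10
        else:
            raise ValueError(f"unsupported ModRM {modrm:#x} at offset {i}")
        writes[disp] = bytes(imm)
    return writes


def rebuild_strings(writes: dict) -> list:
    """Lay the chunks out by displacement and split the UTF-16LE frame on nulls."""
    lo, hi = min(writes), max(writes) + 4
    size = hi - lo + 4                          # +4 keeps a terminator after the last chunk
    frame = bytearray(size + (size & 1))        # UTF-16 needs an even byte count
    for disp, imm in writes.items():
        frame[disp - lo:disp - lo + 4] = imm
    return [s for s in frame.decode("utf-16le").split("\x00") if s]


def decode_stack_strings(hexcode: str) -> list:
    return rebuild_strings(parse_stack_writes(bytes.fromhex(hexcode)))


if __name__ == "__main__":
    for s in decode_stack_strings(COMPLETE):
        print(repr(s))
```

Unlike the emulator output, the decoded list keeps the backslashes (for example `"%s\%u.exe" -%c` and `\ADMIN$`), which is what the 5c00 wide characters in the immediates encode.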

The onboard password list is still stored encoded with the normal Emotet string encoding routine as seen below:

To find the NetPass executable we needed to investigate some of the large chunks of data that are being referenced.

This function is passing in the offset to a rather large chunk of data; investigating the routine shows it loading a 128-bit value.

Shortly after it begins XOR decoding out the data that was passed in.

The key as we can see below is just a repeating DWORD value.

A quick investigation into this data by taking a sample of it shows that it is an XOR-encoded PE file.

Python>key = GetManyBytes(0x10004000, 16)
Python>import binascii
Python>binascii.hexlify(key)
d684ef78d684ef78d684ef78d684ef78
Python>blah = GetManyBytes(0x10005000, 500)
Python>blah = bytearray(blah)
Python>key = bytearray(key)
Python>for i in range(len(blah)):
Python>  blah[i] ^= key[i%len(key)]
Python>
Python>binascii.hexlify(blah)
4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000

A quick way to decode every file embedded in this sample is to XOR the entire file with the key and then carve all PE files out of the result; this works because the embedded data is stored at an even offset within the file. Doing so yields two PE files, the 32-bit and 64-bit versions of NetPass from NirSoft.
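The whole-file approach, as an added example (not code from the original post): XOR the blob with the repeating DWORD key recovered above, then walk the result for MZ headers whose e_lfanew points at a PE signature. The input is a constructed stand-in with two minimal PE headers (x86 and x64 machine types) encoded at 4-byte-aligned offsets; the trick only works when each embedded file starts at a multiple of the key length, otherwise the key phase is off and that file stays scrambled.

```python
import struct

KEY = bytes.fromhex("d684ef78")     # repeating DWORD key recovered above


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_pe(data: bytes) -> list:
    """Return (offset, machine) for every MZ header whose e_lfanew hits a PE signature."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 6 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                found.append((pos, struct.unpack_from("<H", data, pe + 4)[0]))
        pos = data.find(b"MZ", pos + 1)
    return found


def carve_xored_pes(blob: bytes, key: bytes = KEY) -> list:
    """Decode the whole blob with the key, then carve. Embedded files must start
    at an offset that is a multiple of len(key) for the key phase to line up."""
    return carve_pe(xor_repeat(blob, key))


# Constructed stand-in for the module: two minimal PE headers, XOR-encoded at
# 4-byte-aligned offsets, so the whole-file trick applies.
def _fake_pe(machine: int) -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)    # IMAGE_FILE_HEADER.Machine
    return bytes(hdr)


SAMPLE = xor_repeat(b"\0" * 0x1000 + _fake_pe(0x14C) + b"\0" * 0x1000 + _fake_pe(0x8664), KEY)

if __name__ == "__main__":
    for off, machine in carve_xored_pes(SAMPLE):
        print(f"PE at {off:#x}, machine {machine:#x}")   # 0x14c = I386, 0x8664 = AMD64
```

The e_lfanew check is what keeps random "MZ" byte pairs in the decoded blob from being reported as files.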

Now that we’ve found this little addition we can take a look at its usage in the overall setup phase of the spreader module.

As can be seen in this overview of the setup phase of the spreader module, it is much the same as the previously documented version except for an addition involving the execution of NetPass. After this initial setup, the DLL moves into the actual spreading portion:

The spreading portion is similar to what we described in our last post. Upon a successful connection to the remote machine, the Emotet sample on disk is copied using a random name based on the tick count, and a service is then created to execute it, which also uses a random name based on the tick count.

Conclusion

Network spreading appears to remain a development priority for malware authors, and this trend is not looking to stop anytime soon. The research community appears to have answered it, with researchers from many fields in cyber security shifting their focus to lateral movement and pivoting in enterprise environments. Attacks such as the one Emotet uses for spreading, however, relate to an old problem in our field: password policies. There is nothing like an ever-evolving current threat to remind us why these old principles are still important today. The Fidelis Threat Research Team will continue to monitor threats such as these to help the community and our customers stay ahead of our adversaries.

IOCs


References:

  1. https://www.cert.pl/en/news/single/analysis-of-EMOTET-v4/
  2. https://blog.fortinet.com/2017/05/09/deep-analysis-of-new-EMOTET-variant-part-2
  3. https://securelist.com/analysis/publications/69560/the-banking-trojan-EMOTET-detailed-analysis/
  4. https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows
  5. https://developers.google.com/protocol-buffers/
  6. https://www.fidelissecurity.com/threatgeek/threat-intelligence/emotet-spreader/
  7. https://www.fidelissecurity.com/threatgeek/threat-intelligence/emotet-network-spreader-component/
  8. https://www.nirsoft.net/utils/network_password_recovery.html
  9. https://github.com/DavidWittman/wpxmlrpcbrute/blob/master/wordlists/1000-most-common-passwords.txt#L751
  10. https://github.com/unicorn-engine/unicorn
  11. https://www.cert.pl/en/news/single/analysis-of-EMOTET-v4/