The Return of Emotet
January 3, 2022
Topics
- Malware
- Ransomware
Emotet is a malware strain first detected in 2014. It has been called one of the most prevalent threats of the decade, with an estimated 1.6 million victims across many countries and an estimated $2 billion USD in damage. It spreads mainly through spam and phishing campaigns that carry malicious attachments. The first versions functioned as a banking trojan designed to steal banking credentials from infected hosts. Throughout 2016 and 2017, the operators reworked the trojan into a malware loader: a component whose job is to download additional payloads, such as ransomware, onto an infected host. The operators went on to use the malware to build a botnet of infected computers and sold access to it under a Malware-as-a-Service (MaaS) model. Emotet infrastructure was a primary delivery vector for the Ryuk ransomware campaigns that plagued organizations around the world in 2019 and 2020.
An international law enforcement operation to take down the Emotet infrastructure began in 2020. The agencies involved gained access to Emotet servers sometime after April 1, 2020 and worked to dismantle the botnet from the inside through January 2021. The approach they settled on was to use Emotet's own command-and-control system to push an update to infected devices that removes Emotet from the system. While this severs the connection to the Emotet botnet, it does not remove any additional malware that Emotet's customers may have left on systems after purchasing access to them, so those hosts still need to be checked for follow-on payloads. By April 2021, the Emotet botnet was dissolved.
About ten months after the takedown, Emotet was observed active again. Since November 15, 2021, the volume of Emotet infections has grown. It is now being distributed via TrickBot and via malicious spam sent from infected systems to other computers worldwide. The revival is troubling because organizations can expect a corresponding rise in ransomware activity. Most notably, the Conti ransomware group, which is believed to include former Ryuk members or to be Ryuk rebranded, is expected to surge, as Conti is reported to have persuaded the Emotet operators to return. The operators have also upgraded the malware itself: the communication protocol has changed, a new process-checking module has been added, the obfuscation has been updated, and, most importantly, Emotet has been observed dropping Cobalt Strike Beacons directly onto infected systems. Because the Beacon now arrives without an intermediate stage, threat actors who use Beacons to move laterally through a network, steal files, and deploy malware gain immediate access to compromised networks. With Cobalt Strike deployed at the moment of infection, ransomware payloads can follow even more quickly, leaving defenders less time to detect and remediate an infection.
Emotet is currently still rebuilding its infrastructure on top of the existing TrickBot infrastructure. Both Emotet and TrickBot spread mainly via malicious spam campaigns, so the first line of defense against both is the mail channel: users should be extremely wary of spam, phishing, and unexpected email attachments. Perimeter Watch encourages organizations to deploy email security tools such as Proofpoint, Mimecast, or Forcepoint, and to implement strict policies in Microsoft Office 365 to protect end users from malicious spam and phishing attempts. We also encourage organizations to raise user awareness and to run periodic spam and phishing simulation campaigns so that users learn to identify malicious emails. Below is a list of a few Indicators of Compromise related to the Emotet malware.
Persistence
C:\Windows\System32\[randomnumber]\
C:\Windows\System32\tasks\[randomname]
C:\Windows\[randomname]
C:\Users\[username]\AppData\Roaming\[random]
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[randomname].LNK (a shortcut dropped in the user's Startup folder; %APPDATA% already expands to C:\Users\[username]\AppData\Roaming, so the Roaming component is not repeated)
Registry Keys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{Random Hexadecimal Number}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random Name} with value c:\users\[username]\appdata\roaming\{Random}\{Legitimate Filename}.exe
Filename Examples
PlayingonaHash.exe
certapp.exe
CleanToast.exe
CciAllow.exe
RulerRuler.exe
connectmrm.exe
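The Run-key persistence described above is easiest to triage at scale from exported Run keys (for example `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` collected from each host) rather than by hand. The following Python script is an added example and is not part of the original advisory or of any Emotet analysis tooling: it parses a `.reg` export, unescapes the values, and flags every Run entry whose command points to an executable in a direct subfolder of %APPDATA% (the c:\users\...\appdata\roaming\{Random}\{Legitimate Filename}.exe pattern from the Registry Keys section), adding a second reason when the filename matches one of the sample names listed above. The export text embedded in the script is constructed for illustration and includes a legitimate Spotify entry to show that the path pattern alone yields candidates for review, not confirmed infections.

```python
"""Triage exported HKCU Run keys for Emotet-style persistence (added example)."""
import re

# Sample filenames listed in the advisory. Emotet reuses legitimate-looking
# names, so the path pattern below is the stronger signal; this list only
# adds weight to a finding.
EMOTET_FILENAMES = {
    name.casefold() for name in (
        "PlayingonaHash.exe", "certapp.exe", "CleanToast.exe",
        "CciAllow.exe", "RulerRuler.exe", "connectmrm.exe",
    )
}

# A REG_SZ value line in a .reg export: "Name"="data" (data still escaped).
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# c:\users\<user>\appdata\roaming\<random>\<name>.exe, matched after unescaping,
# optionally wrapped in quotes and followed by arguments.
ROAMING_EXE_RE = re.compile(
    r'^"?(?P<path>[a-z]:\\users\\[^\\]+\\appdata\\roaming\\'
    r'(?P<dir>[^\\"]+)\\(?P<exe>[^\\"]+\.exe))"?',
    re.IGNORECASE,
)


def parse_run_values(reg_text):
    """Yield (value_name, command) pairs from the text of a .reg export.

    reg.exe writes the export as UTF-16; read the file with encoding="utf-16"
    before passing its contents here. Backslashes and quotes are escaped with
    a backslash in the file, so each escape pair is collapsed to its character.
    """
    for line in reg_text.splitlines():
        m = RUN_VALUE_RE.match(line.strip())
        if m:
            yield m.group("name"), re.sub(r"\\(.)", r"\1", m.group("data"))


def suspicious_run_entries(reg_text):
    """Return [(value_name, exe_path, [reasons])] for entries worth a look."""
    findings = []
    for name, command in parse_run_values(reg_text):
        m = ROAMING_EXE_RE.match(command)
        if not m:
            continue
        reasons = ["executable in a direct subfolder of %APPDATA% (Roaming)"]
        if m.group("exe").casefold() in EMOTET_FILENAMES:
            reasons.append("filename matches an Emotet sample name")
        findings.append((name, m.group("path"), reasons))
    return findings


# Constructed export for illustration (not from a real host). The Spotify entry
# is legitimate and shows that the path pattern alone yields candidates, not
# verdicts; the last entry is the Emotet pattern with a random folder name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Spotify"="C:\\Users\\admin\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart"
"kjhsd8f"="c:\\users\\admin\\appdata\\roaming\\kjhsd8f\\CleanToast.exe"
'''

if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{name}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

A match on the path pattern is a triage signal, not a verdict: many legitimate applications auto-start from a folder under %APPDATA%. Confirm a candidate by checking whether the file is signed, when the folder and file were created relative to suspicious mail activity on the host, and whether the folder name is random rather than a vendor name. The same parser can be pointed at an export of the HKLM Services key to look for the random hexadecimal service names listed above.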
Strings (the following paths may be absent from some samples; they are not always present)
C:\email.doc
C:\123\email.doc
C:\123\email.docx
C:\a\foobar.bmp
X:\Symbols\a
C:\loaddll.exe
C:\email.htm
C:\take_screenshot.ps1
C:\a\foobar.gif
C:\a\foobar.doc
IP Addresses
1.234.21.73
1.234.65.61
103.109.247.10
103.109.247.13
103.109.247.8
103.109.247.9
103.124.107.109
103.139.242.30
103.140.207.110
103.143.8.71
103.150.68.124
103.164.180.66
103.208.86.179
103.233.25.228
103.253.107.153
103.253.107.155
103.253.107.156
103.253.107.198
103.36.126.221
103.36.79.3
103.52.135.61
103.70.29.165
103.73.102.174
103.74.143.53
103.77.205.102
103.8.26.102
103.8.26.103
103.82.248.59
103.87.173.60
103.94.0.178
104.168.155.129
104.248.178.90
104.36.167.47
105.198.236.99
106.51.48.170
107.170.4.227
107.170.64.97
108.4.67.252
108.55.14.158
109.12.111.14
109.75.64.100
110.172.137.20
113.160.37.196
114.79.148.170
116.124.128.206
116.90.234.82
117.220.229.162
117.248.109.38
117.54.140.98
120.150.218.241
121.199.35.69
122.117.90.133
122.129.203.163
124.41.211.17
128.106.122.39
128.199.192.135
128.199.206.91
128.199.232.159
129.232.146.250
131.100.24.192
131.100.24.199
134.209.247.135
136.143.11.232
136.228.128.21
136.232.34.70
138.197.109.175
139.162.113.169
139.255.199.196
139.59.14.223
139.59.56.73
142.4.219.173
142.44.247.57
142.93.218.86
144.202.34.169
144.217.91.150
144.48.139.206
144.86.10.42
144.91.110.219
144.91.122.100
144.91.122.94
149.135.101.20
149.200.165.116
151.106.39.36
152.156.122.10
153.126.165.175
154.79.244.182
154.79.251.172
158.140.143.54
159.224.167.102
159.65.1.71
159.65.3.147
162.214.106.107
162.214.188.105
162.214.50.39
164.68.99.3
164.90.159.54
167.172.119.42
167.71.11.125
167.99.141.108
168.121.97.34
168.197.250.14
170.130.55.98
170.78.0.135
172.104.227.98
173.21.10.71
176.205.194.245
176.31.163.17
176.67.56.94
177.52.221.73
177.52.26.233
177.67.137.111
177.72.80.14
177.75.5.222
177.87.0.7
178.128.197.110
178.128.23.9
178.128.83.165
178.134.47.166
178.238.236.59
178.254.33.197
178.33.13.40
178.79.147.66
178.79.150.86
180.233.150.134
181.129.167.82
181.129.251.109
181.129.85.98
181.176.174.139
181.189.221.250
181.211.247.43
181.49.135.242
182.191.92.203
182.253.100.150
182.253.106.35
185.164.32.148
185.242.88.63
185.242.89.198
185.82.144.173
185.9.187.10
185.94.172.15
185.99.2.197
186.159.12.18
186.159.16.58
186.159.4.217
186.159.5.177
186.194.119.205
186.225.119.170
186.250.48.117
186.250.48.123
186.32.3.108
186.42.212.30
186.71.134.62
186.97.172.178
186.97.201.66
187.108.32.133
187.162.59.232
187.19.167.233
188.234.115.35
188.40.48.93
189.112.119.205
189.51.118.78
190.109.169.161
190.109.171.17
190.110.222.109
190.145.83.98
190.152.4.202
190.197.55.254
190.214.21.14
190.248.146.170
190.39.205.165
190.45.79.111
190.61.46.106
190.73.3.148
190.93.208.53
191.103.252.193
191.36.151.129
192.119.93.26
192.99.150.39
194.1.193.11
194.190.18.122
194.233.68.48
194.36.28.238
194.9.172.107
198.199.70.22
198.199.98.78
198.61.167.176
200.105.199.234
200.233.192.111
200.236.218.62
200.7.198.138
200.83.98.31
201.148.20.37
201.184.226.74
202.144.203.140
202.29.237.113
202.29.239.161
202.51.122.163
203.173.94.162
204.174.223.210
207.154.208.93
207.180.220.242
207.210.201.159
209.210.95.228
209.33.231.203
211.172.241.52
212.112.86.37
212.175.98.171
212.237.17.99
213.136.86.165
213.190.4.223
213.32.252.221
216.10.251.121
216.108.227.55
216.177.161.118
216.238.71.31
217.160.5.104
217.164.247.241
217.165.123.47
23.253.208.162
24.162.214.166
24.178.196.158
24.222.20.254
24.95.61.62
27.5.4.111
31.173.137.39
31.173.137.47
31.173.137.49
31.215.70.105
31.35.28.29
32.221.229.7
36.37.99.242
36.67.109.15
36.89.98.183
36.92.59.93
36.95.110.19
37.187.115.122
37.247.35.130
37.57.82.112
37.59.103.148
37.59.74.180
38.70.253.226
40.134.247.125
41.175.22.226
41.228.22.180
41.76.108.46
45.116.106.45
45.229.162.233
45.33.20.41
45.56.121.87
45.65.249.154
45.79.91.89
45.9.20.200
45.90.108.123
46.101.90.205
46.55.222.11
49.156.39.150
49.248.217.170
5.181.156.16
5.182.210.132
5.189.150.29
5.199.162.48
5.32.41.46
5.34.74.210
5.39.99.208
50.116.62.25
50.21.183.143
50.237.134.22
50.29.166.232
51.178.161.32
51.178.186.134
51.178.61.60
51.210.242.234
51.38.71.0
51.68.138.110
51.79.205.117
51.83.3.52
51.91.142.158
51.91.76.89
54.37.106.167
54.37.212.235
54.37.70.105
54.38.143.246
54.39.98.141
61.69.102.170
62.64.9.237
64.251.25.156
65.100.174.110
66.175.217.172
67.207.95.35
67.209.195.198
69.14.172.24
69.16.218.101
69.64.50.41
70.163.1.219
72.252.201.34
74.15.2.252
75.156.151.34
75.188.35.168
76.169.147.192
79.167.192.206
80.211.3.13
80.211.40.191
81.190.193.197
81.214.126.173
81.223.127.86
83.146.71.242
85.10.248.28
85.88.174.94
87.97.178.92
91.121.134.180
91.121.146.47
91.207.181.106
91.207.28.33
91.243.125.5
91.83.88.122
93.48.58.123
93.48.80.198
94.136.143.124
94.140.114.201
94.200.181.154
94.28.78.200
95.110.160.239
95.140.217.242
96.21.251.127
96.80.109.57
96.9.77.56
97.107.134.115
98.0.159.122
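The IP addresses above are most useful when matched automatically against egress logs, and the Strings above against files recovered from a suspect host. The following Python script is an added example and is not part of the original advisory: it extracts every IPv4 literal from text log lines and reports the ones that appear in the IoC set (only a handful of the addresses above are embedded, as a stand-in for the full list), and it searches a byte blob for the Strings IoCs in both ANSI and UTF-16LE form. The firewall log lines and the file blob are constructed for illustration.

```python
"""Match the advisory's network and string IoCs against collected artifacts
(added example)."""
import re

# A handful of the C2 addresses from the advisory's list, as a stand-in for
# the full list; in practice load every address from the advisory here.
EMOTET_C2_IPS = frozenset({
    "1.234.21.73", "103.109.247.10", "104.168.155.129", "128.199.192.135",
    "144.202.34.169", "185.242.88.63", "190.145.83.98", "212.237.17.99",
})

# Paths from the Strings section; Emotet samples carry these as artifacts.
EMOTET_STRINGS = (
    rb"C:\email.doc", rb"C:\123\email.doc", rb"C:\123\email.docx",
    rb"C:\a\foobar.bmp", rb"X:\Symbols\a", rb"C:\loaddll.exe",
    rb"C:\email.htm", rb"C:\take_screenshot.ps1", rb"C:\a\foobar.gif",
    rb"C:\a\foobar.doc",
)

# Four dotted octets not glued to further digits or dots, so "1.2.3.4.5"
# is not chopped into a bogus address while "1.2.3.4:443" still matches.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_c2_connections(log_lines, ioc_ips=EMOTET_C2_IPS):
    """Return (line_no, ip) for every IoC address found in the log lines.

    Every IPv4 literal on each line is checked, so the function works on any
    text log (firewall, proxy, Zeek conn.log) without knowing its columns.
    """
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((line_no, ip))
    return hits


def find_string_iocs(data, needles=EMOTET_STRINGS):
    """Return the IoC strings present in a byte blob (dropped file, memory dump).

    Windows binaries mix ANSI and UTF-16LE strings, so both encodings are
    checked for each needle.
    """
    found = []
    for needle in needles:
        if needle in data or needle.decode("ascii").encode("utf-16-le") in data:
            found.append(needle.decode("ascii"))
    return found


# Constructed firewall log (not from a real network); internal hosts are 10.0.4.x.
SAMPLE_FIREWALL_LOG = """\
2021-12-20T10:01:12Z fw01 ALLOW tcp 10.0.4.21:51734 -> 185.242.88.63:443
2021-12-20T10:01:13Z fw01 ALLOW tcp 10.0.4.21:51735 -> 142.250.72.14:443
2021-12-20T10:02:40Z fw01 ALLOW tcp 10.0.4.37:49822 -> 104.168.155.129:8080
2021-12-20T10:03:02Z fw01 DENY  udp 10.0.4.37:60001 -> 8.8.8.8:53
"""

# Constructed blob standing in for a dropped executable: one ANSI string and
# one UTF-16LE string from the list, surrounded by filler bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\a\\foobar.bmp" + b"\x00" * 8
    + "X:\\Symbols\\a".encode("utf-16-le") + b"\x00" * 8
)

if __name__ == "__main__":
    for line_no, ip in find_c2_connections(SAMPLE_FIREWALL_LOG.splitlines()):
        print(f"line {line_no}: connection to Emotet C2 {ip}")
    print("string IoCs in blob:", find_string_iocs(SAMPLE_BLOB))
```

Treat a hit as a reason to pull the host for the persistence checks in the sections above rather than as proof of infection: C2 lists of this kind go stale quickly, and many of the addresses are compromised third-party hosts that may later return to legitimate use. The UTF-16LE check matters because a path that only shows up in `strings -e l` output would be missed by an ANSI-only search.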