
Welcome, everybody, to "Characteristics of Emotet Infections." I am Brad Duncan. I'm a threat intelligence analyst with Palo Alto Networks' Unit 42 team. I also volunteer for the Internet Storm Center and do some diaries, their infosec blogs for lack of a better term. I tweet at @malware_traffic on Twitter, usually very dry, boring technical tweets; every once in a while I'll post a meme or something. And I post a lot of pcaps and malware samples to my blog at malware-traffic-analysis.net.

It's interesting: when I submitted the proposal for this talk to the committee, Emotet was active and very much a daily spammer. We would get various Emotet email examples submitted to VirusTotal on a daily basis, and I would see it in my spam traps. Now, since about mid-July, it's been quiet. The botnet, the infrastructure behind Emotet, is still there; it's still alive and still occasionally doing things, but it's not spamming. So Emotet is what I would call dormant right now.

We'll look at what Emotet is, I'll describe how my lab environment is set up to look at some examples of Emotet infection traffic (we'll have two examples that we'll cover here), and then we'll look at other malware that is active and is kind of filling the hole that Emotet has left open since it went dormant.

Emotet was originally discovered in 2014, first as a banking Trojan, and it has kind of morphed since then. It's what we call modular malware, which means it has functions that are sent as separate modules after the initial infection. For example, there is a spambot module. In my lab environment we'll usually see spambot activity happen on an infected Windows host approximately 30 to 45 minutes after the initial infection. It is a backdoor, it is a spambot, and it does provide follow-up malware, usually Cobalt Strike, but we've seen other types of malware as well.

The Cobalt Strike ties in with Emotet being an initial access broker, which means the criminal group behind Emotet likes to make extra money, I guess, by selling access to the infected Windows hosts that are part of its botnet. These other criminals will then use Cobalt Strike to map out the environment and see if there's anything of a high-value target, and then usually it'll drop ransomware, whoever the additional criminal is. So when you hear stories about Conti ransomware attacks in the past year or so, some of those can be directly attributed to an initial Emotet infection by someone who was tricked by an Emotet spambot email.

There are currently two Emotet botnets. They act exactly the same; I'm not sure how the people who track these things separate the two botnets out. They call one botnet Epoch 4 and the other botnet Epoch 5. The reason they call them 4 and 5 is that before the 2021 takedown of Emotet, when it was gone for about 11 months and came back in November of last year, there were three botnets, called Epoch 1, Epoch 2 and Epoch 3. These are just nicknames by security researchers for the infrastructure behind Emotet. In recent years, as I've said, Emotet infections have been publicly documented as leading to ransomware.

Here is the chain of events for a typical Emotet infection over the last few months. For the last two or three months before it went quiet in mid-July 2022, it was consistently something like this.

You would have a thread-hijacked email. Sometimes these emails wouldn't be thread-hijacked, but they're always impersonating somebody, using some stolen email address that was taken from a previously Emotet-infected host. Part of what Emotet does when it infects a Windows host is, if you have an email client like Outlook or Thunderbird with a bunch of emails in it, it will take that information and send it up to the botnet, and then the Emotet botnet infrastructure will regurgitate that information and use it for thread-hijacked emails impersonating a legitimate sender and including those email chains.

For the last two or three months before it went silent, these emails always contained attachments: a password-protected zip archive (sometimes not password-protected, but mostly password-protected) that contained a Microsoft Excel spreadsheet, specially crafted with a macro containing malicious code designed to infect a vulnerable computer with Emotet. A victim would enable macros on a vulnerable Windows host, and that would generate traffic to retrieve a Windows binary, a Windows DLL file in this case, for Emotet and run it on the infected Windows host.

Now the traffic wouldn't be just one HTTP or HTTPS request. It would usually be about three, four or five URLs that would retrieve Emotet DLLs. This is a redundancy, because these URLs change frequently; they're easily detectable as hosting malware, and they get taken offline. So you usually have four or five different URLs that are all triggered to retrieve an Emotet DLL, and hopefully one of them will still be active. Once the Emotet DLL is run, that's when we start seeing the command and control traffic to servers on the Emotet botnet, and from there you see the follow-up activity like spambot activity or Cobalt Strike, from what I've seen in my lab, and then possibly, in a worst-case scenario, something like ransomware.

Here's an example of an email that has a password-protected zip archive as an attachment. This is a thread-hijacked email; the thread was stolen from a formerly infected Windows host that I infected with Emotet in my lab environment. I'll populate my mail client with emails back and forth between email accounts that I control. One of them was, in this case, a Gmail account that I used with the nickname Don Bertram, and the other was Martin somebody; I forget the name of the recipient. I've got everything shaded out here because I'm not going to share my honeypot email addresses with you guys, at least not publicly. If anybody's curious, you can ask me about it. There are a couple I will share publicly here in this presentation, but those are considered burned.

You can't see it because I haven't scrolled down, but we have the legitimate email chain between these two email accounts that I set up. It says "Hello Martin, archive password 723, have a great day, Don Bertram," and then whatever the email chain was, "great work on this morning's presentation," whatever.

Now if you got an email like this from someone that you knew, or at least that claimed to be from someone that you knew, this would be relatively easy to detect, because if you look at the From line, it says Don Bertram as the name or nickname, but the email address is not Don Bertram's Gmail account; it is something.it, an Italian email provider, an Italian email address.

You open that password-protected zip archive, and within it there is an Excel spreadsheet. For the last two or three months that Emotet was actively spamming, it was sending out Excel spreadsheets that looked exactly like this. I think sometimes the little gray shaded area with the warning would be yellow or pink, but it would look exactly the same. You'll notice that there are seven tabs in this particular spreadsheet, and if you look at the workbook properties you'll see a couple of consistent things, like the author, which I think was always "Dream" in this case, and the last modified by, which I don't know, I think they were all "RGS sgk".

The thing with this is that the sheets in the workbook were all protected, so I can't go in and look at the macro code for this particular spreadsheet without knowing whatever password was used to protect these sheets in this workbook. The only quick and easy way for me to figure out what those URLs are is to detonate it in an environment or a sandbox.

Speaking of lab environments, we'll look at the lab environment that I use to detonate Emotet malware and check it. I use Active Directory environments. A lot of sandboxes, especially the free ones or the relatively cheap ones that are available, even a lot of the enterprise solutions (for example, Palo Alto Networks has a live sandbox environment called WildFire), use a single standalone Windows host, or maybe they're running samples on two different ones, one Windows 10 and maybe one Windows 7 or something like that, but it's not an Active Directory environment. I like to use Active Directory environments because that's how you see Cobalt Strike. Malware like Emotet or Qakbot or IcedID is not going to send Cobalt Strike to sell access to a standalone Windows host as an initial access broker, because a standalone Windows host is generally not part of a high-value target. You want an Active Directory environment with hundreds of clients and various interesting servers that could be either exploited or targeted for ransomware.

What I'll generally do is run a virtualized environment. On this MacBook that I have here, for example, I'm running either VMware Fusion or VirtualBox; on a Linux host I can run KVM with QEMU, and I've tried that before with relatively good success. Those are generally it. I do have a physical environment that I'll use for certain families of malware that are very resistant to running properly in a virtual environment. I'm not as technically proficient as some people who can alter their virtual environments to disguise the fact that they're virtual, so it's easier for me to just pick up a couple of laptops on eBay and an old Cisco switch and set up an environment in my home lab, and this is how I do it. Plus, the benefit of having a physical setup like this is that you can add as many Windows clients as you have ports in your switch, and I can usually just do a SPAN port on the Cisco switch from any one of those clients. If I'm detonating malware on one of them, I can span that port to another port where I'm monitoring it on a computer running tcpdump or Wireshark to record the pcap.

I like to have fun with my virtual environments. It's not all monotonous, although there is monotony and routine in the stuff that I do every day, so I like to have a little fun. For example, for a short while I was using an environment that was Batman and Robin. This is not the modern Batman, the guy with the whispery deep voice; this is the Adam West Batman of the late 1960s, with Adam West and Burt Ward. So Batman would use aol.com, since he's of a little older generation, and Robin, who is a little younger and a little more hip, would use something relatively newer like Yahoo, at least that's the way I see it. I'll come up with these conversations off the top of my head. This is one example of the emails that I'll send. I try to imitate the Adam West version of Batman vocally, but it doesn't work out; it sounds more like the Christopher Lloyd character, Doc in Back to the Future: "we gotta defeat the Joker." It doesn't sound anything like Adam West. But this is the type of email that I'll pass between these two accounts.

I'm using Thunderbird as the email client in my environment, and you can see what I have up here. I started near the end of June and had this going for a couple of weeks. Those accounts are still there, though, so feel free to send anything you want to any of these emails; I doubt I'll be using them much after today. You can see some of these emails have attachments, and they're all reply-based emails, thread-hijacked emails. I shouldn't say thread-hijacked; sometimes they are not exactly thread-hijacked, like this one. It says "please open the attached document," it's got an Excel spreadsheet, and this is Emotet, but there is no email chain on this one. The subject is "RE:" and then the recipient's email address, and there is no actual legitimate email chain that has gone back and forth here. We'll see that sometimes with Emotet: it will just put your email address in the subject to pretend that there was a conversation. Anyway, the attachment, whether it's within a password-protected zip archive or directly attached to the email itself, is the same type of Excel spreadsheet that we looked at earlier.

Now, this exact email from July 11th with this exact attachment: I ran it earlier this week. Remember how I said there are usually four or five URLs generated by the macro code in that malicious document? Well, we do have HTTPS- and HTTP-based URLs, and one of those, one of the HTTP URLs, actually worked. What's interesting is that when I ran this through my home internet connection, my internet service provider blocked it, so I tethered through my phone, and that internet connection through my phone allowed this Windows DLL to come through. This is a URL that has been hosting malware since as early as July 11th, and it's still active.

The macro code from that malicious Microsoft Excel document took the DLL from that URL and saved it under the infected user's AppData\Local directory. It creates a new directory with a name of random alphabetic characters, saves the DLL there, and runs it. It remains persistent through a Windows registry update, the most commonly used Windows registry update to keep malware persistent: the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key, under the HKCU registry hive. regsvr32.exe is what is used to run it, so it doesn't have an entry point like you would use with rundll32.

With that in mind, let's take a look at our first example. The Wireshark displays that I'm showing here (some of you, I see, participated in the workshop that I ran earlier this week) use my customized Wireshark column display. You can find out how to set that up the same way I use it by looking at the Wireshark workshop videos that I have posted through my employer, Palo Alto Networks. If you Google "Wireshark workshop Duncan," you should find the link to a Palo Alto Networks page with all of the blog posts and articles through the company that I've used to do that.

This first infection example is from the 7th of June. I've posted the traffic online at my malware-traffic-analysis.net blog, and I did a tweet about it through the Unit 42 Intel handle on Twitter. Dumpster fire though Twitter is, it is very useful. You may have heard of the term "infosec Twitter"; that is a thing. I figure there are anywhere from 50 to 100 Twitter accounts that are primarily geared towards tweeting or retweeting technical information. Now granted, the Unit 42 Intel handle specifically is doing more than just these types of tweets; it's a little promotional as well, promoting the Unit 42 blog and everything. But I'll retweet this through my Twitter handle as well, @malware_traffic. Like I said, there are a lot of people on Twitter, about 50 to 100, that consistently tweet technical details.

This particular pcap that is available on my blog site is from an Active Directory environment, and I'm using "crypto punch.data" as a domain, which is not registered, by the way. I'll go through a domain registrar just to check to make sure that whatever domains I'm setting up for my Active Directory environments are not already registered, because I have posted information before on a domain that I didn't realize was registered by somebody, and I got an email saying "hey, you're posting information that implies that our network is compromised," and they asked me to take it down, and I could only say yes.

This is the Active Directory environment. I want to infect an Active Directory environment with Emotet because if I don't, I won't see Cobalt Strike if they send it. It's about a 50/50 shot whether they actually send it, sometimes less than that; it depends on what time of day, U.S. time, I am infecting a Windows host as to whether I might or might not see Cobalt Strike.

So I have this particular pcap from the 7th of June 2022 in Wireshark. There are two HTTPS URLs and one HTTP URL that were generated by the Excel macro for that Emotet DLL, and those are here. We don't know what those first two URLs are unless you submit the malware to a sandbox environment that has some sort of man-in-the-middle set up where you can decrypt that HTTPS traffic, which is what I did in this case. So the only one that we could visibly look at, that we could actually follow the TCP stream for and see if something was returned, is that last HTTP URL.

In Wireshark, this is one of the first tricks that I learned as an analyst when I was first starting out: you follow the TCP stream. You left-click on that particular frame in your column display, bring up the menu and follow the TCP stream. In this case, this particular URL did not return anything, so the Emotet DLL or DLLs would have come through the HTTPS traffic, which is not going to be available in the pcap. If you go to that blog entry on my site, I retrieved the two DLLs that were actually downloaded over HTTPS from the infected Windows host itself.

If we go back to our pcap and use the basic web filter, you'll see that there is HTTPS activity to various IP addresses over TCP port 8080 and TCP port 443, and that's just a list of everything right there. You'll notice that there are a lot of IP addresses over those two ports. It's not limited to port 443 or 8080; those are just the most common ones. Sometimes you'll see HTTPS traffic over TCP port 7080.

Now, one of the things that you can trigger an alert on in the network traffic is the certificate data from the certificates used to establish the TLS connection. This is TLS version 1.2, so there is a certificate that is sent that we can actually see the data for; if this were TLS version 1.3, we could not do this. So I would filter on tls.handshake.type == 11, and in this case I'm just looking at anything with that particular data, which I filter for to look at the certificate data for any HTTPS traffic over TCP port 8080.

If I go to the frame details and expand my way down to look at the certificate data, I'm going through Transport Layer Security, Handshake Protocol: Certificate, Handshake Protocol: Certificate, going all the way down until I see the certificate issuer data. There's a bunch of rdnSequence items, and these sequence items have the values of the issuer data for this particular certificate. This is a self-signed certificate. When you set up an HTTPS server, a web server that does HTTPS, you need to have a certificate, a public and a private, in order to establish that TLS connection. This is the public certificate, and when this was still active, back on June 7th, you could have plugged that IP address an