[BreachExchange] Emotet Malware Evolves Beyond Banking to Threat Delivery Service

Destry Winant destry at riskbasedsecurity.com
Wed Jul 25 22:28:47 EDT 2018


https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/

The Emotet trojan has been popping up in the news for years: From
widespread malspam infections of banking German targets in 2014, all
the way up to the costly infection of a New Hampshire town’s computer
network in July.

And while the tricky Emotet malware first emerged targeting banking
credentials, lately researchers have spotted the trojan changing its
tactics – and its targets, catching the eye of both researchers and
law enforcement this week.

“Despite its age, Emotet is far from just barely alive,” researchers
with Check Point Research said in a new report, issued Tuesday. “It
spreads itself abundantly through spam emails, network shares and the
Rig exploit kit. While some features have stayed constant, during the
four years of Emotet’s lifecycle, modules have come and gone.”

These methods have proved effective for the trojan and damaging for
its victims. A technical alert from the Department of Homeland
Security this week said that Emotet infections on average cost state
and local governments up to $1 million per incident to remediate.

The malware has now evolved to adopt new techniques, according to
researchers from both Symantec and Check Point – including an
expansion in capabilities to become a distributor of threats for other
attack groups, and a sneaky newfound interest in third-party,
open-source code libraries.

Importantly, its core functionality has also shifted. In 2017, the
trojan ditched its banking module and made its most important
component is now a loader — symbolizing an expansion in both its
targets and its strategy around distributing threats. The malware,
which was first spotted in 2014 by Trend Micro, now acts as a
downloader or dropper of other banking trojans after gaining access to
devices, typically through spam campaigns.

Self-Propagation

Emotet stands out in its ability to self-propagate, meaning that once
it’s on a computer, the malware downloads and executes a spreader
module. That has a password list that it uses to brute-force access to
other machines on the same network. Emotet can also spread to
additional computers using a spam module that it installs on infected
victim machines.

Network-spreading particularly poses as a headache for organizations,
because it means that victims can become infected without even needing
to click on a malicious link or attachment. In addition, Emotet’s
brute-forcing of passwords may result in multiple failed login
attempts, which can lead to users being locked out of their network
accounts.

The malware currently uses five known spreader modules: NetPass.exe (a
legit utility that recovers all network passwords stored on a system),
WebBrowserPassView (a password recovery tool that captures passwords
stored by browsers, including Internet Explorer and Firefox Mozilla),
Mail PassView (a password recovery tool for various email clients,
including Microsoft Outlook and Windows mail), Outlook scraper (a tool
that scrapes names and email addresses from the victim’s Outlook
accounts) and a credential enumerator.

Evolution

This year, Symantec researchers have linked Emotet to threat group
Mealybug, a cybercrime actor that has been active since at least 2014.

Mealybug seems to have both expanded the trojan’s capabilities and its
targets to become what Symantec researchers call an “end-to-end
service for delivery of threats.”

“Mealybug’s shift from distributing its own banking trojan to a
relatively small number of targets, to acting primarily as a global
distributor of other groups’ threats, is interesting, and backs up an
observation we made… that threat actors are evolving and refining
their techniques and business model to maximize profits,” Symantec
researchers said in a recent blog post.

For instance, since February 2018, Emotet has been using its loader
function to spread the Quakbot malware family, known for behaving like
a network worm. The malware has also been reportedly distributing the
Ransom.UmbreCrypt ransomware, according to Symantec.

Emotet has also sharpened its capabilities and tactics, including the
utilization of third-party open source components. For instance, the
malware has built a communication protocol on top of Google’s
Protobug, which utilizes Lempel–Ziv–Markov (LZMA) compression. LZMA is
a chain algorithm used to perform lossless data compression. This
signifies a more sophisticated and complex level of understanding by
the threat actor, researchers at Check Point said in their report.

“Easy access to third-party libraries is known to be a powerful
stimulant for any development process, and discipline in design
definitely has its benefits, as well as its pitfalls,” they noted.
“Who knows — maybe in a few years we will see enterprise-grade malware
written in Java which invokes
RansomwareResourceMediator.getMediatorInstance() and
MoneroMinerFactory.getAbstractMiner().”

These new characteristics seem to be working for the malware –
especially more recently, when after a relatively quiet period in
2015, detections of Emotet surged in both the second half of 2017 and
the first half of 2018. Its targets have mainly been in the U.S. in
2018, said Symantec researchers.

Notably, in late 2017, Emotet was found acting as a dropper, putting
banking trojan IcedID on targeted systems. As recently as early July,
officials in Portsmouth, New Hampshire said that the Emotet malware
cost them $156,000 to remove after spreading to the city’s entire
computer network via phishing emails.

Best Practices

Symantec researchers said that to avoid Emotet, end users can adopt
multiple, overlapping and mutually supportive defensive systems to
guard against single-point failures in devices.

“This includes deployment of endpoint, email and web-gateway
protection technologies, as well as firewalls and vulnerability
assessment solutions,” they said.  “Always keep these security
solutions up-to-date with the latest protection capabilities.”

However  despite these mitigations, researchers seem to be in
agreement that Emotet will continue to evolve and launch costly
attacks in the future: “With its years of experience and sophisticated
ecosystem, Emotet seems to be here to stay,” Check Point researchers
cautioned.


More information about the BreachExchange mailing list