The (slighty) longer story:
On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Please find first results and IOCs below. Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.
We are still conducting more in-depth analyses to raise the confidence even further. New information will be provided as they become available.
Sunday, November 14, 9:26pm: first occurence of the URLs being dropped; the URL we received was
hxxp://184.108.40.206/Loader_90563_1.dll (SHA256 of the drop:
c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01). Internal processing detected Emotet when executing the sample in our sandbox systems. Notably, the sample seems to have been compiled just before the deployment via several Trickbot botnets was observed:
Timestamp : 6191769A (Sun Nov 14 20:50:34 2021)
The network traffic originating from the sample closely resembles what has been observed previously (e.g. as described by Kaspersky): the URL contains a random resource path and the bot transfers the request payload in a cookie (see image below). However, the encryption used to hide the data seems different from what has been observed in the past. Additionally, the sample now uses HTTPS with a self-signed server certificate to secure the network traffic.
A notable characteristic of the last Emotet samples was the heavy use of control-flow flattening to obfuscate the code. The current sample also contains flattened control flows. To illustrate the similarity in the style of the obfuscation, find two arbitrary code snippets below. Left side is a sample from 2020, on the right is a snippet from the current sample:
Conclusion (so far)
As per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet – seems to be Emotet.
We are currently updating our internal tooling for the new sample to provide more indicators to strengthen the claim that Emotet seems to be back.
URLs: hxxp://220.127.116.11/Loader_90563_1.dll Hashes: c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01 - Loader_90563_1.dll Server List: 18.104.22.168:443 22.214.171.124:443 126.96.36.199:7080 188.8.131.52:8080 184.108.40.206:8080 220.127.116.11:8080 18.104.22.168:8080 22.214.171.124:8080 126.96.36.199:8080 188.8.131.52:80 184.108.40.206:7080 220.127.116.11:443 18.104.22.168:443 22.214.171.124:8080 126.96.36.199:443 188.8.131.52:8080 184.108.40.206:8080 220.127.116.11:8080 18.104.22.168:8080 22.214.171.124:8080 String List: SOFTWARE\Microsoft\Windows\CurrentVersion\Run POST %s\rundll32.exe "%s",Control_RunDLL Control_RunDLL %s\%s %s\%s %s\%s%x %s%s.exe %s\%s SHA256 HASH AES Microsoft Primitive Provider ObjectLength KeyDataBlob %s\rundll32.exe "%s\%s",%s Content-Type: multipart/form-data; boundary=%s RNG %s%s.dll %s\rundll32.exe "%s",Control_RunDLL %s%s.dll %s\regsvr32.exe -s "%s" %s\%s %s%s.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run %s\rundll32.exe "%s\%s",%s ECCPUBLICBLOB ECDH_P256 Microsoft Primitive Provider ECCPUBLICBLOB Cookie: %s=%s %s\rundll32.exe "%s\%s",%s %s:Zone.Identifier %u.%u.%u.%u %s\%s %s\* %s\%s WinSta0\Default %s\rundll32.exe "%s",Control_RunDLL %s %s%s.dll ECCPUBLICBLOB ECDSA_P256 Microsoft Primitive Provider %s\%s SHA256 Microsoft Primitive Provider ObjectLength