Guess who's back

Nov 15, 2021 •
Luca Ebach
Luca Ebach's Bild

Deactivated

Luca Ebach

Deactivated since: 2023

Emotet,malware,trickbot

tl;dr: Emotet

The (slighty) longer story:
On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Please find first results and IOCs below. Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.

We are still conducting more in-depth analyses to raise the confidence even further. New information will be provided as they become available.

Initial Analysis

Sunday, November 14, 9:26pm: first occurence of the URLs being dropped; the URL we received was hxxp://141.94.176.124/Loader_90563_1.dll (SHA256 of the drop: c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01). Internal processing detected Emotet when executing the sample in our sandbox systems. Notably, the sample seems to have been compiled just before the deployment via several Trickbot botnets was observed: Timestamp : 6191769A (Sun Nov 14 20:50:34 2021)

The network traffic originating from the sample closely resembles what has been observed previously (e.g. as described by Kaspersky): the URL contains a random resource path and the bot transfers the request payload in a cookie (see image below). However, the encryption used to hide the data seems different from what has been observed in the past. Additionally, the sample now uses HTTPS with a self-signed server certificate to secure the network traffic.

Network Traffic originating from the DLL
Figure 1: Network Traffic originating from the DLL

A notable characteristic of the last Emotet samples was the heavy use of control-flow flattening to obfuscate the code. The current sample also contains flattened control flows. To illustrate the similarity in the style of the obfuscation, find two arbitrary code snippets below. Figure 2 is a sample from 2020, Figure 3 is a snippet from the current sample:

Emotet sample from 2020
Figure 2: Emotet sample from 2020
Logo
Figure 3: Current Emotet sample

Conclusion (so far)

As per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet - seems to be Emotet.

We are currently updating our internal tooling for the new sample to provide more indicators to strengthen the claim that Emotet seems to be back.

IOCs

    URLs:
    hxxp://141.94.176.124/Loader_90563_1.dll
    
    Hashes:
    c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01 - Loader_90563_1.dll
    
    Server List:
    81.0.236.93:443
    94.177.248.64:443
    66.42.55.5:7080
    103.8.26.103:8080
    185.184.25.237:8080
    45.76.176.10:8080
    188.93.125.116:8080
    103.8.26.102:8080
    178.79.147.66:8080
    58.227.42.236:80
    45.118.135.203:7080
    103.75.201.2:443
    195.154.133.20:443
    45.142.114.231:8080
    212.237.5.209:443
    207.38.84.195:8080
    104.251.214.46:8080
    138.185.72.26:8080
    51.68.175.8:8080
    210.57.217.132:8080
    
    String List:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    POST
    %s\rundll32.exe "%s",Control_RunDLL
    Control_RunDLL
    %s\%s
    %s\%s
    %s\%s%x
    %s%s.exe
    %s\%s
    SHA256
    HASH
    AES
    Microsoft Primitive Provider
    ObjectLength
    KeyDataBlob
    %s\rundll32.exe "%s\%s",%s
    Content-Type: multipart/form-data; boundary=%s
    
    RNG
    %s%s.dll
    %s\rundll32.exe "%s",Control_RunDLL
    %s%s.dll
    %s\regsvr32.exe -s "%s"
    %s\%s
    %s%s.exe
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    %s\rundll32.exe "%s\%s",%s
    ECCPUBLICBLOB
    ECDH_P256
    Microsoft Primitive Provider
    ECCPUBLICBLOB
    Cookie: %s=%s
    
    %s\rundll32.exe "%s\%s",%s
    %s:Zone.Identifier
    %u.%u.%u.%u
    %s\%s
    %s\*
    %s\%s
    WinSta0\Default
    %s\rundll32.exe "%s",Control_RunDLL %s
    %s%s.dll
    ECCPUBLICBLOB
    ECDSA_P256
    Microsoft Primitive Provider
    %s\%s
    SHA256
    Microsoft Primitive Provider
    ObjectLength