Emotet has returned after a period of dormancy, expanding its toolkit with new evasion and propagation methods and heavily leveraging phishing campaigns to drop multiple payloads. It now features an SMB spreader for lateral movement, a Chrome data-stealer module, Heaven’s Gate-based process injection, and endgame payloads like IcedID and Bumblebee, continuing to act as a MaaS distributor. #Emotet #Epoch4 #Epoch5 #Cryptolaemus #IcedID #Bumblebee
Key points
- Emotet re-emerged in November 2022 after a pause, with Epoch4 and Epoch5 botnets restarting spam campaigns.
- A new SMB spreader module enables lateral movement by impersonating the logged-on user and brute-forcing the IPC$ share with hardcoded lists of common usernames and passwords.
- The SMB spreader enumerates network resources via Windows APIs, then tries to connect to the ADMIN$ and C$ shares, copies the Emotet loader there and launches it as a service.
- Emotet now includes a Chrome data-stealer module to exfiltrate financial information, in addition to existing browser credential theft capabilities.
- Heaven’s Gate 64-bit injection followed by process hollowing is used to load modules into legitimate processes while evading defenses.
- Phishing emails carry macro-enabled Excel attachments; social engineering that gets the victim to bypass Mark-of-the-Web (MOTW) protection enables macro execution and deploys the dropper.
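The lateral-movement chain in the two SMB spreader points above (brute-force against IPC$, then ADMIN$/C$ access, then a service install on the target) can be turned into a correlation rule. The following is an added defender-side example, not code from the report or from Emotet: it assumes the telemetry is Windows Security events 4625 (logon failure) and 5140 (network share accessed) plus System event 7045 (service installed), and the log records, field names and threshold are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}  # shares the loader is copied to, per the report

def parse_event(line):
    """Parse one constructed 'timestamp|event_id|key=value|...' record."""
    ts, event_id, *fields = line.strip().split("|")
    rec = {"ts": datetime.fromisoformat(ts), "id": int(event_id)}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def detect_smb_spreader(lines, min_failures=5, window=timedelta(minutes=15)):
    """Return (src, host, service) tuples showing the full chain: at least
    min_failures logon failures (4625) from src, then ADMIN$/C$ access (5140)
    by src on host, then a service install (7045) on host, all inside window."""
    events = sorted((parse_event(l) for l in lines), key=lambda r: r["ts"])
    failures = defaultdict(list)  # src -> timestamps of failed logons
    alerts, seen = [], set()
    for e in events:
        if e["id"] == 4625:
            failures[e.get("src")].append(e["ts"])
        elif e["id"] == 5140 and e.get("share") in ADMIN_SHARES:
            recent = [t for t in failures[e.get("src")] if e["ts"] - t <= window]
            if len(recent) < min_failures or (e.get("src"), e["host"]) in seen:
                continue
            # brute force followed by admin-share access: now look for the service install
            for later in events:
                if (later["id"] == 7045 and later["host"] == e["host"]
                        and timedelta(0) <= later["ts"] - e["ts"] <= window):
                    alerts.append((e.get("src"), e["host"], later.get("service")))
                    seen.add((e.get("src"), e["host"]))
                    break
    return alerts

SAMPLE_LOG = [  # constructed records, not real telemetry
    "2023-01-10T09:00:01|4625|host=WS02|src=10.0.0.15|user=administrator",
    "2023-01-10T09:00:02|4625|host=WS02|src=10.0.0.15|user=admin",
    "2023-01-10T09:00:03|4625|host=WS02|src=10.0.0.15|user=user",
    "2023-01-10T09:00:04|4625|host=WS02|src=10.0.0.15|user=guest",
    "2023-01-10T09:00:05|4625|host=WS02|src=10.0.0.15|user=test",
    "2023-01-10T09:00:09|5140|host=WS02|src=10.0.0.15|share=IPC$",
    "2023-01-10T09:00:10|5140|host=WS02|src=10.0.0.15|share=ADMIN$",
    "2023-01-10T09:00:12|7045|host=WS02|service=Updater",
    "2023-01-10T09:30:00|5140|host=WS03|src=10.0.0.5|share=C$",  # routine admin access, no alert
]

if __name__ == "__main__":
    for src, host, svc in detect_smb_spreader(SAMPLE_LOG):
        print(f"SMB spreader pattern: {src} -> {host}, service '{svc}' installed")
```

The routine C$ access from 10.0.0.5 is not flagged because it is not preceded by a burst of failed logons, which is what separates the spreader's brute-force-then-copy behaviour from normal administration.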
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Phishing emails lure victims into opening .xls attachments whose macros download the Emotet dropper. “phishing emails used to lure victims into downloading … macros used to download the Emotet dropper.”
- [T1059.005] Visual Basic / Macro – Macros in Excel used to download and execute the Emotet dropper. “macros used to download the Emotet dropper.”
- [T1117] Regsvr32 – Execution of the Emotet loader via regsvr32.exe. “Figure 8 – Execution of Emotet dropper via regsvr32.exe.”
- [T1055.012] Process Injection: Process Hollowing – Heaven’s Gate injection followed by hollowing to run malicious code in a hijacked process. “Heaven’s Gate… process hollowing to suspend a legitimate process, then remap its image with malicious code.”
- [T1021.002] SMB/Windows Admin Shares – Lateral movement using an SMB spreader that enumerates resources and brute-forces IPC$ shares. “enumerating network resources using the WinAPIs… brute-forcing the IPC$ share.”
- [T1135] Network Share Discovery – Discovery of remote servers and shares via WinAPI calls (WNetOpenEnumW, WNetEnumResourceW, NetUserEnum). “enumerating network resources … NetUserEnum WinAPI.”
- [T1110] Brute Force – Brute-forcing IPC$ shares with a list of common usernames and passwords. “hardcoded lists (one of common usernames, another of common passwords)… bruteforcing the IPC$ share.”
- [T1543.003] Create/Modify System Process: Windows Service – Loader copies to a share and launches as a service. “copies the Emotet loader to said share and launches it as a service.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via a registry key. “Registry key created for persistence.”
- [T1555.003] Credentials in Web Browsers – Chrome data-stealer module targeting stored credit card information. “evidence of credit card exfiltration from Chrome.”
- [T1059.001] PowerShell – Bumblebee payload delivered via PowerShell script. “PowerShell script that reaches out to a separate URL to download and execute the Bumblebee DLL.”
- [T1218.011] Rundll32 – Execution of Bumblebee via rundll32.exe. “…download and execute the Bumblebee DLL using rundll32.exe.”
Indicators of Compromise
- [File hash] Emotet-related bait and loader – EF2CE641A4E9F270EEA626E8E4800B0B97B4A436C40E7AF30AEB6F02566B809C, 199A2E0E1BB46A5DD8EB3A58AA55DE157F6005C65B70245E71CECEC4905CC2C0, and 2 more hashes
- [File hash] Emotet dropper and SMB spreader indicators – BB444759E8D9A1A91A3B94E55DA2AA489BB181348805185F9B26F4287A55DF36, F6485AEF4BE4CB0EC50317B7F87694FB775F81733AF64C9BC6050F6806504207
- [File hash] SMB spreader module – 3D8F8F406A04A740B8ABB1D92490AFEF2A9ADCD9BEECB13AECF91F53AAC736B4
- [File hash] IcedID Trojan – 05A3A84096BCDC2A5CF87D07EDE96AFF7FD5037679F9585FEE9A227C0D9CBF51
- [URL] Malicious URLs used for downloading Emotet – hxxp://audioselec[.]com/about/dDw5ggtyMojggTqhc/, hxxp://geringer-muehle[.]de/wp-admin/G/, and 7 more URLs
- [URL] Malicious URL used for downloading IcedID – hxxps[:]//bayernbadabum[.]com/botpack[.]dat
Read more: https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion