CYBERSECURITY ADVISORY - Emotet botnet Resurgence

CYBERSECURITY ADVISORY – Emotet Resurgence – PATCH: NOW – TLP: WHITE

Home | Articles | IP Office Security Certificate Alert

Paul Bulmer, Director of Product, Maintel

19th September 2019

by Paul Bulmer

Director of Product, Maintel

ADVISORY NUMBER:                 MNTL-19-09-2019/1

DATE(S) ISSUED:                         19/September/2019

SUBJECT:                                    Emotet Resurgence

OVERVIEW

Initial Vector

One of the most notable characteristics of the latest campaign is the reuse of stolen email content to trick recipients into opening attached or linked-to Word documents containing malicious macros designed to fetch and execute Emotet.

Once Emotet has discovered a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads.

Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments. Its highly infectious nature makes it difficult to combat and has cost SLTT governments up to $1 million per incident to remediate due to its worm-like features resulting in rapid, network-wide infections.

Emotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other banking trojans. Additionally, Emotet is polymorphic allowing it to evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. The trojan uses modular Dynamic Link Libraries (DLL) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine (VM) aware and can generate false indicators if run in a virtual environment.

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

  • NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
  • Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
  • WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
  • Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
  • Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

THREAT INTELLIGENCE:

There are current reports of these vulnerabilities being exploited in and around Asia. (at the time of writing)

SYSTEMS AFFECTED:

  • Microsoft Windows (All variants)

RISK:

Government:

  • Large and medium government entities:     High
  • Small government entities:                              High

Businesses:

  • Large and medium business entities:            High
  • Small business entities:                                     High

Home users:                                                                      High 

TECHNICAL SUMMARY:

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient. The most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices. Initial infection occurs when a user opens or clicks the malicious download link, XML, PDF, or macro enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.

Note: It is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware.

EMOTET INDICATORS OF COMPROMISE (IOCs):

Email subject lines

  • Payment Remittance Advice
  • Numero Fattura 2019…

Malicious Word documents

  • eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b
  • fb25f35c54831b3641c50c760eb94ec57481d8c8b1da98dd05ba97080d54ee6a
  • bee23d63404d97d2b03fbc38e4c554a55a7734d83dbd87f2bf1baf7ed2e39e3e
  • 5d9775369ab5486b5f2d0faac423e213cee20daf5aaaaa9c8b4c3b4e66ea8224

Hacked websites hosting the Emotet binary

  • danangluxury.com/wp-content/uploads/KTgQsblu/
  • gcesab.com/wp-includes/customize/zUfJervuM/
  • autorepuestosdml.com/wp-content/CiloXIptI/
  • covergt.com/wordpress/geh7l30-xq85i1-558/
  • zhaoyouxiu.com/wp-includes/vxqo-84953w-5062/
  • rockstareats.com/wp-content/themes/NUOAajdJ/
  • inwil.com/wp-content/oyFhKHoe
  • inesmanila.com/cgi-bin/otxpnmxm-3okvb2-29756/
  • dateandoando.com/wp-includes/y0mcdp2zyq_lx14j2wh2-0551284557/

Emotet binaries

  • 8f05aa95aa7b2146ee490c2305a2450e58ce1d1e3103e6f9019767e5568f233e
  • 7080e1b236a19ed46ea28754916c43a7e8b68727c33cbf81b96077374f4dc205
  • 61e0ac40dc2680aad77a71f1e6d845a37ab12aa8cd6b638d2dbcebe9195b0f6
  • f5af8586f0289163951adaaf7eb9726b82b05daa3bb0cc2c0ba5970f6119c77a
  • 6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5

Post-infection traffic (C2s)

  • 187.155.233.46
  • 83.29.180.97
  • 181.36.42.205
  • 200.21.90.6
  • 123.168.4.66
  • 151.80.142.33
  • 159.65.241.220
  • 109.104.79.48
  • 43.229.62.186
  • 72.47.248.48
  • 190.1.37.125
  • 46.29.183.211
  • 91.205.215.57
  • 178.79.163.131
  • 187.188.166.192
  • 181.188.149.134
  • 125.99.61.162
  • 77.245.101.134
  • 138.68.106.4
  • 187.242.204.142
  • 190.19.42.131
  • 213.120.104.180
  • 149.62.173.247
  • 181.48.174.242
  • 80.85.87.122
  • 183.82.97.25
  • 185.86.148.222
  • 90.69.208.50
  • 91.83.93.124
  • 183.87.87.73
  • 62.210.142.58
  • 186.83.133.253
  • 109.169.86.13
  • 179.62.18.56
  • 81.169.140.14
  • 187.144.227.2
  • 69.163.33.82
  • 88.250.223.190
  • 190.230.60.129
  • 37.59.1.74
  • 203.25.159.3
  • 79.143.182.254
  • 200.57.102.71
  • 217.199.175.216
  • 201.219.183.243
  • 196.6.112.70
  • 200.58.171.51
  • 5.77.13.70
  • 217.113.27.158
  • 46.249.204.99
  • 159.203.204.126
  • 170.247.122.37
  • 200.80.198.34
  • 62.75.143.100
  • 89.188.124.145
  • 143.0.245.169
  • 190.117.206.153
  • 77.122.183.203
  • 46.21.105.59
  • 181.39.134.122
  • 86.42.166.147
  • 23.92.22.225
  • 179.12.170.88
  • 182.76.6.2
  • 201.250.11.236
  • 86.98.25.30
  • 198.199.88.162
  • 178.62.37.188
  • 92.51.129.249
  • 92.222.125.16
  • 142.44.162.209
  • 92.222.216.44
  • 138.201.140.110
  • 64.13.225.150
  • 182.176.132.213
  • 37.157.194.134
  • 206.189.98.125
  • 45.123.3.54
  • 45.33.49.124
  • 178.79.161.166
  • 104.131.11.150
  • 173.212.203.26
  • 88.156.97.210
  • 190.145.67.134
  • 144.139.247.220
  • 159.65.25.128
  • 186.4.172.5
  • 87.106.136.232
  • 189.209.217.49
  • 149.202.153.252
  • 78.24.219.147
  • 125.99.106.226
  • 95.128.43.213
  • 47.41.213.2
  • 37.208.39.59
  • 185.94.252.13
  • 212.71.234.16
  • 87.106.139.101
  • 188.166.253.46
  • 175.100.138.82
  • 85.104.59.244
  • 62.75.187.192
  • 91.205.215.66
  • 136.243.177.26
  • 190.186.203.55
  • 162.243.125.212
  • 91.83.93.103
  • 217.160.182.191
  • 94.205.247.10
  • 211.63.71.72
  • 41.220.119.246
  • 104.236.246.93
  • 117.197.124.36
  • 75.127.14.170
  • 31.12.67.62
  • 169.239.182.217
  • 179.32.19.219
  • 177.246.193.139
  • 31.172.240.91
  • 152.169.236.172
  • 201.212.57.109
  • 222.214.218.192
  • 87.230.19.21
  • 46.105.131.87
  • 182.176.106.43

Book a security assessment today

RECOMENDATIONS:

We recommend that we adhere to the following general best practices, to limit the effect of Emotet and similar malspam in our organization.

  • Use Group Policy to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At a minimum create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
  • Use antivirus programs on clients and servers, with automatic updates of signatures and software.
  • Disable all macros except those which are digitally signed.
  • Apply appropriate patches and updates immediately after appropriate testing.
  • Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • If you do not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security and/or IT departments.
  • Mark external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails.
  • Provide social engineering and phishing training to employees. Urge them to not open suspicious emails, click links contained in such emails, post sensitive information online, and to never provide usernames, passwords and/or personal information to any unsolicited request. Teach users to hover over a link with their mouse to verify the destination prior to clicking on the link.
  • Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
  • Adhere to best practices, such as those described in the CIS Controls, which are part of the CIS SecureSuite.

If a user opened a malicious email or an infection is believed to exist, we recommend running an antivirus scan on the system and take action based on the results to isolate the infected computer. If multiple machines are infected:

  • Consider temporarily taking the network offline to perform identification, prevent reinfections, and stop the spread of the malware. Emotet could be dropping malware with Remote Access Trojan (RAT) capabilities damaging the integrity of the overall network.
  • Identify, shutdown, and take the infected machines off the network.
  • Do not log in to infected systems using a domain or shared local admin accounts.
  • After reviewing systems for Emotet indicators, reimage and move clean systems to a containment VLAN, segregated from the infected network.
  • Issue password resets for both domain and local credentials.
  • As Emotet scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machine(s).
  • Review log files and the Outlook mailbox rules associated with the user account to ensure further compromises have not occurred. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach.
  • Search base64 encoded network stream data referencing the organization’s email domain. If references are found, perform additional analysis to see if a data breach has occurred.

REFERENCES:

CISA:

https://www.us-cert.gov/ncas/alerts/TA18-201A

Mitre:

https://attack.mitre.org/software/S0367/ 

MalwareBytes: 

https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/

We will continue to post updates as the remediation work progresses.

Paul Bulmer