Glimpsing Inside the Trojan Horse: An Insider Analysis of Emotet

Banking trojans are rapidly on the rise. In 2018, Darktrace detected a 239% year-on-year uptick in incidents related specifically to banking trojans and one in particular, Emotet, is among the costliest and most destructive malware variants currently imperiling governments and companies worldwide.

Emotet is highly sophisticated malware with a modular architecture: it installs its main component first and then delivers additional payloads. Adding to its stealth, Emotet is polymorphic, constantly changing its identifiable features to evade signature-based detection, and it has worm-like self-propagation abilities, which together make it uniquely resilient and dangerous.

Since its first detection in 2014, Emotet has been adapted and repurposed on numerous occasions as its targets have diversified. Initially, Emotet’s primary victims were German banks, from which the malware was designed to steal financial information by intercepting network traffic. By this past year’s end, Emotet had spread far and wide while shifting focus to U.S. targets, resulting in permanently lost files, costly business interruptions, and serious reputational harm.

How Emotet works
Emotet spreads by targeting Windows-based systems via social engineering techniques. For instance, the latest versions of Emotet were delivered by way of Thanksgiving-themed emails. These emails contained Microsoft Word documents, either linked or attached directly, that act as vectors for malicious macros, which must be explicitly enabled by the user before they can execute.

For security reasons, macros are disabled by default in most recent Microsoft Office versions. Once the user enables macros, the Word document’s macro runs a PowerShell command that retrieves the main Emotet component from compromised servers. The trojan payload is then downloaded and executed on the victim’s system.

How Emotet persists and propagates
Once Emotet has been executed on the victim’s device, it begins deploying itself with two main objectives: (1) achieving persistence and (2) spreading to more machines. To achieve the first aim, which involves resisting a reboot and various attempts at removal, Emotet does the following:

  • Creates scheduled tasks and registry key entries, ensuring its automatic execution during every system start-up.
  • Registers itself by creating files that have randomly generated names in system root directories, which are run as Windows services.
  • Typically stores payloads in paths located off AppData\Local and AppData\Roaming directories that it masks with names that appear legitimate, such as ‘flashplayer.exe’.

Emotet’s second key goal is to spread across local networks and beyond in order to infect as many machines as possible. To this end, Emotet first gathers information on the victim’s system and the operating system it runs. Following this reconnaissance stage, it establishes encrypted command and control (C&C) communications with its parent infrastructure before determining which payloads it will deliver. After reporting a new infection, Emotet downloads modules from the C&C servers, including:

  • WebBrowserPassView: A tool that steals passwords from most common web browsers like Chrome, Safari, Firefox and Internet Explorer.
  • NetPass.exe: A legitimate tool that recovers all the network passwords stored on the system for the current logged-on user.
  • MailPassView: A tool that reveals passwords and account details for popular email clients, such as Hotmail, Gmail, Microsoft Outlook, and Yahoo! Mail.
  • Outlook PST scraper: A module that searches Outlook’s messages to obtain names and email addresses from the victim’s Outlook account.
  • Credential enumerator: A module that enumerates network resources and attempts to gain access to other machines via SMB enumeration and brute-forcing connections.
  • Banking trojans: These include Dridex, IcedID, Zeus Panda, TrickBot and Qakbot, all of which harvest banking account information via browser monitoring routines.

Whilst the WebBrowserPassView, NetPass.exe and MailPassView modules are able to steal the compromised user’s credentials, the PST scraper module can ransack the user’s contact list of friends, family members, colleagues and clients, enabling Emotet to self-propagate by sending phishing emails to those contacts.

Emotet’s other self-propagation method is brute-forcing credentials using various password lists, with the intent of gaining access to other machines within the network. When unsuccessful, the malware’s repeated failed login attempts can lock users out of their accounts; when successful, the victims may become infected without ever clicking a malicious link or attachment. These tactics have collectively made Emotet remarkably durable and widespread.

How AI fights back
Unlike traditional tools, artificial intelligence (AI) based security, particularly systems leveraging unsupervised machine learning algorithms, can detect cyber-threats that have already infiltrated the network. Often, these work by learning the individual ‘pattern of life’ of every user, device, and network they safeguard.

From this ever-evolving sense of ‘self,’ these systems can, over time, differentiate between normal and anomalous behavior.

For example, Darktrace’s AI models detected a machine that was experiencing active signs of an Emotet infection. The device was observed downloading a suspicious file and, shortly thereafter, began beaconing to a rare external destination, likely reporting the infection to a C&C server.
The device was then observed moving laterally across the network by performing brute-force activity. Thousands of failed Kerberos logins, including against administrative accounts, were detected, as well as multiple SMB session failures that used a range of common usernames, such as ‘admin’ and ‘exchange’.

In addition to the brute-forcing activity performed by the credential enumerator module, another payload, potentially functioning as an email spammer, was also detected. The infected machine started to make a high number of outgoing connections over common email ports. This activity is consistent with Emotet’s typical spreading behavior, which revolves around sending emails to the victim’s hijacked email contacts.
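As an added example (not Darktrace’s code or the article’s), the following Python flags a host showing the two network indicators described above: a burst of failed Kerberos/SMB logins spread across many usernames, and a spike of outbound connections on mail ports. The key=value log format, the thresholds and the sample events are all constructed assumptions for this illustration.

```python
from collections import defaultdict

MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS and submission ports
COMMON_USERS = {"admin", "administrator", "exchange", "guest", "test"}

def parse_line(line):
    """Parse an assumed 'src=<host> kind=<kerberos_fail|smb_fail|tcp> user=<u> dport=<n>' line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": fields["src"],
        "kind": fields["kind"],
        "user": fields.get("user"),
        "dport": int(fields["dport"]) if "dport" in fields else None,
    }

def score_hosts(lines, fail_min=20, users_min=5, mail_min=30):
    """Return {host: [findings]} for hosts matching the Emotet lateral-movement pattern."""
    fails, users, mail = defaultdict(int), defaultdict(set), defaultdict(int)
    for ev in map(parse_line, lines):
        if ev["kind"] in ("kerberos_fail", "smb_fail"):
            fails[ev["src"]] += 1                      # credential enumerator noise
            users[ev["src"]].add((ev["user"] or "").lower())
        elif ev["kind"] == "tcp" and ev["dport"] in MAIL_PORTS:
            mail[ev["src"]] += 1                       # possible spam module
    findings = defaultdict(list)
    for host in set(fails) | set(mail):
        # Many failures AND many distinct usernames distinguishes enumeration from a user's typos.
        if fails[host] >= fail_min and len(users[host]) >= users_min:
            hit = sorted(users[host] & COMMON_USERS)
            findings[host].append(f"credential brute force: {fails[host]} failures over "
                                  f"{len(users[host])} usernames (common names: {hit})")
        if mail[host] >= mail_min:
            findings[host].append(f"outbound mail spike: {mail[host]} connections to {sorted(MAIL_PORTS)}")
    return dict(findings)

def constructed_sample():
    """Constructed events: ws-17 enumerates accounts then spams; ws-04 is a benign user."""
    names = ["admin", "exchange", "administrator", "guest", "test", "backup"]
    lines = [f"src=ws-17 kind=kerberos_fail user={names[i % len(names)]}" for i in range(60)]
    lines += [f"src=ws-17 kind=smb_fail user={names[i % 3]}" for i in range(12)]
    lines += [f"src=ws-17 kind=tcp dport={[25, 587][i % 2]}" for i in range(40)]
    lines += ["src=ws-04 kind=kerberos_fail user=jsmith"] * 3   # a few typos, one account
    lines += ["src=ws-04 kind=tcp dport=443"] * 10               # ordinary web traffic
    return lines

if __name__ == "__main__":
    for host, notes in score_hosts(constructed_sample()).items():
        print(host, *notes, sep="\n  ")
```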

By forming a comprehensive understanding of what constitutes a normal pattern of life on a network, AI-enhanced cybersecurity can successfully detect infections or breaches even if caused by a new strain of malware not seen before.

Using AI-enabled platforms allows analysts to instantly identify potential threats and network-based indicators related to an attack. They can also generate additional, host-based indicators to supplement an organization’s investigation, without the need for exhaustive data collection and offline parsing by an analyst.

As the cyber threat landscape continues to expand, with many threats evolving and spawning multiple variations, businesses will soon have no choice but to work with AI to keep up and mitigate threats, however subtle.
