The Emotet crimeware is upping its game thanks to recent samples containing internal network propagation capabilities and the ability to scrape contact information from the victim’s Outlook.
It’s a recipe for potential virulence: As the recent Wannacry and Petya outbreaks have demonstrated, there’s immense potency involved in coupling malware with an on-board propagation component.
Emotet is a loader that has been observed in multiple campaigns globally, originally focused on credential theft, but also seen to have delivered banking trojans.
“It becomes an enterprise threat when it can propagate out, via mounted shares or the use of exploits or even both,” said researchers at Fidelis Threat Research, in an analysis. “The Wannacry and Petya campaigns have clearly demonstrated how inclusion of other techniques like credential dumpers (Mimikatz) and exploits (EternalBlue) can greatly accelerate propagation across enterprises…It stands to reason that crimeware authors have taken note of the broad impact observed in these particular events and are looking to incorporate spreader components in their toolkits.”
Emotet typically attacks via spam messages containing basic but effective social-engineering techniques.
“At first glance, these appear to be a fairly run-of-the-mill phishing campaigns complete with booby-trapped Word documents disguised as invoices,” said Barkly researchers, in a separate analysis. “But on further investigation, it appears Emotet is taking things a step further by scraping names and email addresses from victim Outlook accounts, then using that info to send out additional phishing emails from the compromised accounts.”
Barkly said that it specifically hones in on any email messages with an unread status, and collects the sender name and email address from each unread message. As a result, the emails in these campaigns look as though they've been sent from a contact the recipient knows and has emailed in the past, which naturally increases their effectiveness.
It gets worse: Emotet will continue the attack on the original infected device by stealing additional account credentials, including Google accounts and other web mail/messaging services, and FTP accounts saved in Internet Explorer.
Researchers from Fidelis have also observed recent variants of Emotet exercising internal network propagation capabilities, notably focused on credential brute-forcing.
“For over a month now we have had speculations that Emotet had a network spreader component, a technique that has recently gained in popularity for using leaked exploits involving the worming of multiple forms of malware that it was using primarily to spread in internal networks, with some notable exceptions scanning the internet as well,” the researchers said. “Tracking the Emotet deliveries over time, we finally discover a very odd standalone executable which is actually a self-extracting RAR file containing two files.”
That file is the spreader, containing a bypass component that enumerates network resources. It looks for servers, and for each one it finds it will try to brute the user accounts and the administrator account. To do this, it enumerates the normal user accounts with NetUserEnum, and with a list of usernames in hand it will then attempt to brute the passwords for each user with an onboard password list. If no successful accounts are bruted then the program will attempt the password list against the administrator account.
If an account is compromised, the program will then copy the service component over to the remote computer and add a new service using the account.
“If successful, this propagation technique significantly raises the impact of an Emotet infection. Rather than dealing with a single compromised machine, you could have infections throughout the organization to deal with,” Barkly noted. “Even if it isn't successful, because brute-forcing is involved, infections also introduce the risk of account lockouts en masse.”
This functionality should be seen as a sign of things to come as well.
Fidelis researchers concluded, “It seems to be a common trend lately for malware developers to add in functionality based on what’s in the news which recently has been filled with all things wormable, which could mean this might be a continued trend for malware in the future.”