Research Saturday 8.31.19
Ep 100 | 8.31.19

Emotet's updated business model.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Alex Holland: [00:01:53] Emotet was first discovered in the wild in 2014, and originally it was a classic banking Trojan.

Dave Bittner: [00:02:02] That's Alex Holland. He's a malware analyst at Bromium. The research we're discussing today is titled, "Emotet: A Technical Analysis of the Destructive, Polymorphic Malware."

Alex Holland: [00:02:14] Interestingly, from 2017 onwards we noticed that it began distributing other families of malware. What we think is interesting about Emotet is that the change in its tactics, techniques, and procedures perhaps reflects its change in business model. And it's building upon some research from the UK's National Cyber Security Centre. What they did in 2017 was put together a business model for a typical banking Trojan operation. That was appropriate for that time and it's really excellent – I encourage people to go out and read it to understand all the actors involved in a banking Trojan operation.

Alex Holland: [00:02:58] But what we've done here is that we've actually updated that business model to account for malware-as-a-service. And what we mean by that is different actors, different groups, collaborating with one another. So, just as we've seen Emotet stop using its own homegrown banking Trojan module and seen it distributing other families of malware, we're saying that this is indicative of a new type of malware distribution business model.

Dave Bittner: [00:03:36] Well, so let's go through some of Emotet's capabilities. Why don't we start out when Emotet first came on the scene – which was, I believe, back in 2014 – what sort of capabilities did it have and what did it seem to be up to?

Alex Holland: [00:03:51] Your kind of standard banking Trojan activity. So, typically what would happen is that you would have a man-in-the-browser attack. So, Emotet would intercept a victim's browsing session and then inject HTML in order to steal funds from targeted banks. So, originally we saw Emotet target Swiss and German banks, and then later expanded out to other regions.

Dave Bittner: [00:04:24] And so, with this shift to being more of malware-as-a-service business model, has the targeting broadened?

Alex Holland: [00:04:34] Yeah, definitely. We've seen Emotet definitely develop from being targeted to specific customers, customers of specific banks, to mass malicious spam campaigns that are broadly targeted to businesses rather than individuals, but are across different verticals.

Dave Bittner: [00:04:59] So, let's run through some of its current capabilities there. What sorts of things is Emotet capable of?

Alex Holland: [00:05:05] It can brute force weak passwords – it has a built-in passwords list and a dictionary. It also uses third-party tools to recover credentials from web browsers, email clients, network credentials, as well. It also has a great deal of capability in terms of stealing email address books, and this is kind of crucial to how it's so effective at phishing. So, as well as email addresses, it also has begun to steal the email body content, and that allows it to construct more plausible and convincing phishing lures.

Dave Bittner: [00:05:51] And is that happening in an automated way?

Alex Holland: [00:05:54] Yes. Yes, so it's happening in an automated way. So, typically a user will receive a reply from an email address that they think they've previously had a conversation with. And so there is an inherent trust, in that I've already spoken to this person. And combined with a generic message about an invoice that hasn't been paid, it could cause, say, a business to click on that link and trigger the first stage of the Emotet infection chain.

Dave Bittner: [00:06:30] Well, we're going to walk through the various steps of that infection chain, but before we do, let's go through some of the capabilities that Emotet has in terms of its anti-analysis features. What's going on there?

Alex Holland: [00:06:43] Yeah, so Emotet is polymorphic in nature, in that the packer that's used to obfuscate the Trojan changes each time it's used, so it's actually quite difficult to write a generic signature for the Trojan because of the way it's packed. The research we've done has uncovered some of what we think are quite high-fidelity indicators to detect the use of Emotet's packer. And we can go more into that later about its use of particular APIs, and in fact kind of nonsensical API calls, which kind of give it away. Emotet's developers have really put in a lot of effort to encrypt and hide the true nature of the Trojan. And I think that's testament to the amount of money and time that's been spent on this project.

Alex Holland: [00:07:50] So, for example, its imports and function names are encrypted, which is a fairly standard obfuscation technique for malware. It also has a multi-stage initialization procedure, whereby one Emotet process will actually inject itself into another, but in a different region of memory. And finally, of course, the C2 channel is encrypted. And we've seen a development over time in that capability. So, originally Emotet used fairly basic RC4 encryption – a type of symmetric key encryption. But now, Emotet uses AES combined with RSA encryption, which is much more difficult to intercept.

Dave Bittner: [00:08:37] Well, let's walk through the lifecycle of an infection together. How does it begin? How am I likely to find myself infected with Emotet?

Alex Holland: [00:08:48] Yeah, so Emotet arrives as hyperlinks linking to malicious documents or as attachments to emails. We've seen different types of document downloaders used for Emotet, the most common being Microsoft Word 2003 documents. But we've also seen JavaScript, XML document formats, and PDFs.

Dave Bittner: [00:09:20] You download a document, and it's typically something that's in a Microsoft Word format. And then there's a little bit of, I don't know, social engineering, or they influence you to enable the ability to run macros. What's going on there?

Alex Holland: [00:09:38] Yeah, so this is a really common conceit used by malware to trick users into running VBA macros – Visual Basic Application macros. Typically, your downloader will be commodity malware used by a wide range of threat actors. Emotet have made the phishing lure as generic as possible so that they can target as wide as possible an audience.

Dave Bittner: [00:10:04] Hmm.

Alex Holland: [00:10:05] So, they use – typically, it's a generic kind of banner that says that you can't view this version of this document, and then they prompt the user to enable macros.

Dave Bittner: [00:10:17] So really taking advantage of the user's curiosity in a very sort of benign way?

Alex Holland: [00:10:25] Yeah, so, I mean, the phishing emails will prompt the user to actually open the attachment, because normally the phishing lure itself will be, "this is an invoice" or a compensation claim – something vaguely financial that might spark the interest of somebody.

Dave Bittner: [00:10:49] So, they trick you into enabling the execution of a VBA macro. What happens next?

Alex Holland: [00:10:56] Yeah. So, at this stage, this is a straightforward downloader. And so, the simple purpose of the downloader is to download the main Emotet payload. And to bypass detection the downloader uses various obfuscation techniques – so, string concatenation, ultimately to hide its intent. 

Dave Bittner: [00:11:23] And then it runs something in PowerShell?

Alex Holland: [00:11:26] Yeah, that's right. So, again, this is a common way for malware to actually download payloads by using PowerShell's web APIs.

Dave Bittner: [00:11:38] And there's some obfuscation going on there as well?

Alex Holland: [00:11:41] That's right. So, typically, we see Base64 and compression used.

Dave Bittner: [00:11:49] And so, at this point now we're actually getting to the point of downloading the Emotet loader itself?

Alex Holland: [00:11:55] Yeah, so this is really where it gets interesting and sets Emotet apart. I think one of the things which benefits Emotet is that the phishing campaigns are so high-volume and so far-reaching that they get a good infection rate from that. They're not necessarily the most clever in terms of using sophisticated downloaders – I think they're relying on scale to infect as many machines as possible.

Dave Bittner: [00:12:25] And so, can you walk us through what sort of functionality the loader has itself? What it's up to?

Alex Holland: [00:12:31] Yeah, sure. So, it has a fairly complex initialization process. So, for example, it will launch a child process of itself, and then it will do that by using the Windows Service API, and then it will actually register itself as a service. And it will then, at a high level, connect back to the C2 and start sending reconnaissance data, information about the machine.

Dave Bittner: [00:13:02] Now, there's some interesting things going on with the packer itself. I mean, the packer – there are things about the packer that allow you to come to a conclusion as to what it's up to?

Alex Holland: [00:13:13] Like most packed samples of malware, when you look at a regular portable executable file, it conforms to certain expectations and characteristics, whereas a packed executable will look different. So, the most basic example would be the use of encrypted data will impact the entropy of the different sections in that PE file.

Dave Bittner: [00:13:40] I see. So, let's move on to the unpacking and initialization procedure. Walk us through what goes on there.

Alex Holland: [00:13:48] When we were looking at the packer, we noticed that early on during the packer decryption process, there's a check for a specific registry key, and it's done by a call to RegOpenKeyA. And we found that if the key does not exist on the system, then the malware either terminates itself or enters an infinite loop.

Dave Bittner: [00:14:16] And is that an error in the coding? I mean, is that intentional? What do you think's going on there?

Alex Holland: [00:14:22] We actually think it's a deliberate check in the packing code. Now, we're not sure why exactly it's there, but we know that it's a useful indicator for network defenders to know about.

Dave Bittner: [00:14:39] So, can you give us a bit of an overview of what's going on in terms of how it's injecting itself into different memory spaces, and those sorts of things?

Alex Holland: [00:14:50] It does two things. The first thing it does is that it creates this child process – another Emotet process – and then injects itself into that process. And then it resolves a number of API names that it can then use. And interestingly, after that, it makes a GetProcAddress call for an invalid function name. That is to say, it tries to resolve a function that doesn't exist.

Alex Holland: [00:15:17] And this was really interesting to us because, again, it looks like it could be a coding error, but the string is unique enough that we feel it can be used as quite a high-fidelity indicator for network defenders.

Dave Bittner: [00:15:33] Yeah, I mean, it's interesting too, given the – I guess it's fair to say, the overall sophistication of everything that's going on here. If it is a coding error, which sort of shows that even at that level of sophistication, mistakes are still made.

Alex Holland: [00:15:47] Yeah, it could be a coding error, or it might just be something we don't understand about how Emotet is coded. I'm also open to that possibility. But we can definitely use this as an indicator that Emotet is initializing.

Alex Holland: [00:16:05] So, so far we have two high-fidelity indicators. We have one based in the packer – we know it makes a registry check for quite a specific registry key, that if we can monitor or even block access to, we can either detect Emotet's packer, or we can even stop it from even unpacking. And then the second is this one, which is a GetProcAddress call for an invalid function name, which detects Emotet further down the line during its initialization process.

Alex Holland: [00:16:39] If, for example, in your enterprise you're monitoring API calls, then you can create a rule to detect this particular API call.

Dave Bittner: [00:16:49] So, once we get through this whole process of Emotet installing itself, getting itself up and running, what is the ultimate functionality here? What's going on on my system when a fully functional running copy of Emotet is having at it?

Alex Holland: [00:17:08] So, there are a few things here. Back in 2014, when we saw Emotet being used as a banking Trojan, it's at this point you would see man-in-the-browser type attacks coming from Emotet. But since about 2017, where Emotet has been delivering other families of malware, we actually see Emotet being used not as a banking Trojan, but as a loader. So, in campaigns in early 2019 up until Emotet went quiet in June, we saw a very standard infection chain of Emotet delivering TrickBot, which then might deliver Ryuk ransomware.

Dave Bittner: [00:17:54] And so, really, the folks who are engaging with the people running Emotet – they can choose to have it install whatever they want.

Alex Holland: [00:18:05] Yeah, so, this is an open question about Emotet's business model. Because we saw this change in tactics, techniques, and procedures from Emotet in 2014 to Emotet today, we think that this could give an insight into their business model now. So, rather than directly monetize stolen financial information, it could be that Emotet are making money – or the operators of Emotet are making money by selling access to their botnet to other malware operators. In effect, they're acting as a malware distributor in this wider malware-as-a-service ecosystem.

Dave Bittner: [00:18:48] Yeah, it's an interesting shift. Now, in terms of your advice for folks protecting themselves against this – I mean, we've talked about some of the indicators. Can you sort of run through and review what the conclusions are here in your research?

Alex Holland: [00:19:03] There are a few ways that enterprises can defend themselves. I think the simplest way would be to lock down your use of commonly abused tools. So, PowerShell and VBA macros in Microsoft Office. So, Microsoft supplies great policy templates which you can configure. And I know the Australian National Cybersecurity Centre also has some great advice on configuring those templates. That would be my first point of advice.

Alex Holland: [00:19:38] For enterprises that want to do a better job at detecting Emotet specifically, then they can take a look at the indicators of compromise that we identified in the loader and also during Emotet's initialization process. It's possible that if you block access – read access – to the registry key, that Emotet won't run at all, because it would fail that registry check and it won't initialize. However, it's worth saying that this is, you know, technically possible, but whether it's feasible to be deployed out to an entire enterprise is an open question, because we know that this registry key is also used by other programs.

Dave Bittner: [00:20:27] Now, when you consider the overall sophistication of Emotet, where does it rank?

Alex Holland: [00:20:33] Yeah, so Emotet's operators definitely rank in the top echelons of e-crime groups today. So, they're notable for the scale of their campaigns. We actually saw Emotet being responsible for the infection of US municipalities over the last couple of months. And so, it clearly shows that the operators of Emotet as a loader, and the people possibly buying into the Emotet botnet, have specifically targeted local governments – US local governments – to maximize their returns through ransomware campaigns. In terms of impact, they are very sophisticated.

Dave Bittner: [00:21:19] Yeah, and that shift in business model has really enabled a diversity in what it can be used for. Like we said, it was originally a banking Trojan and now recent uses involve ransomware.

Alex Holland: [00:21:33] Yeah, I think it just goes to show that if you're an actor, a malicious actor, it's not enough to develop your own malware. You need a way to distribute it. And you can either spend all this time and money developing your own infrastructure, or nowadays you can just buy or rent somebody else's infrastructure.

Dave Bittner: [00:21:59] Our thanks to Alex Holland from Bromium for joining us. The research is titled, "Emotet: A Technical Analysis of the Destructive, Polymorphic Malware." We'll have a link in the show notes.

Dave Bittner: [00:22:10] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:22:21] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:22:30] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.