Research Saturday 1.9.21
Ep 165 | 1.9.21

Emotet reemerges and becomes one of the most prolific threat groups out there.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Shimon Oren: Emotet has been around for several years now, but we can definitely say that in the last twelve to eighteen months, it's really become one of the most prolific threat groups out there.

Dave Bittner: That's Shimon Oren. He's VP of Research & Deep Learning at Deep Instinct. The research we're discussing today is titled, "Why Emotet's Latest Wave is Harder to Catch Than Ever Before."

Dave Bittner: So, what led to you all taking on this research here? What sparked your interest that you started this effort?

Shimon Oren: Well, what sparked our interest is, again, first and foremost, the fact that Emotet constitutes such a significant part of the current threat landscape. And over a year now, the fact that it's one of the malware families and malware campaigns we see most trying to attack the customers which we protect, and in general just a very, very active campaign group.

Shimon Oren: But other than that, what really interests us in Emotet from a pure professional standpoint is the fact that it's a very, very successful, so to speak, or for lack of a better word, it's a very, very successful malware campaign. It's very evasive. It's quite sophisticated, both from a technical standpoint, or I'd say even more so from a kind of modus operandi standpoint – the way they operate as a group and the way they go about carrying on their operations.

Dave Bittner: Well, let's walk through your research together here. You all began with some data samples which you grouped into different categories?

Shimon Oren: Yes, I mean, that's pretty much what we set out with. What we've seen in the – I'd say in the second half of the summer of this year is a new and quite expansive attack wave. In general, at this point, I think it's worth mentioning that Emotet works in waves, and that's part of that interesting modus operandi that I just mentioned. Unlike other malware campaigns that have a certain period – it could be rather short, in some cases, if it's more successful, it can be a bit longer – but usually they have a defined and rather specific period in time in which they're active.

Shimon Oren: Emotet has been quite different in that it comes and goes in waves. There are periods of very, very high activity, where literally hundreds of thousands of variants are created and hundreds of thousands of targets are targeted and, unfortunately, in some cases, infected. And then that's followed by, you know, varying periods, but usually longer periods than the periods of activity, longer periods of just going completely under the radar and without – almost without any kind of new targets being attacked or new variants – or very, very few variants, in any case, being created.

Shimon Oren: So, what happened last summer is that we've seen, you know, one of these waves come out. And, again, usually in each wave, there's something new and different in – from, I guess, technically speaking, in the malware itself. So we started to look into it because it's always interesting to know and to understand what's new with Emotet. And that's what led us to try and, again, cluster these new malware variants that we've seen into different groups and trying to understand how and what exactly, and in what way, differentiates from previous attack waves.

Dave Bittner: Well, let's go through it together. I mean, can you share the story with us? What did you find in this latest wave from Emotet?

Shimon Oren: So, we found something very, very interesting. And one of our most interesting findings was the fact that Emotet actually uses and embeds into the malware samples that are propagated as part of this campaign a lot of benign code and benign – or just simply – and what I mean in benign code more specifically, I'd say, than that is code segments or just different binary sequences that are found in operating system files coming from Microsoft or from other very, very popular or prolific benign software.

Shimon Oren: And it does that specifically in an attempt to evade AI-based solutions that are more susceptible to that kind of attack, where if you inundate the malware samples with a lot of benign content, and especially benign content that AI solutions – or in general endpoint solutions, for that matter – would very, very much want to refrain from triggering on, because they would deem as false positives. So having that kind of content be embedded in the malware sample really helps at evading security solutions, and in a lot of cases that was what happened.

Shimon Oren: And we could see across multiple samples, specific code segments taken from different Microsoft or, in general, Windows DLLs, and injected or embedded somehow into the malware samples. So that was one thing. And the difference between the different clusters that we found – we found different clusters of that attack wave to just contain different types of different kinds of different content of actual benign code, whereas the malicious activity itself, the malicious code and the malicious business logic were similar.

Dave Bittner: Hmm. So, the notion here, just for my own clarity, is that, say, an AI solution would be looking at the code and doing sort of spot checks to compare what it was finding against a database of known good code, for example. And in doing this spot check, this avalanche of benign code would likely throw it off the trail.

Shimon Oren: Pretty much, yeah.

Dave Bittner: Yeah. Well, take me through, then, the actual encrypted payload – the part of the malware that is specifically of interest here.

Shimon Oren: Yes. So that's another part, by the way, of how and why Emotet is that successful, because other than having most of the exposed content of the malware sample actually be benign code or, again, functions taken from DLLs, or resources taken from Microsoft DLLs, et cetera, the malicious business logic is encrypted, at least as far as the – when you look at the file statically, nothing that's intrinsically malicious pops out because it's all encrypted. So again, if you look at it statically, what you have is a bunch of what would seem to almost everybody pretty much benign or even very, very benign content. And other than that, the rest would just be encrypted.

Shimon Oren: What we did as part of our research is understanding exactly where and how that encrypted payload is kept within the file, and what the flow is that happens at runtime that decrypts it and then runs a certain kind of shellcode that then in itself decrypts another layer, which is where the actual malicious business logic resides. So you have multiple stages of decryption and obfuscation that take place until, you know, something bad really starts to happen.

Shimon Oren: But again, I mean, in runtime, it happens pretty fast. I mean, it's not...

Dave Bittner: Right.

Shimon Oren: ...It's not that it takes eternity. But, you know, when you come and look at it and try to, you know, reverse engineer it and debug it, et cetera, it takes quite some time to figure out what's going on.

Dave Bittner: And can you walk us through – I mean, how did you reverse engineer the malicious part of the code here? How did you get into that encrypted data?

Shimon Oren: So, again, it involved a lot of, you know, a lot of work with tools like IDA and other analysis tools running it on VMs and looking at it with different types of memory forensic tools, trying to understand exactly what happens in memory as we continuously debug and run it and decompile it. It took quite some effort, especially, again, because there's several stages that take place until the full malicious business logic is discovered. And the main crux of it here is understanding where exactly is the decryption key found and how is it, you know, where exactly it appears in memory during runtime, where it's kept, and then how it's used to decrypt the content. That was the crux of what we needed to understand in order to fully analyze and then, of course, going on to share – to explain and share with the community what's actually going on there.

Dave Bittner: And then the final payload itself, I mean, there's quite a bit going on here, starting with some code obfuscation.

Shimon Oren: Yeah. I mean, even once you get to the malicious business logic itself, it's not that, you know, life becomes very, very easy...

Shimon Oren: (Laughs)

Shimon Oren: ...Because, again, the people behind Emotet are very, very aware. And other than what I'd call "anti-evasion techniques" – which is, again, you know, the benign code and the encryption that, when you look at the file statically, you don't really see the malware itself – they use a lot of other techniques that are more geared towards, you know, anti-reversing, anti-debugging, and making the researcher's life harder, even once they've already understood that this is malware and they're analyzing it. So, yeah, it's not that it becomes easy. It's pretty good code, and there are a lot of additional internal obfuscations and, you know, different kinds of fuzzing, I'd say, methods that lie in there that make, again, make our lives as researchers harder. But, you know, happily, we're used to it, or fortunately, we're used to it.

Dave Bittner: (Laughs) Right, right.

Shimon Oren: Sometimes it's just – it doesn't necessarily, you know, make things impossible. It does make them, you know, harder and slower. But we're persistent, just as they are.

Dave Bittner: And so, the ultimate functionality of Emotet, of this payload, is what? What is it setting out to do here?

Shimon Oren: OK, so that's actually an additional very, very interesting piece. So, if we look at the way Emotet has evolved over the course of its activity – so, it set out and it started as, you know, again, your run-of-the-mill or your day-to-day financial malware doing things like credential harvesting, especially from, you know, financial or banking-related accounts and user data, acted as spyware trying to just collect data, collect files, look at your emails, look at your addresses – things that are very, very important in order to, you know, to keep the attack chain going, to gain more data on more targets.

Shimon Oren: But then as it became that successful, and as successful and as evasive as it is – really, if you look at Emotet in general, it's one of the malware campaigns with the highest infection rates – then what it's become is it's – now, Emotet is more of a platform for other second-stage malware to come after it. Now, the thing is, even if that second-stage malware in and of itself is not that successful, is not that evasive, doesn't have that high of an infection rate, once the machine has already been compromised and infected with Emotet, and Emotet does its thing on that machine – you know, lowers security settings, completely removes different kinds of security software, escalates privileges, et cetera – it's pretty easy to then, you know, land, whatever type of malware that we want onto that compromised device and then do pretty much as we wish.

Shimon Oren: That's one of the reasons why we've seen so much collaboration happening between Emotet and ransomware campaigns, especially Ryuk, which we also mentioned somewhere in our research blogs. Ryuk has become a very, very common second stage after an Emotet infection, whereas Emotet comes in and does everything that it normally does – taking out data, compromising the machine itself, can move laterally, steal banking information, et cetera, or steal the data itself – and then there also comes the ransomware attack where the data that remains on the machine is encrypted and then a ransom payment is demanded in order to decrypt the content.

Shimon Oren: So, and these are very, very devastating and disruptive attacks when they happen in enterprises or, you know, actual organizations. But again, the success of Emotet and the infection rate that we're seeing is what made it this, you know, pretty much this platform for other malware, even if in some cases that malware in itself is no longer as successful and as infectious as it used to be.

Dave Bittner: Yeah, it's like adding insult to injury, almost, that second wave.

Shimon Oren: Yes, absolutely. Absolutely.

Dave Bittner: Yeah, I suppose, too, I mean, this speaks to the sophistication, but also patience of the developers of Emotet, that, you know, they're willing to – part of their process is standing down for a little while to improve their tools, to improve their capabilities.

Shimon Oren: Absolutely. And I think that in the long run, it's worth their while in terms of the ultimate financial success and, again, ultimately money that they're making out of it. I think the way they're operating, as you said, with those periods of going under, in the long run, is what makes them and what makes their operation more lucrative and more profitable. They have that understanding that, you know, wasting all your ammunition and being exposed and transparent for a long period of time will actually make you less evasive, less infectious, and will allow the industry, the cybersecurity industry more time to learn to adapt to your operations and to your specific techniques and procedures. That understanding that, you know, one needs to go under for a little while in order to come back better and stronger is what makes them as successful, and again, over time. It's one thing to have, you know, a very, very successful specific attack, you know, use that for as long as it may work, but then, you know, pretty much go detected by everybody and become your day-to-day, known malware that has a very, very low success rate. That reorganization over long periods of time is really what makes Emotet what it is today and as successful as it is today.

Dave Bittner: And where do we stand in terms of people's ability to defend themselves against this? What are the most effective ways?

Shimon Oren: People and organizations that want to keep themselves safe from Emotet, there are several things that they can do. First of all, they need to understand and, you know, I'd say even speak the truth to themselves about their current security posture, what kind of solutions and protections they have in place, test those against new Emotet waves or recent Emotet waves and samples as they become available, and see whether what they have today will defend them, at what stage of the attack chain it will defend them. You know, it's better to be able to stop and thwart an Emotet attack at the dropper stage, at the spearphishing or malicious document attachment stage, rather than rely on the actual payload being prevented or something being prevented during runtime. In some cases, not in all cases, but in some cases that would be too late.

Shimon Oren: So, first and foremost, my answer would be: understand what your current protection level is against threats as sophisticated as Emotet. And with regard to the protection you have in place, where exactly in the attack chain it's found and how early it is, because the earlier it is, the value – as far as the security value you would gain from it – is much higher.

Shimon Oren: Other than that, I think it's very, very important for organizations to be very well informed of the actual, you know, the TTPs, the techniques, you know, the way the malware itself operates. They can do that by, you know, getting themselves familiarized with the research content that's out there about Emotet and its behavior. So that in the case that they are infected or, you know, they have a certain fear of being infected, they would know what exactly it is they need to look for, what are the assets that need to be either disabled or protected first, basically to make sure they have all the knowledge and the right toolset in order to deal with, unfortunately, a potential Emotet attack.

Shimon Oren: So, those are the two main pieces of advice I would give to organizations. And, you know, there's a lot of research content and analysis out there about Emotet throughout its period of activity, you know, research blogs and research pieces like we've put out there, but also a lot of other of our colleagues and competitors as well in the community have put out there. There's ample amounts of materials available out there to get familiar with.

Dave Bittner: Our thanks to Shimon Oren from Deep Instinct for joining us. The research is titled, "Why Emotet's Latest Wave is Harder to Catch Than Ever Before." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.