Emotet: An Example of Evolving Malware
By BUFFERZONE Team, 26/06/2018
The never-ending battle between cybercriminals and the cyber security establishment is well known far beyond the security community, even to the general public. Elsewhere, we've written about some aspects of this struggle, specifically Office-based malware.
What is less well known is that the challenge comes not only from new malware and new types of malware: even a single, well-established malware family keeps evolving. Here we'll use the Emotet Trojan, which steals banking credentials and money from its victims, as an example of how an established malware package can continuously develop to evade even state-of-the-art security mechanisms.
At its root, Emotet steals users' banking credentials by hooking network APIs inside the victim's applications and intercepting outbound communications. Because the hook sits inside the application, where data is still plaintext before TLS encrypts it for transport, Emotet can record full sessions even over HTTPS, with no effect noticeable by the user. This sets it apart from banking malware that relies on reading the fields of filled-out web forms or on presenting its own fraudulent pages (phishing).
Emotet is delivered via phishing spam purporting to be about bank transfers, invoices, or other financial transactions. Once active, Emotet may harvest the user's Outlook address book and continue spamming those addresses from the user's legitimate email account, thus spreading itself further.
Depending on the specific distribution campaign, clicking a link in the message, or opening a zipped executable attachment masquerading as a PDF, downloads and installs the malware. Once installed, Emotet operates behind the scenes, identifying the user's connections to online banking sites, reading the credentials, and ultimately stealing money from those accounts.
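As an added example (not part of the original article and not code from any BUFFERZONE product), here is a small Python mail-gateway check for the delivery pattern just described. It parses a message, looks inside zip attachments, and flags members with an executable extension, a double extension such as .pdf.exe, or a Windows MZ header hiding behind a document name. The sample messages, addresses, and file contents are constructed for the demonstration; the "executable" is only an MZ header followed by zero bytes.

```python
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

MZ_MAGIC = b"MZ"            # header of Windows PE executables
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"
MAX_HEAD = 4096             # only the head of each file is needed for the checks below
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def inspect_file(name, head):
    """Return findings for one attached file (or one member of an attached archive)."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    stem, ext = os.path.splitext(base)
    _, inner_ext = os.path.splitext(stem)   # "invoice.pdf.exe" -> inner ".pdf", outer ".exe"
    if ext in EXECUTABLE_EXT:
        findings.append(f"{name}: executable extension {ext!r}")
    if inner_ext in DOCUMENT_EXT:
        findings.append(f"{name}: double extension presents {ext!r} as a {inner_ext!r} document")
    if head.startswith(MZ_MAGIC):
        findings.append(f"{name}: content is a Windows executable (MZ header)")
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        findings.append(f"{name}: named .pdf but content lacks a PDF header")
    return findings


def inspect_message(raw):
    """Parse a raw RFC 5322 message and inspect every attachment, looking inside zip archives."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if data.startswith(ZIP_MAGIC):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    with archive.open(info) as member:
                        head = member.read(MAX_HEAD)   # never inflate the whole member
                    findings += inspect_file(f"{name}/{info.filename}", head)
        else:
            findings += inspect_file(name, data[:MAX_HEAD])
    return findings


def build_message(attachment_name, attachment_bytes, subtype):
    """Constructed sample mail in the style of the campaigns; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Invoice for your recent bank transfer"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment_bytes, maintype="application", subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


def malicious_sample():
    """Zip named like a PDF, holding a constructed, inert MZ-headed file called invoice.pdf.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf.exe", MZ_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60)
    return build_message("invoice.pdf.zip", buf.getvalue(), "zip")


def benign_sample():
    """A genuine-looking PDF attachment (constructed minimal header only)."""
    return build_message("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", "pdf")


if __name__ == "__main__":
    for finding in inspect_message(malicious_sample()):
        print(finding)
```

The checks deliberately rely on file content (magic bytes) as well as names, since an attacker controls the name but not what the file must look like to run; in a real gateway the same inspection would be applied recursively to nested archives and to non-zip containers.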
The Evolution of Emotet
Emotet has been around since June 2014, but didn’t always have all of its current features. Over time, its development has continued, much in the same way conventional software is developed.
One of its major changes was the addition in autumn 2014 of an Automated Transfer System (ATS). Before that, the malware sent stolen banking credentials to its Command and Control (C&C / C2) Servers, for manual use by its creators. The ATS enabled Emotet to automatically use the credentials to transfer money from victims’ accounts.
Other developments improved Emotet's distribution and delivery mechanisms: the message-attachment option was added alongside the existing link-based delivery, and a module was added that steals Outlook addresses and automatically continues the spam campaign. The campaigns' social engineering also developed. Early campaigns targeted German-speaking customers of several German and Austrian banks (although Emotet's authors do not appear to be from those regions, judging by the Russian-language comments found in the code); they then expanded to Swiss banks and credit organizations, and eventually used English-language messages targeting business and government users in the UK and US.
However, Emotet's most consequential developments are probably in the area of security-system evasion. In January 2015, Emotet introduced improved stealth mechanisms, including detection and evasion of sandboxes (dynamic analysis environments), and its evasion techniques have continued to develop since.
Emotet's evolution has not gone unnoticed by the security establishment. For contrast, back in 2015 a Kaspersky Lab article stated: "…this banking Trojan doesn't incorporate conceptually new technology and so the use of a modern anti-virus program can provide an effective defense against the threat". Three years later, however, the City of Allentown, which presumably had deployed standard security tools, suffered a debilitating Emotet attack, and a Malwarebytes Labs analysis pointed out how Emotet's frequent code changes pose a significant challenge to analysis by security tools.
Kaspersky’s confident prognosis was premature – signature-based antivirus tools are unlikely to catch changed modules of Emotet. Behavior-based analysis tools may be more likely to identify Emotet’s activity – but only after it strikes, which is always too late for someone.
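To make the point about signatures concrete, here is an added Python example (not from the article, and not modelled on any real Emotet sample) of what a packer does to a module: the same payload is XOR-encoded with a different per-build key, so every build has a new file hash and no longer contains the byte pattern a static signature would look for, while the body restored in memory at run time, which is what a behaviour or memory scanner sees, is byte-for-byte unchanged. PAYLOAD, the stub marker, the signature pattern, and the keys are all constructed stand-ins.

```python
import hashlib

# Constructed stand-in for a malware module body: the part that stays the same across builds.
PAYLOAD = (b"HOOK:PR_Write;HOOK:HttpSendRequestW;POST:/gate;" + bytes(range(256))) * 2
STUB = b"STUB\x01"                        # constructed marker standing in for the decoder stub
SIGNATURE_PATTERN = b"HOOK:PR_Write;"     # byte pattern a static signature might carry (constructed)


def pack(payload, key):
    """Mimic a packer: stub + key length + key + XOR-encoded body. A new key gives a new file."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB + bytes([len(key)]) + key + body


def unpack(blob):
    """What the stub does when the sample runs: restore the plaintext body in memory."""
    if not blob.startswith(STUB):
        raise ValueError("not a packed sample")
    n = blob[len(STUB)]
    key = blob[len(STUB) + 1:len(STUB) + 1 + n]
    body = blob[len(STUB) + 1 + n:]
    return bytes(b ^ key[i % n] for i, b in enumerate(body))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def static_scan(blob, known_hashes, pattern):
    """On-disk scanner: a known file hash, or a fixed byte pattern in the file as stored."""
    return sha256(blob) in known_hashes or pattern in blob


def runtime_scan(blob, pattern):
    """Scan of the image after the stub has run, i.e. what a memory or behaviour monitor sees."""
    return pattern in unpack(blob)


def build_key(build_number):
    """Deterministic per-build key so the demo is reproducible (a real packer would randomise)."""
    return hashlib.sha256(b"build-%d" % build_number).digest()[:8]


def demo():
    build1 = pack(PAYLOAD, build_key(1))
    known_hashes = {sha256(build1)}          # a vendor adds the hash of the first sample it sees
    build2 = pack(PAYLOAD, build_key(2))     # the author simply rebuilds with a new key
    return {
        "build1_static": static_scan(build1, known_hashes, SIGNATURE_PATTERN),   # True
        "build2_static": static_scan(build2, known_hashes, SIGNATURE_PATTERN),   # False
        "build2_runtime": runtime_scan(build2, SIGNATURE_PATTERN),               # True
        "payload_unchanged": unpack(build1) == unpack(build2),                   # True
        "files_differ": sha256(build1) != sha256(build2),                        # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The gap between build2_static and build2_runtime is the whole argument: a rebuild costs the attacker one key change, whereas the on-disk signature must be re-derived for every build, and only observation of the unpacked code or its actions, after execution has begun, is stable across builds.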
Emotet is just an example of many such changing and developing malware types. Gradually, attitudes among the security establishment are moving from the outdated model of relying on detection to recognition of the need for proactive containment and isolation.
BUFFERZONE provides exactly such a solution. If Emotet, or other such malware, is downloaded to an endpoint protected by BUFFERZONE, it is automatically isolated, together with all other downloads, inside a virtual container, where it can do no lasting harm: it cannot affect the native endpoint and cannot read any trusted data. To access banking sites safely, organizations need only add those sites to their Trusted list; connections to them, and their data, are kept completely separate from any downloaded malware. BUFFERZONE users can confidently open received shipping documents, invoices, or other documents, knowing that the activity is safely contained.
Don’t wait for the next new attack. Protect your organization now.
New Banking Malware Uses Network Sniffing for Data Theft, Trend Micro, 27/6/14
The Banking Trojan Emotet: Detailed Analysis, Kaspersky Lab, 9/4/15
Emotet Changes TTPs and Arrives in United States, Center for Internet Security, (4/17?)
How artificial intelligence stopped an Emotet outbreak, Microsoft, 14/2/18
City of Allentown computer systems hit by virus that will require nearly $1M fix, Morning Call, 20/2/18
Malware analysis: decoding Emotet, part 1, Malwarebytes Labs, 25/5/18