Emotet Adds New Evasion Technique and Uses Connected Devices as Proxy C&C Servers

by Marco Dela Vega, Jeanne Jocson and Mark Manahan

Over the years, Emotet, the banking malware discovered by Trend Micro in 2014, has continued to be a prevalent and costly threat. The United States government estimates that an Emotet incident takes an organization US $1 million to remediate. Unfortunately, it is a widespread and particularly resilient malware. Its authors have continuously updated it with new capabilities, new distribution techniques, and more.

Recently, an analysis of Emotet traffic has revealed that new samples use different post-infection traffic from that of previous versions. The malware is also attempting to use compromised connected devices as proxy command-and-control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in C&C traffic is an attempt by the Emotet authors to evade detection. These discoveries also show that the malware is being used to compromise and collect vulnerable connected devices, which could become resources for other malicious purposes.

Arrival via spam

Emotet typically arrives on a victim’s system via spam mail. At the beginning of April, Emotet samples showed that the malware still spreads via spam, but with the help of the trojan downloader Powload. The spam messages trick users into downloading malicious files by claiming that an invoice is attached to the email. The attachment is a ZIP file that can be opened with the 4-digit password included in the body of the email. A look into the ZIP file shows that it contains variants of Powload (detected as Trojan.W97M.POWLOAD). If the user enters the password, the file uses PowerShell to download an executable file, which is Emotet’s payload.

Figure 1. Example of an Emotet spam mail; samples show mail written in many different languages

Changes in post-infection traffic

The wave of Emotet samples using new post-infection traffic has been monitored since March 15, 2019. As mentioned previously, Emotet has undergone many changes since it was first discovered, but this is the first time we have seen this particular post-infection traffic technique.

Figure 2. New Emotet post-infection HTTP Post request traffic

Previous connections from Emotet did not use a URI path, but the newer samples show randomized words and a randomized number used as a URI directory path (see Figure 2). These random words in the URI path help the malware evade network-based detection. An empty URI path is a red flag, so this technique helps the traffic appear more legitimate to security solutions.

Below is a list of random words used in the URI path, found in the new sample. We can also see these same words in the Emotet executable file.

Figure 3. Decrypted dump with list of words to be used in the URI

Apart from the URI path, the data in the HTTP POST message body has also changed. Previous Emotet samples typically used an HTTP GET request to send victim information to the C&C server, with the data stored in the Cookie header. The data was encrypted using an RSA key and AES, then encoded in Base64 before being added to the Cookie value (see Figure 4, HTTP request traffic with Cookie header).

Newer traffic shows something different. The actors stopped using the Cookie header and changed the HTTP request method to POST. The data is still encrypted with an RSA key and AES, and encoded in Base64. However, instead of being stored in the Cookie value, it is placed in the body of the HTTP POST message. This change adds another layer of complexity to help the malware evade detection, or to delay further investigation if it is detected.
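As an added example (not code from the Trend Micro post), the following Python proxy-log triage rule encodes the two beacon shapes described above: the older GET to a bare IP address with an empty path and Base64 data in the Cookie header, and the newer POST to a random-word path with the payload in the body and no Cookie header. The log format, hosts, paths and cookie values are constructed for the demonstration and are not real indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log: "METHOD URL STATUS BODY_BYTES COOKIE" (COOKIE is "-" when the
# request carried no Cookie header). Hosts are RFC 5737 documentation addresses and the
# paths, cookie values and sizes are invented for the demo; none of it is a real indicator.
SAMPLE_LOG = """\
GET http://203.0.113.10:8080/ 200 0 1d2a=bXlzZWNyZXRkYXRhaGVyZWFuZG1vcmU=
POST http://198.51.100.23/reported/splash/ 200 412 -
POST http://203.0.113.77:7080/window/teapot/26873/ 200 388 -
GET http://www.example.com/index.html 200 0 session=abc123
POST http://www.example.com/api/v1/users 201 95 csrftoken=deadbeef
"""

IPV4_HOST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def looks_random_word_path(path: str) -> bool:
    """True for a short path made only of lowercase words and optional numbers, as in Figure 2."""
    segs = [s for s in path.split("/") if s]
    if not 2 <= len(segs) <= 5:
        return False
    words = [s for s in segs if re.fullmatch(r"[a-z]{3,12}", s)]
    numbers = [s for s in segs if s.isdigit()]
    return len(words) >= 1 and len(words) + len(numbers) == len(segs)

def classify(line: str) -> str:
    """Return 'old-style', 'new-style' or 'benign' for one log line."""
    method, url, _status, body_bytes, cookie = line.split(" ", 4)
    parts = urlsplit(url)
    if not IPV4_HOST.fullmatch(parts.hostname or ""):
        return "benign"  # both beacon styles talk to hardcoded IP addresses, not hostnames
    # Older traffic: GET, empty URI path, encrypted blob Base64-encoded inside the Cookie value.
    if method == "GET" and parts.path in ("", "/") and cookie != "-":
        value = cookie.partition("=")[2] or cookie
        if B64_TOKEN.fullmatch(value):
            return "old-style"
    # Newer traffic: POST, random-word path, no Cookie header, encrypted blob in the body.
    if method == "POST" and cookie == "-" and int(body_bytes) > 0 and looks_random_word_path(parts.path):
        return "new-style"
    return "benign"

def triage(log: str) -> dict:
    """Count verdicts over a whole log, e.g. {'old-style': 1, 'new-style': 2, 'benign': 2}."""
    counts = {"old-style": 0, "new-style": 0, "benign": 0}
    for line in filter(str.strip, log.splitlines()):
        counts[classify(line)] += 1
    return counts
```

Both rules are heuristics: a bare-IP destination plus the shape of the request is enough to surface candidates for review, not to confirm an infection on its own.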

Figure 4. Comparison between the new Emotet C&C traffic and the previous Emotet C&C traffic

Connected devices used as first-layer C&C servers

Emotet is known to list hardcoded IP addresses as its C&C servers. On average, one Emotet sample contains 39 C&C servers, with a maximum of 44 and a minimum of 14. Investigating some of the most recent live IP addresses of known Emotet C&C servers, we saw that they were actually different types of connected devices: one is the web interface of a router, another is an embedded server for managing printers and other devices, and one appears to be the server interface of a DVR (digital video recorder).

A deeper examination of the Emotet C&C servers collected since March shows that these connected devices are being used as an added layer of C&C communication.

Figure 5. Details from Shodan

Figure 6. Login page of a compromised DVR

An investigation of open ports and services on the live C&C servers indicates that Emotet actors are attempting to harvest vulnerable connected devices (routers, IP cameras, web servers and more) to use them as first-layer C&C servers. This first layer serves as a proxy that redirects victims to the real Emotet C&C servers, adding another layer of complexity to C&C communication and making it more difficult to track down the actors behind the Emotet operations. Moreover, compromising vulnerable devices gives them additional resources that they can use for other malicious purposes.

A C&C list gathered from a Shodan scan in March shows a number of these connected devices already being used by Emotet:

Count  Type of connected device
24     Web server interface of IP camera
3      Router test server
4      Router
1      Router FTP server
1      Web cam
1      Web administration for printers, network switches, etc.

Table 1. Connected devices compromised by Emotet

How can organizations defend themselves?

The change in POST-infection traffic and the use of these connected devices show that Emotet is still a constantly evolving and resilient threat. The malware authors are fine-tuning evasion techniques and trying to adapt to security solutions. If left unchecked and undetected, this threat may lead to a substantial loss of money and data for businesses.

Combating threats like Emotet calls for a multilayered and proactive approach to security, protecting all fronts — gateway, endpoints, networks, and servers. Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages, as well as blocking all related malicious URLs.

Connected devices can be protected by security software such as the Trend Micro™ Home Network Security and Trend Micro Smart Home Network™ (SHN) solutions, which check internet traffic between the router and all connected devices. (SHN’s coverage is relative to manufacturers’ release cycles.) Enterprises can also monitor all ports and network protocols for advanced threats and be protected from targeted attacks with the Trend Micro™ Deep Discovery™ Inspector network appliance.

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

This post appeared first on the Trend Micro Blog
Author: Trend Micro