Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

Emotet Return Brings New Tactics & Evasion Techniques

Security researchers tracking Emotet report its reemergence brings new tricks, including new evasion techniques to bypass security tools.

The Emotet botnet recently resurfaced following five months of quiet. Now, researchers tracking the prolific threat share details about what's new and different in its latest wave — in particular, evasion detection tactics that help attackers fly under the radar of security tools.

Emotet is often used as the entry point for infecting a business, after which criminals stay in an environment for days or weeks. They often use the time to drop secondary payloads; in its latest iteration, Emotet has used TrickBot and QakBot to spread laterally and steal credentials.

Over the last few years, this threat has been "coming in waves," says Shimon Oren, vice president of research at Deep Instinct, where researchers have been analyzing its recent activity. "We see periods of very, very high volume of activity, both in terms of new samples that are generated and are being distributed and users, and also in terms of the targets."

Emotet has been spotted across sectors and business sizes, using social engineering scams — from invoices and financial statements to COVID-19-related emails — to convince victims to click. Most of its recent victims appear to be in the US and UK; however, operators have been known to diversify distribution with local languages, says Adam Kujawa, director of Malwarebytes Labs.

"Usually it involves an email which claims to be a response to an active e-mail threat (for example, 'RE: That thing I sent ya') and includes an attached Office document," Kujawa says. "Once opened, it activates a macro script [that] downloads the malware and installs it on the system."

In addition to hijacking existing email threads, Emotet has begun to add stolen attachments to emails in order to make them seem legitimate. One of its main capabilities, Kujawa notes, is establishing a spam module on the victim's system, stealing email contacts, and automatically sending phishing attacks to a victim's colleagues. The usual methods of avoiding sketchy emails don't apply: Emotet may send an email from someone you'd expect, in a thread you're part of.

"The folks behind Emotet are masters of development when it comes to making Emotet more capable on the system, but they are also very good at finding unique ways of spreading threats on corporate networks," he adds.

Emotet has become a vast and evasive piece of malware that continues to expand its capabilities, including the ways it bypasses increasingly advanced security tools.

Deep Instinct researchers evaluated a dataset of 38,000 samples from Emotet activity from July 17 to July 28; they divided these samples into three epochs, or botnets operating independently. They also broke the samples down into 170 templates, most of which were found in one epoch, indicating operators behind each have their own Emotet loaders.

The Emotet loader, they found, contains a lot of benign code as part of its evasion techniques and could manipulate artificial intelligence–based security products that rely on both malicious and benign code when classifying files. Inserting benign code into executable files can reduce the chances of detection, and it appears Emotet's operators are using legitimate Microsoft code to do this.

Analysis revealed the benign code of recent Emotet activity may be pulled from Microsoft DLL files that are part of the Visual C++ runtime environment, or even benign software unrelated to how the malware operates, researchers explain in a blog post on their findings. Only a small portion of code used is actually malicious, hidden in code that won't raise a red flag.

"A lot of the code is there in order to confuse, especially when examining statically, but a lot of it isn't even executed," Oren explains. "A lot of it isn't even reached during the execution."

The malware has several steps to execution, which can also trip up security tools. An attack starts with a document; this downloads a file, which decrypts another file, which brings it to the final payload. Its multistage nature is complex, Oren says, because the malicious business logic is never found on disk. It resides in memory and is decrypted and unpacked in runtime.

Coming Back Stronger
The group or groups behind Emotet are conscious of the fact that your organization is more successful and can last longer when it operates in this mode of high-volume activity, Oren says. They increase their efficiency and infection rate, and the wave starts to drop as the industry gains a greater understanding of the threat. 

"Then it's time to go back to the lab, go under the radar completely, and start working on the next wave and making that as good as possible, as evasive as possible," he explains. The tactic seems to be working: After going dark for a few months, Emotet reemerges more evasive than before, with techniques that security tools often aren't equipped to handle.

Emotet usually takes breaks throughout the year, Kujawa says. Sometimes it's during summer, sometimes in winter — sometimes both. It's believed the attackers use this downtime to upgrade their tools and find new distribution methods. This time, however, there was another factor.

"It seems that once folks started working from home, we saw an increase in use of tools not meant to infect corporate networks, but to be used to infect and conduct information gathering operations on employees working from home," he says of the COVID-19 pandemic. 

There may have been too few people working in offices, at corporate endpoints, to allow for a successful campaign, he continues. The chaos of everyone establishing work-from-home policies may have made corporate networks too unstable to attack a specific target, and the bad guys were waiting until things slowed down.

It's important to note that Emotet's attackers know that their malware will be detected, stopping its functions, and there will be efforts to block their threat. "The malware developer vs. malware detector battle will rage forever," Kujawa says. They also know many organizations fail to completely secure their networks from outside access or internal infection, allowing families like TrickBot to move laterally throughout internal systems.

"So they've doubled down on the one vulnerability they can most count on, and that is fooling users," he continues. While new functionality has been added to the botnet itself, researchers have seen even more focus on how it's distributed.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...