The Emotet botnet recently resurfaced following five months of quiet. Now, researchers tracking the prolific threat share details about what's new and different in its latest wave — in particular, evasion detection tactics that help attackers fly under the radar of security tools.
Emotet is often used as the entry point for infecting a business, after which criminals stay in an environment for days or weeks. They often use the time to drop secondary payloads; in its latest iteration, Emotet has used TrickBot and QakBot to spread laterally and steal credentials.
Over the last few years, this threat has been "coming in waves," says Shimon Oren, vice president of research at Deep Instinct, where researchers have been analyzing its recent activity. "We see periods of very, very high volume of activity, both in terms of new samples that are generated and are being distributed and users, and also in terms of the targets."
Emotet has been spotted across sectors and business sizes, using social engineering scams — from invoices and financial statements to COVID-19-related emails — to convince victims to click. Most of its recent victims appear to be in the US and UK; however, operators have been known to diversify distribution with local languages, says Adam Kujawa, director of Malwarebytes Labs.
"Usually it involves an email which claims to be a response to an active e-mail threat (for example, 'RE: That thing I sent ya') and includes an attached Office document," Kujawa says. "Once opened, it activates a macro script [that] downloads the malware and installs it on the system."
In addition to hijacking existing email threads, Emotet has begun to add stolen attachments to emails in order to make them seem legitimate. One of its main capabilities, Kujawa notes, is establishing a spam module on the victim's system, stealing email contacts, and automatically sending phishing attacks to a victim's colleagues. The usual methods of avoiding sketchy emails don't apply: Emotet may send an email from someone you'd expect, in a thread you're part of.
"The folks behind Emotet are masters of development when it comes to making Emotet more capable on the system, but they are also very good at finding unique ways of spreading threats on corporate networks," he adds.
Emotet has become a vast and evasive piece of malware that continues to expand its capabilities, including the ways it bypasses increasingly advanced security tools.
Deep Instinct researchers evaluated a dataset of 38,000 samples from Emotet activity from July 17 to July 28; they divided these samples into three epochs, or botnets operating independently. They also broke the samples down into 170 templates, most of which were found in one epoch, indicating operators behind each have their own Emotet loaders.
The Emotet loader, they found, contains a lot of benign code as part of its evasion techniques and could manipulate artificial intelligence–based security products that rely on both malicious and benign code when classifying files. Inserting benign code into executable files can reduce the chances of detection, and it appears Emotet's operators are using legitimate Microsoft code to do this.
Analysis revealed the benign code of recent Emotet activity may be pulled from Microsoft DLL files that are part of the Visual C++ runtime environment, or even benign software unrelated to how the malware operates, researchers explain in a blog post on their findings. Only a small portion of code used is actually malicious, hidden in code that won't raise a red flag.
"A lot of the code is there in order to confuse, especially when examining statically, but a lot of it isn't even executed," Oren explains. "A lot of it isn't even reached during the execution."
The malware has several steps to execution, which can also trip up security tools. An attack starts with a document; this downloads a file, which decrypts another file, which brings it to the final payload. Its multistage nature is complex, Oren says, because the malicious business logic is never found on disk. It resides in memory and is decrypted and unpacked in runtime.
Coming Back Stronger
The group or groups behind Emotet are conscious of the fact that your organization is more successful and can last longer when it operates in this mode of high-volume activity, Oren says. They increase their efficiency and infection rate, and the wave starts to drop as the industry gains a greater understanding of the threat.
"Then it's time to go back to the lab, go under the radar completely, and start working on the next wave and making that as good as possible, as evasive as possible," he explains. The tactic seems to be working: After going dark for a few months, Emotet reemerges more evasive than before, with techniques that security tools often aren't equipped to handle.
Emotet usually takes breaks throughout the year, Kujawa says. Sometimes it's during summer, sometimes in winter — sometimes both. It's believed the attackers use this downtime to upgrade their tools and find new distribution methods. This time, however, there was another factor.
"It seems that once folks started working from home, we saw an increase in use of tools not meant to infect corporate networks, but to be used to infect and conduct information gathering operations on employees working from home," he says of the COVID-19 pandemic.
There may have been too few people working in offices, at corporate endpoints, to allow for a successful campaign, he continues. The chaos of everyone establishing work-from-home policies may have made corporate networks too unstable to attack a specific target, and the bad guys were waiting until things slowed down.
It's important to note that Emotet's attackers know that their malware will be detected, stopping its functions, and there will be efforts to block their threat. "The malware developer vs. malware detector battle will rage forever," Kujawa says. They also know many organizations fail to completely secure their networks from outside access or internal infection, allowing families like TrickBot to move laterally throughout internal systems.
"So they've doubled down on the one vulnerability they can most count on, and that is fooling users," he continues. While new functionality has been added to the botnet itself, researchers have seen even more focus on how it's distributed.