On July 19, 2017 we wrote about the incorporation of a spreader component into the popular Emotet downloader. Just a short while later, a volume spam campaign was initiated that delivered Emotet with further modifications from the samples that we had analyzed. This post documents the changes we have observed.
After a short hiatus, Emotet has recently resurfaced with an updated version of its previously documented loader(1,11). On 24 July 2017, a massive spam campaign kicked off using a different version of Emotet than had previously been seen. One interesting change observed in this campaign is that the network spreader malware was no longer delivered as a separate component, but instead as a DLL whose strings are encoded with the same string encoding as Emotet itself.
This version of Emotet, like the previous one written about by Cert-PL(1), has a very similar C2 structure with a few minor changes.
[host_name]_[volume_SN]
Figure 1: BotId

```protobuf
syntax = "proto2";

message regrequest {
  required int32 command = 1;
  required string botId = 2;
  required fixed32 osVersion = 3;
  required fixed32 crc32 = 4;
  required string procList = 5;
  required string mailClient = 6;
  required string unknown = 7;
}
```
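To make the registration structure concrete, here is an added example (not Emotet's code and not Fidelis tooling) that decodes a regrequest body from the proto2 wire format using only the field numbers and types in the definition above, then splits the BotId along the Figure 1 format. The captured bytes are constructed by hand to show the layout of each field.

```python
import struct

# regrequest field number -> (name, wire type); wire types: 0 = varint, 2 = length-delimited, 5 = fixed32
FIELDS = {1: ("command", 0), 2: ("botId", 2), 3: ("osVersion", 5), 4: ("crc32", 5),
          5: ("procList", 2), 6: ("mailClient", 2), 7: ("unknown", 2)}

def decode_varint(buf, pos):
    """Read one base-128 varint (7 data bits per byte, MSB = continuation) starting at pos."""
    result = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        result, shift = result | (b & 0x7F) << shift, shift + 7
        if not b & 0x80:
            return result, pos

def decode_regrequest(buf):
    """Parse a regrequest body into a dict; field numbers not listed in FIELDS are dropped."""
    msg, pos = {}, 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        num, wtype = tag >> 3, tag & 7                    # tag = field number << 3 | wire type
        if wtype == 0:                                    # int32 travels sign-extended to 64 bits
            value, pos = decode_varint(buf, pos)
            value = (value & 0xFFFFFFFF) - ((value & 0x80000000) << 1)  # back to signed int32
        elif wtype == 5:                                  # fixed32 is little-endian
            value, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        elif wtype == 2:                                  # string: varint length, then UTF-8 bytes
            length, pos = decode_varint(buf, pos)
            value, pos = buf[pos:pos + length].decode("utf-8"), pos + length
        else:
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        if num in FIELDS:
            msg[FIELDS[num][0]] = value
    return msg

def split_botid(botid):
    """Split a [host_name]_[volume_SN] BotId (Figure 1) into its two parts."""
    host, _, volume_sn = botid.rpartition("_")
    return host, volume_sn

# Constructed sample body, not a real capture; hand-encoded to show the wire layout of each field.
CAPTURED = (b"\x08\x10"                                   # 1 command = 16 (varint)
            + b"\x12\x11" + b"WIN7-LAB_1A2B3C4D"          # 2 botId, length 17
            + b"\x1d\x01\x06\x00\x00"                     # 3 osVersion = 0x0601 (fixed32 LE)
            + b"\x25\xef\xbe\xad\xde"                     # 4 crc32 = 0xDEADBEEF (fixed32 LE)
            + b"\x2a\x18" + b"explorer.exe,outlook.exe"   # 5 procList, length 24
            + b"\x32\x11" + b"Microsoft Outlook"          # 6 mailClient, length 17
            + b"\x3a\x00")                                # 7 unknown = "" (length 0)
```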
This new version of the spreader component has a number of changes compared to the SFX RAR package we previously blogged about(11).
The first change is that the spreader code is no longer in a package format intended to be delivered, but instead is now a DLL. This transition is noteworthy because it indicates a move from a package delivery method to a module-based approach, where each module runs inside the same address space as Emotet.
The first three modules are the same as those described in other reports(1): MailPassView, BrowserPassView, and the module that interacts with Outlook. The new DLL, however, is much smaller than the others; it uses the same code as Emotet to rebuild its imports and to kick off its main code loop through a callback function passed to CreateTimerQueueTimer(7).
It also uses the same string encoding routine as Emotet.
These code similarities point to a move to a modular design. This is confirmed later in the code, when the bot retrieves the current process's filename on disk, which is later used to copy the file from the current system to the remote system when spreading. This works because the DLL is intended to be run from the same process memory space as Emotet.
After this, the module obtains the currently logged-in user with WTSGetActiveConsoleSessionId and QueryUserToken, then calls ImpersonateLoggedOnUser so that subsequent API calls execute as that user, before kicking off the recursive function that enumerates network resources.
This network resource enumeration is done in the same manner previously discussed, but this time it first attempts to connect to the remote resource as the currently logged-on user before jumping into the bruting portion of the code.
The bruting code is very similar to the previous package's: it enumerates available logons and uses an onboard password list. If all of these attempts fail, it moves on to attempting to brute the Administrator account on the remote system. The biggest difference here is the more extensive password list, which when decoded contains 1000 passwords. Choosing to include 1000 passwords seemed odd, but after a bit of searching it appears the list is the top 1000 from a publicly available password list on GitHub(8).
After a successful login, the spreader code attempts to copy a file onto the newly connected resource. As previously mentioned, this differs from the previous SFX package: the new modularized version copies the file associated with the process this module is running within onto the new system.
As with the previous version, a service is set up and started on the remote system in order to execute the file. But instead of having a filename and a service name hardcoded into the bot, it simply uses GetTickCount and an swprintf call to generate the names of both the exe and the service that will be created on the remote system.
Decompiling this routine and cleaning it up gives an overview of the service creation that may help make things clearer.
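A defender's view of the same procedure, as an added example that is not part of the original post: the spreading routine described above leaves two traits in Windows event logs, a burst of failed network logons from one source against several accounts followed by a success, and a new service whose name and image file are both bare decimal numbers (a GetTickCount value formatted with swprintf). The event records, their field names and the 283041 value are constructed for illustration; only the event IDs (4625, 4624, 7045) are real Windows identifiers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records, not real logs. The Windows event IDs are real (Security 4625 = failed
# logon, 4624 = successful logon, System 7045 = a service was installed); the field names are ours.
EVENTS = [
    {"ts": "2017-07-24T10:00:01", "id": 4625, "src": "10.0.0.15", "user": "jsmith", "type": 3},
    {"ts": "2017-07-24T10:00:01", "id": 4625, "src": "10.0.0.15", "user": "jsmith", "type": 3},
    {"ts": "2017-07-24T10:00:02", "id": 4625, "src": "10.0.0.15", "user": "mlee", "type": 3},
    {"ts": "2017-07-24T10:00:02", "id": 4625, "src": "10.0.0.15", "user": "mlee", "type": 3},
    {"ts": "2017-07-24T10:00:03", "id": 4625, "src": "10.0.0.15", "user": "Administrator", "type": 3},
    {"ts": "2017-07-24T10:00:04", "id": 4625, "src": "10.0.0.15", "user": "Administrator", "type": 3},
    {"ts": "2017-07-24T10:00:05", "id": 4624, "src": "10.0.0.15", "user": "Administrator", "type": 3},
    {"ts": "2017-07-24T10:00:07", "id": 7045, "service": "283041", "image": "C:\\Windows\\283041.exe"},
    {"ts": "2017-07-24T10:42:10", "id": 4625, "src": "10.0.0.77", "user": "bkim", "type": 3},
    {"ts": "2017-07-24T11:30:00", "id": 7045, "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
]

NUMERIC = re.compile(r"^\d+$")   # GetTickCount fed through swprintf yields a bare decimal string

def numeric_service_installs(events):
    """Return 7045 events whose service name and image file stem are both pure decimal numbers."""
    hits = []
    for e in events:
        if e["id"] == 7045:
            stem = e["image"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if NUMERIC.match(e["service"]) and NUMERIC.match(stem):
                hits.append((e["ts"], e["service"], e["image"]))
    return hits

def network_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with >= threshold failed network logons (4625, type 3) inside one window; each
    alert records the accounts tried and whether a type-3 success from that source followed."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4625 and e.get("type") == 3:
            failures[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = {}
    for src, tries in failures.items():
        times = [t for t, _ in tries]
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            success = any(e["id"] == 4624 and e.get("type") == 3 and e["src"] == src
                          and datetime.fromisoformat(e["ts"]) > times[-1] for e in events)
            alerts[src] = {"failures": len(tries), "accounts": sorted({u for _, u in tries}),
                           "followed_by_success": success}
    return alerts
```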
Spreading appears to be the new in thing for 2017, with a spreader module recently added to TrickBot(9) along with even more additions documented by other researchers(10); perhaps it would be better to call this summer the summer of coding for malware development.
I would like to thank researchers Joshua Platt and Brett Stone-Gross for their collaboration efforts on this research.
— Jason Reaves