
Emotet Return Brings New Tactics & Evasion Techniques

Security researchers tracking Emotet report its reemergence brings new tricks, including new evasion techniques to bypass security tools.

The Emotet botnet recently resurfaced following five months of quiet. Now, researchers tracking the prolific threat share details about what's new and different in its latest wave, in particular the detection-evasion tactics that help attackers fly under the radar of security tools.

Emotet is often used as the entry point for infecting a business, after which criminals stay in an environment for days or weeks. They often use the time to drop secondary payloads; in its latest iteration, Emotet has used TrickBot and QakBot to spread laterally and steal credentials.

Over the last few years, this threat has been "coming in waves," says Shimon Oren, vice president of research at Deep Instinct, where researchers have been analyzing its recent activity. "We see periods of very, very high volume of activity, both in terms of new samples that are generated and are being distributed and users, and also in terms of the targets."

Emotet has been spotted across sectors and business sizes, using social engineering scams — from invoices and financial statements to COVID-19-related emails — to convince victims to click. Most of its recent victims appear to be in the US and UK; however, operators have been known to diversify distribution with local languages, says Adam Kujawa, director of Malwarebytes Labs.

"Usually it involves an email which claims to be a response to an active e-mail thread (for example, 'RE: That thing I sent ya') and includes an attached Office document," Kujawa says. "Once opened, it activates a macro script [that] downloads the malware and installs it on the system."

In addition to hijacking existing email threads, Emotet has begun to add stolen attachments to emails in order to make them seem legitimate. One of its main capabilities, Kujawa notes, is establishing a spam module on the victim's system, stealing email contacts, and automatically sending phishing attacks to a victim's colleagues. The usual methods of avoiding sketchy emails don't apply: Emotet may send an email from someone you'd expect, in a thread you're part of.

"The folks behind Emotet are masters of development when it comes to making Emotet more capable on the system, but they are also very good at finding unique ways of spreading threats on corporate networks," he adds.

Emotet has become a vast and evasive piece of malware that continues to expand its capabilities, including the ways it bypasses increasingly advanced security tools.

Deep Instinct researchers evaluated a dataset of 38,000 samples from Emotet activity from July 17 to July 28; they divided these samples into three epochs, or botnets operating independently. They also broke the samples down into 170 templates, most of which were found in one epoch, indicating operators behind each have their own Emotet loaders.

The Emotet loader, they found, contains a lot of benign code as part of its evasion techniques and could manipulate artificial intelligence–based security products that rely on both malicious and benign code when classifying files. Inserting benign code into executable files can reduce the chances of detection, and it appears Emotet's operators are using legitimate Microsoft code to do this.

Analysis revealed the benign code of recent Emotet activity may be pulled from Microsoft DLL files that are part of the Visual C++ runtime environment, or even benign software unrelated to how the malware operates, researchers explain in a blog post on their findings. Only a small portion of code used is actually malicious, hidden in code that won't raise a red flag.

"A lot of the code is there in order to confuse, especially when examining statically, but a lot of it isn't even executed," Oren explains. "A lot of it isn't even reached during the execution."
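An added illustration, not code from the article or from Deep Instinct's research: a constructed toy call graph showing why a suspicion score averaged over every function in a file is diluted by unreached benign padding, while scoring only the functions reachable from the entry point is not. The function names, per-function scores and the 0.5 threshold are all assumptions made for the example.

```python
from collections import deque

# Constructed toy sample: function -> (static suspicion score 0..1, callees).
# Names and scores are invented for illustration, not taken from real malware.
SAMPLE = {
    "entry":         (0.10, ["decrypt_stage"]),
    "decrypt_stage": (0.90, ["run_in_memory"]),
    "run_in_memory": (0.95, []),
    # Padding lifted from benign libraries: present in the file, never called.
    "crt_init":      (0.02, ["crt_lock"]),
    "crt_lock":      (0.03, []),
    "crt_format":    (0.01, ["crt_write"]),
    "crt_write":     (0.02, []),
    "ui_draw":       (0.04, ["ui_font"]),
    "ui_font":       (0.03, []),
    "ui_resize":     (0.05, []),
}

def reachable(graph, entry):
    """Breadth-first walk of the call graph from the entry point."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in graph[queue.popleft()][1]:
            if callee in graph and callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def mean_score(graph, functions):
    functions = list(functions)
    return sum(graph[f][0] for f in functions) / len(functions)

def assess(graph, entry, threshold=0.5):
    """Compare whole-file scoring with scoring restricted to reachable code."""
    live = reachable(graph, entry)
    whole, live_mean = mean_score(graph, graph), mean_score(graph, live)
    return {
        "whole_file_mean": round(whole, 3),      # diluted by unreached padding
        "reachable_mean": round(live_mean, 3),   # padding excluded
        "unreached_ratio": round(1 - len(live) / len(graph), 3),
        "flag_whole_file": whole >= threshold,
        "flag_reachable": live_mean >= threshold,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, "entry"))
```

Static call-graph recovery misses indirect and runtime-resolved calls, so a high unreached ratio is a triage signal that a file deserves dynamic analysis, not a verdict on its own.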

The malware has several steps to execution, which can also trip up security tools. An attack starts with a document; this downloads a file, which decrypts another file, which brings it to the final payload. Its multistage nature is complex, Oren says, because the malicious business logic is never found on disk. It resides in memory and is decrypted and unpacked in runtime.

Coming Back Stronger

The group or groups behind Emotet are conscious of the fact that an organization is more successful and can last longer when it operates in this mode of high-volume activity, Oren says. They increase their efficiency and infection rate, and the wave starts to drop as the industry gains a greater understanding of the threat.

"Then it's time to go back to the lab, go under the radar completely, and start working on the next wave and making that as good as possible, as evasive as possible," he explains. The tactic seems to be working: After going dark for a few months, Emotet reemerges more evasive than before, with techniques that security tools often aren't equipped to handle.

Emotet usually takes breaks throughout the year, Kujawa says. Sometimes it's during summer, sometimes in winter — sometimes both. It's believed the attackers use this downtime to upgrade their tools and find new distribution methods. This time, however, there was another factor.

"It seems that once folks started working from home, we saw an increase in use of tools not meant to infect corporate networks, but to be used to infect and conduct information gathering operations on employees working from home," he says of the COVID-19 pandemic. 

There may have been too few people working in offices, at corporate endpoints, to allow for a successful campaign, he continues. The chaos of everyone establishing work-from-home policies may have made corporate networks too unstable to attack a specific target, and the bad guys were waiting until things slowed down.

Emotet's attackers know that their malware will be detected and its functions stopped, and that there will be efforts to block their threat. "The malware developer vs. malware detector battle will rage forever," Kujawa says. They also know many organizations fail to completely secure their networks from outside access or internal infection, allowing families like TrickBot to move laterally throughout internal systems.

"So they've doubled down on the one vulnerability they can most count on, and that is fooling users," he continues. While new functionality has been added to the botnet itself, researchers have seen even more focus on how it's distributed.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
