In July 2018 we already talked about Emotet and described the ability of this malware to replicate itself inside a corporate network. Let's dig into it and into some other types of malware to understand how fast a compromise of your entire network may occur.
A little background
At its beginning in 2014, Emotet, also named Geodo or Heodo, was sold as a banking malware. It was designed mainly to steal banking access by modifying the web pages displayed to the user in the browser. This technique allows the malware to dynamically change the content of the page: it adds or edits forms in order to modify the requests and steal data. Note that this technique is called web inject or man-in-the-browser.
However, we have never really seen Emotet used in that way. Nevertheless, it is still one of the most frequently seen malware families when talking about malicious emails. According to some anti-virus vendors, it represents up to 75% of malicious emails by volume.
So why are malware operators using it? The answer is twofold: effectiveness and modularity.
Emotet malware: a modular conception
Emotet is modular: it may download and execute additional code, called modules. These modules provide additional features to the malware and are only used when the operator needs them, for example depending on the geographical location from which the malware is running. In the latest versions the modules are:
For communications and replication:
- C2 traffic proxy: Used to route traffic through the malware itself, acting as a relay. This plugin is capable of controlling UPnP devices, allowing direct connections from the internet.
- Spammer: Used to send spam.
- Network password brute-forcer: Used to brute-force the passwords of Windows shares on the local network.
- Administrative share spreader: Used to replicate between hosts using administrative shares.
For Data Harvesting:
- WebBrowserPassView: Used to run WebBrowserPassView from Nirsoft directly in memory. This tool retrieves all saved passwords stored by the following web browsers: Internet Explorer (versions 4.0 to 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera.
- MailPassView: Same as the previous one, also from Nirsoft, this module allows in-memory retrieval of the passwords of mail applications. It allows Emotet to retrieve passwords from many mail applications: Outlook Express, Microsoft Outlook 2000 (POP3 and SMTP accounts only), Microsoft Outlook 2002/2003/2007/2010/2013/2016 (POP3, IMAP, HTTP and SMTP accounts), Windows Mail and Windows Live Mail, IncrediMail, Eudora, Netscape 6.x/7.x, Mozilla Thunderbird, Group Mail Free, Yahoo! Mail in the Yahoo! Messenger application, Hotmail/MSN mail in the MSN/Windows/Live Messenger application, and Gmail from the Gmail Notifier application, Google Desktop, or Google Talk.
- Outlook contact harvester: Used to retrieve contact details from Outlook. The stolen details are then often used to send malicious emails.
- Outlook mail harvester: Used to grab information from inside your mailbox.
Attackers using Emotet may decide to use only some modules, or to execute a module on just a part of the compromised hosts, based for example on the IP geolocation of the hosts where the malware is running.
Emotet privilege escalation
As we can see, Emotet is a Swiss army knife for hackers trying to enter a network. When the attacker installs the malware inside your network, it allows him to be present in your information system as if he were sitting in front of a workstation. In addition, it is common for the attacker to harvest as many credentials as possible and then resell or exchange them with other malicious actors. This increases your attack surface and helps others breach you.
Once inside, the attacker will continue the lateral movement and privilege escalation phases, using Emotet to download and launch backdoors from other offensive tools like Metasploit or Cobalt Strike, as a pentester would do during an internal assessment. That is why it is really worthwhile to perform this kind of engagement, in order to increase internal security but above all to improve detection capabilities. Most of the time, it is quite hard to find the malware itself, apart from cross-checking threat intelligence IOCs at the network level or relying on antivirus detection. However, once the attacker starts to move inside your network, he will inevitably make noise that you may detect.
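As an added example (not code from the original article, nor from CERT-XLM or Emotet itself), here is a small Python detector for the noise the "Network password brute-forcer" and "Administrative share spreader" modules listed above leave in Windows Security logs, which is the kind of signal this paragraph says the attacker inevitably produces once moving laterally. It assumes the events have been exported as JSON lines with the field names shown (src_ip, host, user, share and logon_type are assumptions of this example; the event IDs 4625, 4624 and 5140 are the standard Windows ones), and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # Windows: an account failed to log on
NETWORK_LOGON = 4624    # Windows: an account was successfully logged on
SHARE_ACCESSED = 5140   # Windows: a network share object was accessed
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample export (JSON lines). Field names are an assumption of
# this example; real SIEM/agent exports name them differently. Source
# 10.0.0.25 sprays passwords at three hosts, then lands on WS-0042 and opens
# ADMIN$; 10.0.0.77 is a normal user with one typo in her password.
SAMPLE_EVENTS = r"""
{"ts":"2020-06-01T09:00:01","id":4625,"src_ip":"10.0.0.25","host":"FS01","user":"admin"}
{"ts":"2020-06-01T09:00:02","id":4625,"src_ip":"10.0.0.25","host":"FS01","user":"backup"}
{"ts":"2020-06-01T09:00:03","id":4625,"src_ip":"10.0.0.25","host":"FS02","user":"admin"}
{"ts":"2020-06-01T09:00:04","id":4625,"src_ip":"10.0.0.25","host":"FS02","user":"scan"}
{"ts":"2020-06-01T09:00:05","id":4625,"src_ip":"10.0.0.25","host":"WS-0042","user":"admin"}
{"ts":"2020-06-01T09:00:09","id":4624,"src_ip":"10.0.0.25","host":"WS-0042","user":"admin","logon_type":3}
{"ts":"2020-06-01T09:00:10","id":5140,"src_ip":"10.0.0.25","host":"WS-0042","user":"admin","share":"\\\\*\\ADMIN$"}
{"ts":"2020-06-01T09:30:00","id":4624,"src_ip":"10.0.0.77","host":"FS01","user":"alice","logon_type":3}
{"ts":"2020-06-01T09:30:01","id":5140,"src_ip":"10.0.0.77","host":"FS01","user":"alice","share":"\\\\*\\Projects"}
{"ts":"2020-06-01T09:41:00","id":4625,"src_ip":"10.0.0.77","host":"FS01","user":"alice"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a source producing >= threshold failed logons within `window`,
    counted across all target hosts and accounts: the footprint a share
    password brute-forcer leaves, even when each host sees only one or
    two failures."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        if ev["id"] == FAILED_LOGON:
            by_src[ev["src_ip"]].append(ev)
    for src, fails in by_src.items():
        start = 0  # sliding window over this source's time-sorted failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                chunk = fails[start:end + 1]
                alerts.append({
                    "rule": "share_bruteforce",
                    "src_ip": src,
                    "failures": len(chunk),
                    "hosts": sorted({f["host"] for f in chunk}),
                    "users": sorted({f["user"] for f in chunk}),
                })
                break  # one alert per source is enough for triage
    return alerts


def detect_admin_share_spread(events, window=timedelta(minutes=5)):
    """Flag a network logon (4624, logon type 3) followed within `window` by
    an access to an administrative share (5140 on ADMIN$/C$/IPC$) from the
    same source to the same host: the footprint of the admin share spreader."""
    alerts = []
    recent_logons = {}  # (src_ip, host) -> time of the last network logon
    for ev in events:
        key = (ev["src_ip"], ev["host"])
        if ev["id"] == NETWORK_LOGON and ev.get("logon_type") == 3:
            recent_logons[key] = ev["ts"]
        elif ev["id"] == SHARE_ACCESSED:
            # share names look like \\*\ADMIN$; keep only the last component
            share = ev.get("share", "").rsplit("\\", 1)[-1].upper()
            logon_ts = recent_logons.get(key)
            if share in ADMIN_SHARES and logon_ts is not None \
                    and ev["ts"] - logon_ts <= window:
                alerts.append({
                    "rule": "admin_share_access",
                    "src_ip": ev["src_ip"],
                    "host": ev["host"],
                    "user": ev.get("user"),
                    "share": share,
                })
    return alerts


def triage(text):
    """Run both rules; a source hitting both is the strongest signal."""
    events = parse_events(text)
    brute = detect_bruteforce(events)
    spread = detect_admin_share_spread(events)
    both = {a["src_ip"] for a in brute} & {a["src_ip"] for a in spread}
    return {"bruteforce": brute, "admin_share": spread,
            "likely_spreader": sorted(both)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2, default=str))
```

On the sample, the brute-force rule fires once for 10.0.0.25 (five failures across FS01, FS02 and WS-0042 in four seconds), the admin share rule fires for its ADMIN$ access on WS-0042, and the same source shows up under likely_spreader; alice's single failed logon and her access to a regular Projects share stay quiet. Thresholds and windows are starting points to tune against your own baseline, and the cross-host counting is what matters: a per-host failed-logon alert would miss a spreader that tries only a few passwords on each machine.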
Action on objectives
Sadly, for a couple of months now, the actions on objectives seem to be always the same. First, leak the internal data, most of the time the email databases or the files on shares.
Then, ransom the whole information system.
Finally, to monetize, they first try to extort money with the ransomware itself, and then, if unsuccessful, try to extort money for not leaking the stolen data. Recently, monetization has gone even further, as some groups try to sell the stolen data in auctions.
Malware detection is crucial
Since 2019, CERT-XLM has responded to numerous incidents where the breached customer faced such a scenario. Of course, the intrusion is not always driven by malware as the initial entry point; it could be by using or replaying stolen passwords against exposed assets, like brute-forcing RDP access. But malware still plays an important part in breaches. Therefore, handling the incident response upon malware detection is crucial.