Malware Analysis of the Emotet Banking Trojan
Written by Cybersecurity Engineer, Brice Dickinson
Ever since I can remember, my Dad has always loved watching heist movies. Whether it was Ocean’s 11, Catch Me If You Can, National Treasure, or the Italian Job, if there is a heist movie on TV, he’s watching it, and more than likely changing the channels during the commercials if there are two on at the same time. Heist movies, more often than not, have some grandiose over-thought-out plan involving a select group of people chosen specifically for that heist, and while that’s entertaining, it seems to get further and further from reality as our technology advances. In this article, we will be doing some Malware Analysis to dig into what a current day heist looks like when an attacker uses malware to “rob a bank”.
Ever since the start of online banking, there have been attackers looking to steal both money and personal information using a variety of tactics with one of the more sinister methods being the banking trojan. Now before we dig in deeper we need to establish some common language that will help us understand what banking trojans are and how they work. First up is the term that most people have heard of, malware. Malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. A trojan is a type of malware that conceals its true content to fool a user into thinking it’s a harmless file. This type of malware gets its name from the large wooden horse that secretly encased Greek soldiers that were waiting until nightfall to emerge from the horse and open the gates and sack the city of Troy. While the large wooden horse trend has largely gone out of style, the “payload” carried by a banking trojan is unknown to the user, but it can act as a delivery vehicle for a variety of threats.
One of the fundamental ideas to understand when it comes to trojans, and in this case specifically banking trojans, is that although they may seem like a straightforward attack, in reality, they are made of several different parts that when combined can create some truly devastating results. These different parts will often vary from trojan to trojan as each piece of malware is constantly evolving to evade detection, but in general, there are some common components that each trojan leverages. These components are the hook, compromise, persistence, replication, payload, and exfiltration. To better understand these different components we will be examining some real-world malware that I have encountered and successfully mitigated in two different school districts, the Emotet trojan with the embedded Trickbot trojan. We will also be using the Malwarebytes Labs documentation to gain more information on these trojans as I do not have a sandboxed sample of this malware to document properly. It’s important to note that there are many other resources similar to these that we could use but I have chosen the Malwarebytes Labs documentation as it is much easier to read and understand because it was written for both the security and non-security communities. The links to these articles for further reading can be found here: Malwarebytes: Emotet, Malwarebytes Labs: Trickbot, Malwarebytes Labs: Malware Analysis Emotet Pt.1, Malwarebytes Labs: Malware Analysis Emotet Pt.2.
The hook is the initial interaction the user makes with malware. This can be delivered in a myriad of ways, however, the most common, and most effective, is through phishing. By attaching a malicious document to a phishing email, often a Microsoft Word or Excel file, the attacker has presented the user with a large wooden horse. Now, all it takes is for the user to download and view the file for the trojan to now be on the user’s system. Once the trojan is on a system the user may need to interact with it in some way to trigger the true purpose of the malware. Some trojans may require more user interaction than others but most are fairly simple to make it as easy as possible for the user to accidentally trigger the trojan. Let’s look at a real-world example to see what this looks like. The Emotet trojan distributes the trickbot trojan through a malicious Microsoft Word document. The initial phishing email is usually crafted as a fake invoice that the user then downloads and to be able to view the document, the user must click the “Enable Content” button that appears at the top of the file. This button is supposed to be used for enabling helpful macros and extensions but the attacker uses it to enable the document to use and run outside code that is stored within the document that is invisible to the user who is interacting with the document. Once that button is clicked the trojan is activated and it is akin to the Greek soldiers jumping out of the large wooden horse at Troy.
Once the trojan is triggered, the compromise is the next step in a trojan’s mission. Usually, this involves a pre-packaged vulnerability exploit that runs when the trojan is triggered, however, this vulnerability could be anything from a common well-known vulnerability that may or may not be exploitable on the user’s machine to what’s known as a Zero-Day vulnerability, meaning that only the attackers know the vulnerability exists and is exploitable and the first time the vendor or software provider learns of the vulnerability is when the vulnerability is being actively exploited by an attacker. While true Zero Day vulnerabilities are relatively rare they do happen and can have devastating consequences when weaponized by attackers. The most famous Zero-Day vulnerability is the Stuxnet virus that was used by the United States and Israel in 2010 to stealthily manipulate the speed of the sensitive enrichment centrifuges to disrupt and slow down the Iranian Nuclear Program. For more information on this wild story and the aftermath it created, check out this Wired article: An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.
The Emotet trojan uses strings of obfuscated code, code that is purposefully encoded in several different ways, to hide its true intent and attempt to hide from antivirus signatures and compromise the affected system by obtaining administrative credentials and downloading additional trojans to further compromise the affected system. Once decoded, we can see that this obfuscated code also runs a PowerShell command that calls back out to the internet to download the true Emotet payload on the affected system. This obfuscated code also drops a secondary trojan that runs automatically with no user interaction, called Trickbot, as well as creates a new program called itsportal.exe, although it could be named many different things, and writes that program to the system’s memory. This memory writing process is called persistence and is the 3rd step in the trojan’s mission to take over the system. The goal of persistence for the malware is to remain on the system even if the user removes the malicious program or file. It does this by writing to the memory buffers to create a cyclical cycle of callbacks that can even survive a restart of the affected system. For a technical breakdown of the Emotet memory buffer sequence, check out Fortinet’s threat research article: A Deep Dive into the Emotet Malware.
The Emotet trojan also creates lateral persistence, which is persistence in the network environment by compromising additional systems across the network. This is the Replication step. Emotet uses the Trickbot trojan which uses a pre-packaged exploit, EternalBlue (MS17-010) to replicate across the network. Doing this can result in a total compromise of the network and reduce the effectiveness of remediation efforts as an infected system will re-infect previously cleaned devices. Each affected system would need to be isolated, patched, and remediated one by one, slowing remediation effects. For more information on EternalBlue and how it works check out this Article from SentinelOne: EternalBlue Exploit: What It Is And How It Works. Along with lateral replication, Emotet also establishes a C2 channel, also known as a Command and Control channel, to communicate out to the attackers via the web. This can also be used for receiving updates to attempt to evade antivirus detection.
So far we have seen how a user can accidentally download and trigger the trojan as well as how the trojan infects the system to stay alive and replicate to other devices, but what does it do once the system is infected? At its core, Emotet is a banking trojan and its ultimate goal is to get your banking information and send it back to the attackers so they can access your account at a later time without you ever knowing. To do this, Emotet uses a modular approach. The modules are made to be interchangeable and can be taken out or changed out for other modules depending on the target. The most common modules are a module for modifying HTTP(S) traffic, a Spam module, a module for the collection of email addresses, a module for stealing email account data, a password cracking module, and a module designed for organizing DDoS attacks. All of these modules contribute to the overall payload and when executed together can modify your internet traffic, compromise your email account, compromise your passwords, send out more malicious trojans to your email contacts lists, steal your banking account data, and prevent you from doing anything about it as the trojan communicates back to the attackers with all of the stolen information. This communication back to the attackers is the final stage of the trojan, called exfiltration, which simply just means the unauthorized movement of data.
All of these steps together make one powerful piece of malware that can cause total devastation to a network if the proper steps are not taken beforehand. As with all cybersecurity threats, we are not helpless in preventing these kinds of threats from entering or amassing in our networks. Enforcing Multi-Factor Authentication (MFA) on all accounts, practicing the principles of least privilege, and proper phishing and social engineering training can reduce our risk of these kinds of attacks. While these controls will not eliminate the threat, they will, however, allow us to detect, remediate, and eliminate the threats before the threats eliminate us.
For help implementing Multi-Factor Authentication (MFA) on all accounts, and more Cybersecurity best practices, click below to schedule a meeting with our team.