Emotet Kill Chain Added to BreakingPoint Attack Campaigns
2020-09-15 | 9 min read
By Kang-Wei Chang | Keysight’s Application and Threat Intelligence (ATI) research team released a new type of cyber-attack campaign this month. BreakingPoint Attack Campaigns are a group of attacks called Strikes that, when executed in the correct sequence, represent part of a real-world attack kill chain. Read these blogs for more information on Attack Campaigns:
The latest strikes for BreakingPoint application and security testing, ATI-2020-17 StrikePack, includes a new attack campaign named Emotet August 2020 Campaign.
According to MalwareBytes, Emotet has been used in attacks dating back to 2014, and it is still evolving and circulating in the wild. Emotet was originally designed and used to attack larger banking corporations in the past, but over the years it has changed a lot in how it functions by attacking individual users to exfiltrate specific user information. To help our customers recognize and stop these attacks, we have increased our coverage by adding them to our threat intelligence library.
The campaign simulates the malicious network communication that occurs after a user has received a phishing email and clicks on the link pointing to a malicious Word document. By opening the document, the user will download and execute a malicious executable file with an “exe” file extension. From this point, the malware is retrieved and call-backs to the command and control (C&C) are executed. The campaign simulates the malicious behavior captured and observed by ATI researchers, and it includes 4 strikes as shown in the following image.
Figure 1: Emotet Aug 2020 campaign
The malware campaign begins with a malicious email phishing attempt. The first strike, P20-cire1, simulates a phishing email that has been seen in the wild that contains shipment information with a malicious link.
The second strike, M20-rb001, simulates the network-visible actions that occur if a user has clicked the link. The strike performs an HTTP GET request, resulting in the download of the ‘Word’ module over the transport protocol HTTP.
The third strike, M20-ckq01, simulates the network-visible actions that occur if a user has opened the malicious Word document. The strike performs an HTTP GET request, resulting in the download of the ‘Emotet’ binary over the transport protocol HTTP.
The fourth strike, B20-ii101, simulates the successful installation of the ‘Emotet’ binary. The victim issues an HTTP POST request with encrypted data that contains the host information and process name, and the attacker replies with an HTTP 200 OK Server Response and unknown binary data.
Figure 2: Encrypted data contains victim host information and process name
Analysis of Sample
The following are some interesting techniques observed during the sample analysis.
Sample hash: 876c29a8dd6ceefa0633a5f651e111cbcd13457d
We start from the third strike (M20-ckq01) malware sample -- malicious Word file.
Opening the doc file will secretly execute the following PowerShell command:
The command body is Base64 encoded, which we can easily decode. The output looks like the following:
Figure 4: Obfuscated PowerShell Command
The output above is an obfuscated PowerShell script comprised of junk code mixed with capital letters. After removing the junk code, renaming the variables, and breaking it into line-delimited readable code, we can recover the original format.
Figure 5: Script after de-obfuscation
The malicious PowerShell script will contact the C2 server via an HTTP GET request and download the next stage 113.exe to execute from the list of URIs present in the image above. If a connection cannot be made to one host, it tries to connect to the next in the list. After the execution, 113.exe will drop the final Emotet binary under "C:\Users\admin\AppData\Local\" and start the Emotet binary.
The Emotet binary includes anti-debug techniques like the Windows API IsDebuggerPresent, as well as some other anti-analysis indirect API calls. Malware often uses anti-debugging techniques like OutputDebugString, CheckRemoteDebuggerPresent, and QueryInformationProcess to hinder or slow down the analysis process. IsDebuggerPresent is a more commonly seen technique used to prevent analysis by detecting whether a Debugger is present on the host system. It does this by checking BeingDebugged bit in the Process Environment Block when the API is called to see if it has been set.
It performs other anti-analysis like avoiding a direct call to the InternetOpen WinAPI for the CNC connection. The InternetOpen WinAPi is commonly used to initialize multiple network-related APIs for an application’s use, but the malware instead uses an indirect call like call eax. An indirect call can increase difficulty during static analysis by replacing the actual API function with a register like eax.
This Emotet sample is using runtime dynamic linking techniques to avoid static analysis tools like IDA. Because it uses run-time dynamic linking, it is not necessary to link the module with an import library for the DLL, and thus we are not able to see as many relevant and useful DLLs in the Imports section for the binary. After the API has been dynamically resolved, it uses the native Windows API BCryptEncrypt to encrypt the victim’s information/processes before sending the information back to the CNC server via TCP.
Figure 7: Using BcryptEncrypt for the data encryption
Figure 8: CNC traffic data before encryption
Figure 9: Attacker reply traffic
Malware can hide in many kinds of files including emails and documents. All it takes is a single click to allow malware infection, file encryption, or data exfiltration to compromise the targeted system. In this blog post, we described in detail what we observed from an August 2020 Emotet campaign that used a phishing email to download a malicious document that, when executed, compromises the victim’s machine.
Beyond what was shown from this sample of Emotet malware, it can cause a much wider range of damaging effects that include business damage, stolen property, and sensitive information disclosure. The ATI research team continues to strive to deliver valuable, timely content of this nature in every release. As these threats emerge, we will continue to be vigilant in researching the threat and re-creating how it operates so that our customers are better prepared to recognize it in the future.
Leverage Subscription Service to Stay Ahead of Attacks
Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of BreakingPoint have now access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.