Dismantled at the beginning of 2021 by an international coalition of police and justice forces, the Emotet botnet was reactivated. It rebuilds itself through the Trickbot malware.
A bittersweet victory? At the end of January 2021, Europol, allied with several police and justice forces at the international level (including the National Police), struck a blow by announcing that it had taken control of the infrastructure of the dreaded Emotet botnet. This network of zombie computers, built with the trojan of the same name, seemed to have bitten the dust. At least, that’s what we thought before security researchers from German security solution provider G Data sounded the alarm: “We have reason to assume with certainty that Emotet is active again and currently distributed via Trickbot”.
According to security researcher Luca Ebach of G Data, Trickbot is indeed being used to install Emotet on targeted systems. The infection vectors remain classic, mainly e-mails carrying an infected attachment or a malicious link. Trickbot is a well-known trojan, identified since 2016 and historically used for banking data theft. Over time, cybercriminals have extended its capabilities, for example by equipping it with a cookie-stealing module to collect email credentials and contacts from mailboxes’ address books.
Emotet 2.0 in the time of HTTPS
“On Sunday, November 14, at approximately 21:26 UTC, we observed on several of our Trickbot trackers that a bot attempted to download a DLL onto the system. After an internal analysis, these DLLs were identified as Emotet”, explains Luca Ebach. “A notable feature of the latest Emotet samples was the heavy use of control flow flattening to obfuscate code. The current sample also contains flattened control flows”. According to his research, this sample seems to have been compiled just before its deployment via several Trickbot botnets was observed. The network traffic from this sample resembles what has been observed before, including a random resource path in the URL and the malicious request payload being transferred in a cookie. “However, the encryption used to hide the data appears different from what has been seen in the past. Additionally, the sample now uses HTTPS with a self-signed server certificate to secure network traffic,” says Luca Ebach. Previously, plain HTTP was used.
Brad Duncan, creator of the Internet Storm Center malicious traffic analysis service, provided details on the infection vectors of this resurrection of Emotet. “We found emails from a recently relaunched Emotet botnet on Monday 11/15/2021 that have one of three attachment types: Microsoft Excel spreadsheet, Microsoft Word document, and password-protected zip archive (password: BMIIVYHZ) containing a Word document”, indicates the researcher. These booby-trapped emails are distributed via address spoofing and from stolen email data presumably collected from previously infected Windows hosts.
Malicious files, URLs and DLLs identified
Given the situation, it is therefore important to be extra vigilant and to warn employees of the increased risk of clicking on this type of email. The following malicious files, URLs and DLLs have been identified.
The attachments contain these malicious URLs:
– hxxp://av-quiz[.]tk/wp-content/k6K/
– hxxps://goodtech.cetxlabs[.]com/content/5MfZPgP06/
The following DLL SHA-256 hashes have also been identified as belonging to this new version of Emotet:
– 0b132c7214b87082ed1fc2427ba078c3b97cbbf217ca258e21638cab28824bfa
– 373398e4ae50ecb20840e6f8a458501437cfa8f7b75ad8a62a84d5c0d14d3e59
– 29de2e527f736d4be12b272fd8b246c96290c7379b6bc2d62c7c86ebf7f33cd4
– 69efec4196d8a903de785ed404300b0bf9fce67b87746c0f3fc44a2bb9a638fc
– 9c345ee65032ec38e1a29bf6b645cde468e3ded2e87b0c9c4a93c517d465e70d
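The indicators above are published defanged (hxxp, [.]), so a defender has to refang them before comparing them with proxy logs or a file-hash inventory. The script below is an added example written for this article, not code from G Data, the Internet Storm Center or the article's author: it refangs the two URLs, matches them against web-proxy lines (reporting a full-URL hit separately from a request to the same host on another path, since a compromised staging server may host more than one payload), and matches the five DLL hashes against sha256sum-style inventory lines. The log and inventory formats are assumptions, and the sample lines are constructed, not real telemetry.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Indicators exactly as published in the article (defanged form).
EMOTET_DEFANGED_URLS = [
    "hxxp://av-quiz[.]tk/wp-content/k6K/",
    "hxxps://goodtech.cetxlabs[.]com/content/5MfZPgP06/",
]
EMOTET_DLL_SHA256 = {
    "0b132c7214b87082ed1fc2427ba078c3b97cbbf217ca258e21638cab28824bfa",
    "373398e4ae50ecb20840e6f8a458501437cfa8f7b75ad8a62a84d5c0d14d3e59",
    "29de2e527f736d4be12b272fd8b246c96290c7379b6bc2d62c7c86ebf7f33cd4",
    "69efec4196d8a903de785ed404300b0bf9fce67b87746c0f3fc44a2bb9a638fc",
    "9c345ee65032ec38e1a29bf6b645cde468e3ded2e87b0c9c4a93c517d465e70d",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.] or (.)) back into its real form for matching."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")


_URL_RE = re.compile(r"^(https?)://([^/\s]+)(/\S*)?$", re.IGNORECASE)


def split_url(url: str) -> tuple[str, str, str]:
    """Return (scheme, host, path); scheme and host lower-cased, path defaults to '/'."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not an http(s) URL: {url!r}")
    scheme, host, path = m.groups()
    return scheme.lower(), host.lower(), path or "/"


@dataclass(frozen=True)
class Match:
    kind: str       # "url" (full indicator), "host" (same server, other path) or "sha256"
    indicator: str  # the refanged indicator that fired
    line: str       # the log line that matched


def scan_proxy_log(lines: Iterable[str], defanged_urls: Iterable[str]) -> list[Match]:
    """Match web-proxy lines against the URL indicators.

    Assumed (constructed) line format: "<timestamp> <client_ip> <method> <url> <status>".
    """
    indicators = [split_url(refang(u)) for u in defanged_urls]
    hits: list[Match] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        try:
            _, host, path = split_url(fields[3])
        except ValueError:
            continue
        for scheme, ihost, ipath in indicators:
            if host != ihost:
                continue
            kind = "url" if path.startswith(ipath) else "host"
            hits.append(Match(kind, f"{scheme}://{ihost}{ipath}", line))
            break
    return hits


def scan_hash_inventory(lines: Iterable[str], hashes: Iterable[str]) -> list[Match]:
    """Match sha256sum-style lines ("<sha256>  <path>", assumed format) against the DLL hashes."""
    wanted = {h.lower() for h in hashes}
    hits: list[Match] = []
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, _path = parts
        if digest.lower() in wanted:
            hits.append(Match("sha256", digest.lower(), line))
    return hits


# Constructed sample data for a dry run; not real telemetry.
SAMPLE_PROXY_LOG = [
    "2021-11-15T09:12:01Z 10.0.0.12 GET http://av-quiz.tk/wp-content/k6K/ 200",
    "2021-11-15T09:12:03Z 10.0.0.12 GET https://goodtech.cetxlabs.com/content/other/ 200",
    "2021-11-15T09:12:05Z 10.0.0.33 GET https://example.com/index.html 200",
    "garbage line",
]
SAMPLE_HASH_INVENTORY = [
    "0b132c7214b87082ed1fc2427ba078c3b97cbbf217ca258e21638cab28824bfa  C:\\Users\\u\\AppData\\Local\\Temp\\x.dll",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  C:\\Windows\\System32\\kernel32.dll",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG, EMOTET_DEFANGED_URLS)
    found += scan_hash_inventory(SAMPLE_HASH_INVENTORY, EMOTET_DLL_SHA256)
    for m in found:
        print(f"[{m.kind}] {m.indicator}: {m.line}")
```

On the constructed data the scan reports one "url" hit, one "host" hit (same server, different path) and one "sha256" hit; a "host" hit is weaker evidence than a full URL match and is worth triaging rather than blocking outright. Because the new samples talk HTTPS with a self-signed certificate, URL-path matching only works at a TLS-inspecting proxy; otherwise host or certificate logging is the place to look.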