Emotet resurgence packs in new binaries, Trickbot functions

Updated: One of the most dangerous modular malware variants is back with new delivery functions.
Written by Charlie Osborne, Contributing Writer

Emotet, a Banking Trojan turned devastating modular threat, has returned with upgraded functions in a new wave of attacks. 

The malware, first discovered in 2014, has evolved over the past few years from a relatively basic, singular threat into a customizable modular package used to deploy additional payloads against financial institutions, the enterprise, and consumers worldwide. 

Emotet, believed to be the work of a threat group dubbed Mealybug, stands apart because of its operator's pivot from standalone malware to malware-as-a-service. 

By opening up the Trojan to use by other cybercriminals and tampering with its code to support bolt-ons, exploit kits, and varied functionality, Emotet has now become a prevalent and popular payload distributor -- and something far more dangerous.  


According to Proofpoint researchers, between January and March 2019, Emotet accounted for almost two-thirds of all payloads delivered through phishing emails. Botnets accounted for 61 percent of all spam messages during the same timeframe. 

Successful infections by Emotet can be costly, given its destructive nature and its ability to steal credentials and forge backdoors into impacted systems. The malware has previously been detected harnessing Trickbot, a dangerous Trojan recently upgraded to be able to conduct SIM-swapping attacks.

On Wednesday, cybersecurity researchers from Netscout said that Emotet activity started to decline in May this year, but this hiatus was short-lived. In September, the team picked up a resurgence in activity, and with it, a number of changes to the malware's deployment and functionality. 

According to the team, Emotet has now begun sharing a number of obfuscation techniques already utilized by Trickbot. A new export function has also been found in executable binary functions -- used by both malware variants -- and this feature resolves API names through an export list of loaded DLLs. The API call resolution is present in both Emotet and Trickbot packers.

Update 18.11 GMT: The Cryptolaemus team detected the packer link between Emotet and Trickbot a month previously. Daily Emotet IOCs can be found here

When it comes to the main payload, Emotet has changed little in its core -- aside from command-and-control (C2) lists and RSA keys which change from version to version -- but the list of words used to create a process name for its bot has been refreshed. 

Words such as engine, finish, magnify, resapi, query, skip, and many more are used and updated alongside new binaries. 


Once researchers have secured these lists, they may be able to create signatures to root out Emotet infections on machines -- but should the list change, signature-based detection is more difficult. 
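
As an added illustration (not code from Netscout or from the original article), the sketch below shows a word-list signature of the kind described: it flags executable names made up entirely of list words. It assumes a name joins at least two list words; the function names and sample paths are constructed for the example.

```python
import ntpath

# Words quoted in the article; the real list is longer and changes with new binaries.
ARTICLE_WORDS = {"engine", "finish", "magnify", "resapi", "query", "skip"}


def split_into_words(stem, words):
    """Return list-words that exactly tile `stem`, or None if it cannot be tiled."""
    tiling = [None] * (len(stem) + 1)  # tiling[i] = words covering stem[:i]
    tiling[0] = []
    for end in range(1, len(stem) + 1):
        for word in sorted(words):
            start = end - len(word)
            if start >= 0 and tiling[start] is not None and stem[start:end] == word:
                tiling[end] = tiling[start] + [word]
                break
    return tiling[len(stem)]


def match_process_name(image_path, words=ARTICLE_WORDS, min_words=2):
    """Return the matched words if the executable name is built from the list."""
    # Assumption (not stated in the article): a name joins two or more list words.
    stem, ext = ntpath.splitext(ntpath.basename(image_path).lower())
    if ext != ".exe" or not stem:
        return None
    parts = split_into_words(stem, words)
    return parts if parts and len(parts) >= min_words else None


# Constructed sample of running-process image paths (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Windows\SysWOW64\queryskip.exe",
    r"C:\Users\user\AppData\Local\magnifyengine\magnifyengine.exe",
    r"C:\Windows\System32\query.exe",      # single word: below min_words
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\alphabeta.exe",  # stand-in for a refreshed word list
]


def scan(paths, words=ARTICLE_WORDS):
    """Map each flagged path to the list words that make up its file name."""
    return {p: m for p in paths if (m := match_process_name(p, words))}


if __name__ == "__main__":
    for path, parts in scan(SAMPLE_PATHS).items():
        print(f"FLAG {path} -> {'+'.join(parts)}")
    # The refreshed-list name is only caught once its words are added.
    print(list(scan(SAMPLE_PATHS, ARTICLE_WORDS | {"alpha", "beta"})))
```

The `alphabeta.exe` entry is missed with the original word set and caught only after the set is updated, which is the weakness of list-based signatures noted above.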


Since September, new Emotet binaries have appeared almost every day. Netscout says that each binary contains roughly 40 to 80 C2 indicators, with C2 distribution spread worldwide rather than being concentrated in particular areas. 

"Observing the changes in the way Emotet malware authors pack their binaries and other distributed malware, constantly tweak portions of the code, and alter the configuration data to defeat signatures showcases the aggressive behavior of the malware authors in ensuring that not only their binaries avoid detection, but that of their distributed malware as well making this a very effective operation that persists despite efforts to eliminate the threat," the researchers conclude. 
