Over a period of just five years, Emotet has managed to evolve into one of the most notorious cyber threats in existence – one that causes incidents that cost up to $1 million dollars to rectify, according to US-CERT. We recently reported about Emotet’s activities as well as its two infrastructure setups. This follow-up blog post focuses on Emotet’s multilayer operating mechanisms, which is one of the malware’s noteworthy features mentioned in the first blog. More extensive insight on the way this modular malware operates — as well as a discussion of the possibility that Emotet is tied to Russian-speaking actors — can be found in our research paper “Exploring Emotet’s Activities.”
Multilayer Operating Mechanisms: Document Droppers and Packed Executables
The activities of Emotet’s artifacts — its document droppers and packed executable samples — showed discrepancies in terms of when each showed signs of activity. As we’ve mentioned in our previous blog entry, we observed that the infrastructure for creating and spreading document droppers differ from that of packing and deploying its executables.
For Emotet’s document droppers, we decided to observe when the malware authors created them — as they are frequently used, easily gathered, and created in large volumes. We then took note of the time patterns by the hour and by the day the document droppers’ unique timestamps were generated.
Figure 1. Daily activity pattern of Emotet’s document droppers
Figure 2. Hourly activity pattern of Emotet’s document droppers
Figures 1 and 2 show that the creation of Emotet’s document droppers has a pattern of taking one or two days off in a week’s time, and that there are periods of inactivity between the non-working hours of 1:00 to 6:00 (UTC). We also noted that the malware authors used the document dropper tools more than twenty times a day in the month of September.
Meanwhile, our interests were piqued by Emotet’s executable samples that have been packed by a homebrew packer. We noticed that unlike usual malware packers that wipe or forge compilation timestamps in the packed samples, Emotet uses a packer that still shows some possibly legitimate timestamps from its artifacts.
We found that Emotet samples with a hash value of SHA256 30049dadda36afb0667765155aa8b3e9066511f47e017561bee7e456d4c0236d and 2f93c8c97f99c77880027b149d257268f45bce1255aeaefdc4f21f5bd744573f appeared in the wild just minutes after they were compiled, according to their compilation timestamps. To ascertain the time between an Emotet sample having being compiled to appearing in the wild, we used this expression:
delta = Math.Floor(record of first appearance – compilation timestamp)
Since it is legitimate for delta to be plotted between -24 to +24 hours, we selected 371 out of 571 samples with potentially legitimate timestamps.
From our calculation, we discovered that upon plotting delta at a shorter time interval — such as by the minute — we were able to get two groups of delta distribution. This is important to note, because our computation would have showed uniform distribution information if the timestamps were randomly forged.
Figure 3. Delta distribution (packed compilation time)
101 of the Emotet samples were packed seven hours before they were found in the wild. We refer to this as the first sample group, and its machines may have been set to the UTC +7 time zone. The other 267 samples showed delta distribution information that’s smaller than 60 minutes. This is the second sample group, and its machines might be set to the UTC +0 time zone. Meanwhile, we lack sufficient information on the third group, which is composed of the rest of the Emotet samples, because the compilation timestamps have been smashed to fake ones.
We found an interesting behavior between the two groups’ sets of machines: Emotet actors seem to be using them consecutively, as they took turns appearing in the wild.
Figure 4. The first-seen dates of the executable samples of the two sample groups (UTC +0 and UTC +7). The radius of each circle represents the number of samples found that day
The two Emotet groups’ showing up in the wild lasted between one and five days at a time, which could mean that each groups’ set of machines were used in succession to produce and deploy packed executables.
We then portrayed the activity patterns of the document droppers and the packed executable samples. We saw that on some days, new documents surfaced but no executables appeared, or vice versa. This may mean that multilayer operating mechanisms for creating document droppers and producing executable samples exist.
Figure 5. The activity patterns of the document droppers (red) and the packed executable samples (blue)
Protecting Against Emotet
Emotet spreads by tricking users to open malware-laden emails through social engineering, so avoiding opening suspicious emails can help lower the risk of infection from this threat. Emotet actors usually trick victims with financial-related email subjects and file attachments, such as “invoice,” “payments,” and “receipts” in different languages. As for emails sent with embedded URLs that deliver Emotet document droppers, take note of the URL information — malicious URLs associated with this malware usually contain country information, such as US or DE, as well as the commonly used keywords, such as “commercial,” “small business,” and “payroll,” among others.
The following are some URL examples utilized by Emotet actors:
Aside from being wary of suspicious emails, users are also advised to keep their operating systems updated, as Emotet drops SMB exploits to propagate. Since it has been known to drop browser and password grabber modules to steal user information, as well as use hacking tools to recover user passwords, the practice of regularly changing passwords will help provide protection against this malware.
More Emotet mitigation techniques, as well as an extensive analysis of Emotet’s activities, operational models, infection chains, and binaries, can be found in our research titled “Exploring Emotet’s Activities.”