Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

Emotet Return Brings New Tactics & Evasion Techniques

Security researchers tracking Emotet report its reemergence brings new tricks, including new evasion techniques to bypass security tools.

The Emotet botnet recently resurfaced following five months of quiet. Now, researchers tracking the prolific threat share details about what's new and different in its latest wave — in particular, evasion detection tactics that help attackers fly under the radar of security tools.

Emotet is often used as the entry point for infecting a business, after which criminals stay in an environment for days or weeks. They often use the time to drop secondary payloads; in its latest iteration, Emotet has used TrickBot and QakBot to spread laterally and steal credentials.

Over the last few years, this threat has been "coming in waves," says Shimon Oren, vice president of research at Deep Instinct, where researchers have been analyzing its recent activity. "We see periods of very, very high volume of activity, both in terms of new samples that are generated and are being distributed and users, and also in terms of the targets."

Emotet has been spotted across sectors and business sizes, using social engineering scams — from invoices and financial statements to COVID-19-related emails — to convince victims to click. Most of its recent victims appear to be in the US and UK; however, operators have been known to diversify distribution with local languages, says Adam Kujawa, director of Malwarebytes Labs.

"Usually it involves an email which claims to be a response to an active e-mail threat (for example, 'RE: That thing I sent ya') and includes an attached Office document," Kujawa says. "Once opened, it activates a macro script [that] downloads the malware and installs it on the system."

In addition to hijacking existing email threads, Emotet has begun to add stolen attachments to emails in order to make them seem legitimate. One of its main capabilities, Kujawa notes, is establishing a spam module on the victim's system, stealing email contacts, and automatically sending phishing attacks to a victim's colleagues. The usual methods of avoiding sketchy emails don't apply: Emotet may send an email from someone you'd expect, in a thread you're part of.

"The folks behind Emotet are masters of development when it comes to making Emotet more capable on the system, but they are also very good at finding unique ways of spreading threats on corporate networks," he adds.

Emotet has become a vast and evasive piece of malware that continues to expand its capabilities, including the ways it bypasses increasingly advanced security tools.

Deep Instinct researchers evaluated a dataset of 38,000 samples from Emotet activity from July 17 to July 28; they divided these samples into three epochs, or botnets operating independently. They also broke the samples down into 170 templates, most of which were found in one epoch, indicating operators behind each have their own Emotet loaders.

The Emotet loader, they found, contains a lot of benign code as part of its evasion techniques and could manipulate artificial intelligence–based security products that rely on both malicious and benign code when classifying files. Inserting benign code into executable files can reduce the chances of detection, and it appears Emotet's operators are using legitimate Microsoft code to do this.

Analysis revealed the benign code of recent Emotet activity may be pulled from Microsoft DLL files that are part of the Visual C++ runtime environment, or even benign software unrelated to how the malware operates, researchers explain in a blog post on their findings. Only a small portion of code used is actually malicious, hidden in code that won't raise a red flag.

"A lot of the code is there in order to confuse, especially when examining statically, but a lot of it isn't even executed," Oren explains. "A lot of it isn't even reached during the execution."

The malware has several steps to execution, which can also trip up security tools. An attack starts with a document; this downloads a file, which decrypts another file, which brings it to the final payload. Its multistage nature is complex, Oren says, because the malicious business logic is never found on disk. It resides in memory and is decrypted and unpacked in runtime.

Coming Back Stronger
The group or groups behind Emotet are conscious of the fact that your organization is more successful and can last longer when it operates in this mode of high-volume activity, Oren says. They increase their efficiency and infection rate, and the wave starts to drop as the industry gains a greater understanding of the threat. 

"Then it's time to go back to the lab, go under the radar completely, and start working on the next wave and making that as good as possible, as evasive as possible," he explains. The tactic seems to be working: After going dark for a few months, Emotet reemerges more evasive than before, with techniques that security tools often aren't equipped to handle.

Emotet usually takes breaks throughout the year, Kujawa says. Sometimes it's during summer, sometimes in winter — sometimes both. It's believed the attackers use this downtime to upgrade their tools and find new distribution methods. This time, however, there was another factor.

"It seems that once folks started working from home, we saw an increase in use of tools not meant to infect corporate networks, but to be used to infect and conduct information gathering operations on employees working from home," he says of the COVID-19 pandemic. 

There may have been too few people working in offices, at corporate endpoints, to allow for a successful campaign, he continues. The chaos of everyone establishing work-from-home policies may have made corporate networks too unstable to attack a specific target, and the bad guys were waiting until things slowed down.

It's important to note that Emotet's attackers know that their malware will be detected, stopping its functions, and there will be efforts to block their threat. "The malware developer vs. malware detector battle will rage forever," Kujawa says. They also know many organizations fail to completely secure their networks from outside access or internal infection, allowing families like TrickBot to move laterally throughout internal systems.

"So they've doubled down on the one vulnerability they can most count on, and that is fooling users," he continues. While new functionality has been added to the botnet itself, researchers have seen even more focus on how it's distributed.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.
PUBLISHED: 2020-09-30
SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names in the SSL-VPN au...
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...