Malware - Ransomware

Emotet Malware Returns to Exploit a World on Edge

Adrien Gendre

October 09, 2020

20 min

Emotet Malware

Relatively silent for most of 2020, apart from a burst of activity in January, Emotet malware reemerged in July with a series of global attacks. It’s not surprising that Emotet went dormant for several months—this is their typical pattern. It is surprising that it took them so long to exploit the turmoil that grips most of the world due to the pandemic.

The return of Emotet malware

Emotet’s spring hiatus came as the COVID-19 pandemic swept the globe. While other threat actors emerged en masse with a wave of COVID-19 themed spam and phishing attacks, Emotet remained silent. Whether they missed their opportunity or were simply honing their techniques and code in anticipation of this most recent wave is difficult to say. But when Emotet did return it did so with a bang.

The botnet that is typically a precursor to additional malware and ransomware attacks sent a massive wave of malspam to Outlook users in July, prompting a July 17 warning from Microsoft.

The return of Emotet malware

French, Japanese, and Australian security agencies sent urgent warnings about Emotet in early September. France in particular hit peak levels of panic, with the French Interior Ministry blocking all Office documents from being delivered via email. Weeks later, Italy and the Netherlands issued warnings.

Microsoft issued an additional warning after a new wave emerged, with emails crafted mostly in English but also in some European languages. Emotet emails transiting through Microsoft Outlook can have a cataclysmic effect. Once a computer is infected with Emotet, the virus gets to work, swiping credentials and data, which are then sold to other malware gangs, who use the data to launch ransomware attacks.

Recent Emotet activity and techniques

Like a lot of malspam, Emotet emails are unsophisticated in appearance. Many of the captured Microsoft samples include outdated Microsoft text. In some cases, they include Word doc attachments that appear to be created in the now-retired Windows 10 mobile, a clear mistake on the part of threat actors, which they quickly cleaned up. However, the emails contain heavily obfuscated URLs and macros.

This is especially bad news for businesses that rely on signature-based email filters. These types of filters can recognize known malware code, but they struggle with obfuscation and polymorphic viruses.

Sandboxing is equally useless against Emotet malware, which is virtual-machine (VM) aware. Able to recognize that it is in a virtual environment, such as a sandbox, it can go dormant or even change its code while in the VM.

A hallmark of Emotet malware is its ability to steal credentials. When it is downloaded onto a computer, Emotet often unleashes additional tools, including Outlook scraper, which steals email addresses and even email threads.

Together, they allow hackers to send phishing emails as replies to legitimate email threads. Thread hijacking leaves recipients unable to recognize that email senders are not who they appear to be.

PDFs are still in rotation, but we’re currently seeing a high volume of password-protected .ZIP files containing Word docs with malicious URLs and macros. Around 1,000 captured samples feature thread hijacking, including the French sample below in which the hacker replies to an email thread with an “urgent quote”:

Recent Emotet activity and techniques

Below is another example of thread hijacking. In this English example, the hacker doesn’t bother with conversation, but responds to the thread with a .ZIP file and archive password. This approach might be lazy, but the average user might not be suspicious of a direct-reply email, especially if the subject or purported sender are important:

Recent Emotet activity and techniques

Most samples captured by Vade Secure are sent from hacked accounts, including Japanese Emotet malware emails originating from Vietnam, India, Brazil, Germany, and the U.S. The below example of a hijacked thread features typical business correspondence. However, it’s generic and doesn’t include any specifics details or inside knowledge about the target, indicating the hacker knows little—if anything—about them:

Blocking Emotet malware

Emotet is certainly unique, but it displays the same anomalies as any other malware. Vade Secure focuses on analyzing the behavior of emails and attachments for that reason. We use heuristic rules that are updated daily by our SOC. As new intelligence emerges, either from the filter or our feedback loop, new rules are created.

Vade Secure analyzes emails and parses URLs and files, including .ZIP files, Word documents, and PDFs, in real time. We also scan for signatures, but the constantly changing nature of viruses like Emotet make behavioral analysis the most effective method of malware detection.

A Word document with malicious macros, for example, might not feature a recognizable malware signature, but it will include anomalies that we can recognize. The same is true of PDFs. Examples of common anomalies include executable files and excessive special characters. Non-Latin alphabetic characters, such as Chinese or Cyrillic (Russian), are also anomalous and highly suspicious in most scenarios.

Code obfuscation, even done well, also reveals itself through anomalies, including useless code, otherwise known as “noise” or “dead code”. Vade threat analyst, Thomas Gendron, wrote a comprehensive malware analysis that reveals how one Emotet hacker used code obfuscation to hide a Powershell command in a Word macro—a popular technique in recent attacks. Read the full analysis here.

Password-protected files containing malicious documents are among the most difficult to block for most filters. Although we cannot scan the content of password-protected .ZIP files, we can see the list of documents contained in those files, which provide clues.

We have heuristic rules for .ZIP files in general but also specifically for Emotet based on its behavior, including the file-compression technique, the names of the file and archive, and length and format of the password. Our heuristic rules for these and other indicators consistently identify and block Emotet attacks.

Overall, Vade Secure uses 10,000 heuristic rules to identify malware, phishing, spear phishing, and spam. Additionally, the Vade Secure SOC monitors for known IPs and URLs used by Emotet and adds them to the filter on a daily basis. With this behavioral approach, we have the ability to block malware without knowing the payload—in some cases, without having to analyze the file.

To give our Vade Secure for Microsoft 365 users more visibility into the Emotet threats targeting their businesses and clients, Vade Secure created a custom filter for Emotet in the Current Events feature.

Blocking Emotet malware

Any email that is either classified by Vade Secure as Emotet via heuristic rules or associated with a known Emotet URL or IP can be identified in Current Events. For MSPs, this feature provides clients with peace of mind that their MSP is proactively responding to Emotet and that it is being contained.

Learn more about Vade Secure’s Anti-Malware and Anti-Ransomware solution.