Emotet trojan: by Pierguido Iezzi, Jim Koohyar Biniyaz, Riccardo Paglia
Emotet malware: Introduction
Swascan's Cyber Incident Response Team has handled and analysed a new variant of the Emotet malware, also known as Mealybug and Geodo. Emotet was first detected in 2014 and remains a concrete and extremely active threat today. It is no coincidence that in 2019 it was one of the most widespread Trojan malware families, and in recent months it has been the main cause of several data breaches.
Initially Emotet was classified as a banking Trojan. Between 2016 and 2017 the malware was updated and became a tool for downloading malicious payloads onto infected machines. Emotet has thus become a tool in the service of various criminal hacker groups.
- Emotet Trojan attack vectors
- Phases of an Emotet cyber attack
- Ransomware distribution tool
- Emotet MITRE ATT&CK
- IoC
- Emotet new wave: Indicators of Compromise
- How to defend against an Emotet ransomware attack
Emotet malware: Attack Vectors
Emotet spreads through phishing emails containing links or documents. Clicking the link or downloading the documents onto the device starts the payload. Emotet has characteristics similar to a polymorphic worm.
Emotet mainly uses:
- Word documents
- files with a .zip extension
Opening the file prompts the user to enable macros, which in turn launch PowerShell. In this way the payload connects to the Internet to download the complete Emotet malware. Emotet also uses dynamic libraries that allow the malware to update and evolve constantly while it remains persistent in the infected network.
Phases of an Emotet cyber attack
- Infection: via a malspam campaign
- Establish Persistence: creates autostart registry keys and injects into a running process
- Instruction Phase: connects to the Command & Control server
- Network Propagation: begins infecting the network
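The infection, instruction and persistence phases above leave a characteristic trail in endpoint telemetry: a Word process spawning cmd.exe, cmd.exe spawning PowerShell with hidden-window or encoded-command flags, and that PowerShell writing a Run key. The following script is an added example, not code from Swascan's analysis, that replays constructed Sysmon-style events and flags exactly that chain; the event tuple layout, the rule names and the sample command lines are assumptions made for the illustration.

```python
import re

# Constructed Sysmon-style telemetry (not from the Swascan analysis):
# (event_type, pid, ppid, image_or_registry_key, command_line_or_value)
SAMPLE_EVENTS = [
    ("process_create", 4001, 900,
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'),
    ("process_create", 4002, 4001, r"C:\Windows\System32\cmd.exe",
     "cmd /c powershell -w hidden -enc QUJDREVGRw=="),
    ("process_create", 4003, 4002,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -enc QUJDREVGRw=="),
    ("registry_set", 4003, 4002,
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     r"C:\Users\alice\AppData\Local\updater\updater.exe"),
    # Benign activity that must not trigger: Explorer launches an admin script
    ("process_create", 5001, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ("process_create", 5002, 5001,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -File C:\Scripts\backup.ps1"),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Flags typical of macro-launched PowerShell: hidden window, encoded command, download cradle
SUSPICIOUS_PS_RE = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)? hidden|downloadstring|\biex\b)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_ancestor(pid, procs, max_depth=16):
    """True if the process or any recorded ancestor is an Office application."""
    for _ in range(max_depth):
        if pid not in procs:
            return False
        ppid, image, _cmd = procs[pid]
        if image in OFFICE_IMAGES:
            return True
        pid = ppid
    return False


def detect(events):
    """Replay events in order and return (rule, pid, detail) findings."""
    procs = {}      # pid -> (ppid, image basename, command line)
    findings = []
    for kind, pid, ppid, target, detail in events:
        if kind == "process_create":
            image = basename(target)
            procs[pid] = (ppid, image, detail)
            parent = procs.get(ppid)
            # Rule 1 (Infection): an Office application spawned a shell or script host
            if parent and parent[1] in OFFICE_IMAGES and image in SHELL_IMAGES:
                findings.append(("office_spawns_shell", pid, f"{parent[1]} -> {image}"))
            # Rule 2 (Instruction): PowerShell under an Office ancestor with suspicious flags
            if (image == "powershell.exe" and SUSPICIOUS_PS_RE.search(detail)
                    and office_ancestor(pid, procs)):
                findings.append(("office_powershell_suspicious", pid, detail))
        elif kind == "registry_set":
            # Rule 3 (Persistence): Run key written by a process descending from Office
            if RUN_KEY_RE.search(target) and office_ancestor(pid, procs):
                findings.append(("run_key_from_office_chain", pid, f"{target} = {detail}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The ancestry walk matters more than the immediate parent check: Emotet's PowerShell is usually a grandchild of WINWORD.EXE via cmd.exe, so a rule keyed only on parent = Office would miss both the PowerShell stage and the Run-key write. The benign Explorer-launched script is included to show that PowerShell alone is not a signal; the Office ancestry plus the hidden/encoded flags are.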
Emotet malware: Ransomware Distribution Tool
The Emotet banking Trojan has evolved into a dropper, a program whose task is to open a backdoor on the infected device. This backdoor is used by criminal hackers to access the target directly and install malicious code such as Trojans or ransomware:
- TrickBot
- Ryuk
Emotet Trojan MITRE ATT&CK
Name | Use |
---|---|
Account Discovery: Email Account | Emotet can scrape email addresses from Outlook. |
Archive Collected Data | Emotet has been observed encrypting the data it collects before sending it to the C2 server. |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence. |
Brute Force: Password Guessing | Emotet has been observed using a hard-coded list of passwords to brute force user accounts. |
PowerShell | Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz. |
Visual Basic | Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. |
Windows Command Shell | Emotet has used cmd.exe to run a PowerShell script. |
Create or Modify System Process: Windows Service | Emotet has been observed creating new services to maintain persistence. |
Credentials from Password Stores: Credentials from Web Browsers | Emotet has been observed dropping browser password grabber modules. |
Email Collection: Local Email Collection | Emotet scrapes email data from Outlook. |
Encrypted Channel: Asymmetric Cryptography | Emotet is known to use RSA keys for encrypting C2 traffic. |
Exfiltration Over C2 Channel | Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers. |
Exploitation of Remote Services | Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation. |
Network Sniffing | Emotet has been observed to hook network APIs to monitor network traffic. |
Non-Standard Port | Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S. |
Obfuscated Files or Information | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. |
Software Packing | Emotet has used custom packers to protect its payloads. |
OS Credential Dumping: LSASS Memory | Emotet has been observed dropping password grabber modules including Mimikatz. [2] |
Phishing: Spearphishing Link | Emotet has been delivered by phishing emails containing links. |
Phishing: Spearphishing Attachment | Emotet has been delivered by phishing emails containing attachments. |
Process Discovery | Emotet has been observed enumerating local processes. |
Process Injection: Dynamic-link Library Injection | Emotet has been observed injecting into Explorer.exe and other processes. |
Remote Services: SMB/Windows Admin Shares | Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced. |
Scheduled Task/Job: Scheduled Task | Emotet has maintained persistence through a scheduled task. |
Unsecured Credentials: Credentials In Files | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. |
User Execution: Malicious Link | Emotet has relied upon users clicking on a malicious link delivered through spearphishing. |
User Execution: Malicious File | Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing. |
Valid Accounts: Local Accounts | Emotet can brute force a local admin password, then use it to facilitate lateral movement. |
Windows Management Instrumentation | Emotet has used WMI to execute powershell.exe. |
Indicators of Compromise
The IoCs are listed below:
https://www.virustotal.com/gui/file/fa90ce60234356d5733bd40987d6000b9a5086cd13c295f5d7ce6c0e64b57d2e/behavior/Lastline
Contacted URLs
Scanned | Detections | URL |
---|---|---|
2020-12-23 | 15 / 84 | http://resuco.net/wp-content/uploads/2020/12/S0K/ |
2020-12-21 | 0 / 83 | http://95.76.153.115/jx65hkqyfjtpq/ve4ifhzkxig7/gfv5c2kq87sbutd/5q3lqj/ |
2020-12-21 | 0 / 83 | https://167.71.148.58/dftpk3y5/kp03g/uyr15766q/ |
2020-12-21 | 1 / 83 | https://167.71.148.58/nb1its5x5ojep3x/hyfwe/ |
2020-12-21 | 1 / 83 | http://191.241.233.198/0wf2rfx/ckz0/ |
2020-12-21 | 0 / 83 | https://167.71.148.58/3qpwzeod/ |
2020-12-23 | 14 / 84 | http://parakkunnathtemple.com/bckup/7SDAvi/ |
2020-12-22 | 1 / 83 | http://167.71.148.58:443/wpqey1q0bse/4o6j/a0giwel/pv5pg9s867l2ojdak/rcq7v8yhp/c1nywe/ |
2020-12-21 | 0 / 83 | https://167.71.148.58/c21s32yetmkr56nn4ws/5s3dmzadwsysu28/snswzc/645u9n65/ |
2020-12-21 | 1 / 83 | https://167.71.148.58/8fm48rgppok/e5jjp3m99/ |
2020-12-23 | 9 / 84 | http://helionspharmaceutical.com/wp-admin/oXJB/ |
2020-12-21 | 1 / 83 | http://191.241.233.198/z2denkx1/fbmgeamzls8yms/xo6z30ub3fot/ |
2020-12-22 | 1 / 83 | http://118.38.110.192/jkozll/i3umgpms4tgb0gsp9bd/salkzo4k8/ |
2020-12-21 | 1 / 83 | https://167.71.148.58/edppj7qcf51gpbr1b5v/ampg8k/o0nik2pmjxkw9/kf5qk9/ |
2020-12-22 | 1 / 83 | http://181.136.190.86/c7nwzromr0/7tjxic/9v02vai9t/i892/2nuf64qxpgdm0tg/ |
Contacted IPs
IP | Detections | Autonomous System | Country |
---|---|---|---|
167.71.148.58 | 4 / 86 | 14061 | US |
191.241.233.198 | 6 / 86 | 28669 | BR |
104.18.58.55 | 0 / 89 | 13335 | US |
104.18.59.55 | 0 / 79 | 13335 | US |
46.17.172.182 | 0 / 86 | 47583 | SG |
172.67.212.64 | 0 / 88 | – | US |
68.66.248.28 | 0 / 79 | 55293 | US |
104.24.121.146 | 0 / 86 | 13335 | US |
95.76.153.115 | 6 / 86 | 6830 | RO |
172.67.189.103 | 0 / 86 | – | US |
104.24.120.146 | 0 / 86 | 13335 | US |
14.177.232.31 | 1 / 87 | 45899 | VN |
104.168.154.203 | 0 / 87 | 54290 | US |
109.73.164.58 | 1 / 87 | 33182 | IN |
192.168.0.1 | 0 / 98 | – | – |
118.38.110.192 | 6 / 86 | 4766 | KR |
181.136.190.86 | 7 / 86 | 13489 | CO |
Emotet new wave: IoC
Swascan has identified a new .dll related to the Emotet malware:
https://www.virustotal.com/gui/file/389fd7dd8a8acc2ecf6dd040100f0577a5d5967d019be8d43d1f03ebc18ca822/details
Contacted URLs
Scanned | Detections | URL |
---|---|---|
2020-12-23 | 3 / 83 | http://202.187.222.40/a6ye49bn0jyfbfv89yw/ilvxr0w1wx/zn3q59lqle1v989dkn/x166m/ |
2020-12-23 | 3 / 83 | http://202.187.222.40/6899gac3f5q6v/r0dxhmcgfmhpl/ |
Contacted IPs
IP | Detections | Autonomous System | Country |
---|---|---|---|
202.187.222.40 | 4 / 86 | 9930 | MY |
184.66.18.83 | 5 / 86 | 6327 | CA |
In particular, we point out that the IP 184.66.18.83
Command & Control IPs
- 184.66.18.83:80
- 202.187.222.40:80
- 167.71.148.58:443
- 211.215.18.93:8080
- 1.234.65.61:80
- 80.15.100.37:80
- 155.186.9.160:80
- 172.104.169.32:8080
- 110.39.162.2:443
- 12.162.84.2:8080
- 181.136.190.86:80
- 68.183.190.199:8080
- 191.223.36.170:80
- 190.45.24.210:80
- 81.213.175.132:80
- 181.120.29.49:80
- 82.76.111.249:443
- 177.23.7.151:80
- 95.76.153.115:80
- 93.148.247.169:80
- 51.255.165.160:8080
- 213.52.74.198:80
- 178.250.54.208:8080
- 202.134.4.210:7080
- 138.97.60.141:7080
- 94.176.234.118:443
- 190.24.243.186:80
- 46.43.2.95:8080
- 197.232.36.108:80
- 77.78.196.173:443
- 59.148.253.194:8080
- 212.71.237.140:8080
- 46.101.58.37:8080
- 110.39.160.38:443
- 83.169.21.32:7080
- 189.2.177.210:443
- 81.214.253.80:443
- 51.15.7.145:80
- 172.245.248.239:8080
- 177.85.167.10:80
- 178.211.45.66:8080
- 5.196.35.138:7080
- 71.58.233.254:80
- 168.121.4.238:80
- 149.202.72.142:7080
- 185.183.16.47:80
- 191.241.233.198:80
- 209.236.123.42:8080
- 190.114.254.163:8080
- 70.32.84.74:8080
- 138.97.60.140:8080
- 68.183.170.114:8080
- 192.232.229.53:4143
- 62.84.75.50:80
- 113.163.216.135:80
- 46.105.114.137:8080
- 177.144.130.105:8080
- 192.232.229.54:7080
- 192.175.111.212:7080
- 35.143.99.174:80
- 81.215.230.173:443
- 1.226.84.243:8080
- 187.162.248.237:80
- 152.169.22.67:80
- 137.74.106.111:7080
- 191.182.6.118:80
- 181.61.182.143:80
- 202.79.24.136:443
- 50.28.51.143:8080
- 85.214.26.7:8080
- 170.81.48.2:80
- 111.67.12.222:8080
- 177.144.130.105:443
- 188.225.32.231:7080
- 185.94.252.27:443
- 12.163.208.58:80
- 191.53.80.88:80
- 87.106.46.107:8080
- 122.201.23.45:443
- 181.30.61.163:443
- 104.131.41.185:8080
- 190.195.129.227:8090
- 45.184.103.73:80
- 186.146.13.184:443
- 45.16.226.117:443
- 187.162.250.23:443
- 2.80.112.146:80
- 60.93.23.51:80
- 24.232.228.233:80
- 190.251.216.100:80
- 105.209.235.113:8080
- 217.13.106.14:8080
- 190.64.88.186:443
- 118.38.110.192:80
- 111.67.12.221:8080
- 201.75.62.86:80
- 70.32.115.157:8080
- 188.135.15.49:80
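The value of the IoC lists above is in matching them against your own egress telemetry. The script below is an added example, not part of Swascan's analysis: it loads a subset of the Command & Control IP:port pairs published above, then scans constructed proxy/firewall log lines for contacts with a listed C2 (port match raises confidence) and for outbound connections on the HTTP ports the MITRE "Non-Standard Port" row and the C2 list associate with Emotet. Private addresses are skipped on purpose, because sandbox reports such as the contacted-IP table above include the lab gateway (192.168.0.1), which is not an indicator. The log format, the confidence labels and the sample lines are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of the Command & Control IP:port pairs published above (load the full list in practice).
C2_LIST = """
184.66.18.83:80
202.187.222.40:80
167.71.148.58:443
211.215.18.93:8080
202.134.4.210:7080
192.232.229.53:4143
190.195.129.227:8090
"""

# HTTP ports from the MITRE "Non-Standard Port" row and the C2 list, besides 80/443.
NON_STANDARD_HTTP_PORTS = {20, 22, 4143, 7080, 8080, 8090, 50000}

# RFC 1918 ranges to ignore: lab gateways and internal proxies are not indicators.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a simple "timestamp src dst dst_port action" format (assumption).
SAMPLE_LOG = [
    "2020-12-23T10:01:02Z 10.0.0.15 184.66.18.83 80 ALLOW",    # C2 IP and port match
    "2020-12-23T10:01:05Z 10.0.0.15 167.71.148.58 80 ALLOW",   # C2 IP, different port
    "2020-12-23T10:02:11Z 10.0.0.22 203.0.113.9 7080 ALLOW",   # unknown host, Emotet-style port
    "2020-12-23T10:03:00Z 10.0.0.22 192.168.0.1 8080 ALLOW",   # internal proxy, must be ignored
    "2020-12-23T10:04:00Z 10.0.0.31 198.51.100.7 443 ALLOW",   # ordinary HTTPS
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<action>\S+)$")


def parse_c2(text):
    """Turn 'ip:port' tokens into {ip: {ports}}; an invalid address raises ValueError."""
    c2 = defaultdict(set)
    for token in text.split():
        ip, port = token.rsplit(":", 1)
        ipaddress.ip_address(ip)          # validate before trusting the indicator
        c2[ip].add(int(port))
    return dict(c2)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan(lines, c2):
    """Return (src, dst, port, reason) for every line matching an IoC or the port heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed lines are skipped, not fatal
        src, dst, port = m.group("src"), m.group("dst"), int(m.group("port"))
        if dst in c2:
            confidence = "high" if port in c2[dst] else "medium"
            hits.append((src, dst, port, f"known Emotet C2 ({confidence} confidence)"))
        elif port in NON_STANDARD_HTTP_PORTS and not is_internal(dst):
            hits.append((src, dst, port, "outbound connection on an Emotet-associated port"))
    return hits


if __name__ == "__main__":
    for src, dst, port, reason in scan(SAMPLE_LOG, parse_c2(C2_LIST)):
        print(f"{src} -> {dst}:{port}  {reason}")
```

A contact with a listed IP on a different port is still reported, since the same hosts appear in the tables above on several ports (167.71.148.58 is seen on both 443 and as an HTTPS URL host), while the bare port heuristic is only a lead to triage, not a verdict.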
How to defend against an Emotet malware attack
In the event of a data breach caused by the Emotet Trojan, or of a phishing attack carrying malicious files, we recommend:
- Identify compromised corporate email accounts through the Domain Threat Intelligence service
- Carry out a Cyber Threat Intelligence activity to identify any botnets
- Implement Network Detection and Response and Endpoint Detection and Response systems
- Activate a SOC as a Service
- Block emails with attachments that have extensions such as .dll, .exe, etc.
- Block attachments with .zip or .rar file extensions that antivirus cannot scan
- Enable Group Policy Objects and firewall rules
- Update the antivirus system
- Carry out a network scan and the related remediation and system update plan
- Carry out penetration tests and vulnerability assessments of the exposed network
- Enable security filters on the email gateways
- Block suspicious IP addresses via the firewall
- Adopt the principle of least privilege
- Segment and isolate networks
- Disable system sharing, file sharing and printer sharing services
- Check and audit Active Directory (group policies, users and privileges)
- Scan and remove suspicious email attachments
- Pay attention to removable media (USB drives, external drives, etc.)
- Employee training and awareness
- Phishing simulation activities
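Two of the recommendations above, blocking executable attachments and blocking archives the antivirus cannot scan, are easy to state and easy to get wrong: a .exe inside a .zip, an encrypted zip entry, or a zip nested inside a zip all bypass a naive extension check. The following gateway-style attachment check is an added example, not Swascan's code: it blocks the extensions named above, recurses into .zip archives, refuses encrypted or oversized entries and over-deep nesting, and treats .rar (which the standard library cannot open) as unscannable. The extra blocked extensions beyond .dll/.exe, the size and depth limits, and the in-memory sample archives are assumptions made for the illustration.

```python
import io
import zipfile

# .dll and .exe from the recommendation above; the remaining executable and
# macro-capable types are added here as a policy assumption.
BLOCKED_EXTENSIONS = {".dll", ".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm"}
# Archive formats the standard library cannot open, so their contents cannot be scanned.
UNSCANNABLE_EXTENSIONS = {".rar", ".7z", ".iso"}
MAX_ENTRY_SIZE = 50 * 1024 * 1024   # refuse to expand oversized entries (zip-bomb guard)
MAX_DEPTH = 3                        # refuse archives nested deeper than this


def ext_of(filename):
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def check_attachment(filename, data, depth=0):
    """Return ('allow' | 'block', reason) for one attachment, recursing into .zip files."""
    ext = ext_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{filename}: blocked extension {ext}"
    if ext in UNSCANNABLE_EXTENSIONS:
        return "block", f"{filename}: archive format the gateway cannot inspect"
    if ext == ".zip":
        if depth >= MAX_DEPTH:
            return "block", f"{filename}: archive nested deeper than {MAX_DEPTH} levels"
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return "block", f"{filename}: data is not a valid zip archive"
        with zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:   # general-purpose bit 0: entry is encrypted
                    return "block", f"{filename}: encrypted entry {info.filename} cannot be scanned"
                if info.file_size > MAX_ENTRY_SIZE:
                    return "block", f"{filename}: entry {info.filename} exceeds size limit"
                verdict, reason = check_attachment(info.filename, zf.read(info), depth + 1)
                if verdict == "block":
                    return "block", f"{filename} -> {reason}"
    return "allow", f"{filename}: no policy violation"


def build_zip(entries):
    """Build an in-memory zip from (name, bytes) pairs; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (harmless placeholder bytes, not real malware)
CLEAN_ZIP = build_zip([("report.pdf", b"%PDF-1.4 constructed sample")])
NESTED_ZIP = build_zip([("docs.zip", build_zip([("invoice.exe", b"MZ constructed sample")]))])

if __name__ == "__main__":
    for name, blob in [("report.zip", CLEAN_ZIP), ("invoice.zip", NESTED_ZIP),
                       ("setup.exe", b"MZ"), ("archive.rar", b"Rar!"), ("bad.zip", b"not a zip")]:
        print(check_attachment(name, blob))
```

The check is deliberately extension-based for the files it does open; the Word documents the page describes are .doc files whose danger lies in the macro, which this filter cannot see. A gateway that has to let .doc/.docx through needs a macro inspection step on the OLE or OOXML content (for instance oletools' olevba) in addition to this policy.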