Glimpsing inside the trojan horse: An insider analysis of Emotet

Max Heinemeyer, Director of Threat Hunting | Thursday January 10, 2019

While both traditional security tools and the attacks against them continue to improve, advanced cyber-criminals are increasingly exploiting the weakness inherent to any organization’s security posture: its employees. Designed to mislead such employees into compromising their devices, computer trojans are now rapidly on the rise. In 2018, Darktrace detected a 239% year-on-year uptick in incidents related specifically to banking trojans, which use deception to harvest the credentials of online banking customers from infected machines. And one banking trojan in particular, Emotet, is among the costliest and most destructive malware variants currently imperilling governments and companies worldwide.

Emotet is a highly sophisticated malware with a modular architecture, installing its main component first before delivering additional payloads. Further increasing its subtlety is the fact that Emotet is considered to be ‘polymorphic malware’, since it constantly changes its identifiable features to evade detection by antivirus products. And, as will be subsequently discussed in greater detail, Emotet has advanced persistence techniques and worm-like self-propagation abilities, which render it uniquely resilient and dangerous.

Since its launch in 2014, Emotet has been adapted and repurposed on numerous occasions as its targets have diversified. Initially, Emotet’s primary victims were German banks, from which the malware was designed to steal financial information by intercepting network traffic. By this past year’s end, Emotet had spread far and wide while shifting focus to U.S. targets, resulting in permanently lost files, costly business interruptions, and serious reputational harm.

How Emotet works

(Image courtesy of US-CERT)

Emotet is spread by targeting Windows-based systems via sophisticated phishing campaigns, employing social engineering techniques to fool users into believing that the malware-laden emails are legitimate. For instance, the latest versions of Emotet were delivered by way of Thanksgiving-related emails, which invited their American recipients to open an apparently innocuous Thanksgiving card:

These emails contain Microsoft Word documents that are either linked or attached directly. The Word files, in turn, act as vectors for malicious macros, which must be explicitly enabled by the user to be executed. For security reasons, running macros by default is disabled in most of the latest Microsoft application versions, meaning that the cyber-criminals responsible must resort to tricking users in order to enable them — in this case, by enticing them with the Thanksgiving card.

Once the macros are enabled, the Word file is executed and a PowerShell command is activated to retrieve the main Emotet component from compromised servers. The trojan payload is then downloaded and executed into the victim’s system. As mentioned above, Emotet payloads are polymorphic, often allowing them to slip past conventional security tools undetected.

How Emotet persists and propagates

Once Emotet has been executed on the victim’s device, it begins deploying itself with two main objectives: (1) achieving persistence and (2) spreading to more machines. To achieve the first aim, which involves resisting a reboot and various attempts at removal, Emotet does the following:

  • Creates scheduled tasks and registry key entries, ensuring its automatic execution during every system start-up.
  • Registers itself by creating files that have randomly generated names in system root directories, which are run as Windows services.
  • Typically stores payloads in paths located off AppData\Local and AppData\Roaming directories that it masks with names that appear legitimate, such as ‘flashplayer.exe’.

Emotet’s second key goal is that of spreading across local networks and beyond in order to infect as many machines as possible. To this end, Emotet first gathers information on both the victim’s system itself and the operating system it uses. Following this reconnaissance stage, it establishes encrypted command and control communications (C2) with its parent infrastructure before determining which payloads it will deliver. After reporting a new infection, Emotet downloads modules from the C2 servers, including:

  • WebBrowserPassView: A tool that steals passwords from most common web browsers like Chrome, Safari, Firefox and Internet Explorer.
  • NetPass.exe: A legitimate tool that recovers all the network passwords stored on the system for the current logged-on user.
  • MailPassView: A tool that reveals passwords and account details for popular email clients, such as Hotmail, Gmail, Microsoft Outlook, and Yahoo! Mail.
  • Outlook PST scraper: A module that searches Outlook’s messages to obtain names and email addresses from the victim’s Outlook account.
  • Credential enumerator: A module that enumerates network resources and attempts to gain access to other machines via SMB enumeration and brute-forcing connections.
  • Banking trojans: These include Dridex, IceID, Zeus Panda, Trickbot and Qakbot, all of which harvest banking account information via browser monitoring routines.

Whilst the WebBrowserPassView, NetPass.exe and MailPassView modules are able to steal the compromised user’s credentials, the PST scraper module can ransack the user’s contact list of friends, family members, colleagues and clients, enabling Emotet to self-propagate by sending phishing emails to those contacts. And because such emails are sent from the hijacked accounts of known acquaintances and loved ones, their recipients are more likely to open their infected attachments and links.

Emotet’s other self-propagation method is via brute-forcing credentials using various password lists, with the intent of gaining access to other machines within the network. When unsuccessful, the malware’s repeated failed login attempts can cause users to become locked out of their accounts, and when successful, the victims may become infected without even clicking on a malicious link or attachment. These tactics have collectively made Emotet remarkably durable and widespread. Indeed, in line with Darktrace’s discovery that incidents related to banking trojans have increased by 239% from 2017 to 2018, Emotet alone recorded a 39% increase, and the worst may be yet to come.

How AI fights back

Emotet presents significant challenges for traditional security tools, both because it exploits the ubiquitous vulnerability of human error, and because it is designed specifically to bypass endpoint solutions. Yet unlike such traditional tools, Darktrace leverages unsupervised machine learning algorithms to detect cyber-threats that have already infiltrated the network. Modelled after the human immune system, Darktrace AI works by learning the individual ‘pattern of life’ of every user, device, and network that it safeguards. From this ever-evolving sense of ‘self,’ Darktrace can differentiate between normal and anomalous behaviour, allowing it to identify cyber-attacks in much the same way that our immune system spots harmful germs.

Recently, Darktrace’s AI models managed to detect a machine on a clients’ network that was experiencing active signs of an Emotet infection. The device was observed downloading a suspicious file and, shortly thereafter, began beaconing to a rare external destination, likely reporting the infection to a C2 server.

The device was then observed moving laterally across the network by performing brute force activities. In fact, Darktrace detected thousands of Kerberos failed logins, including to administrative accounts, as well as multiple SMB session failures that used a range of common usernames, such as ‘admin’ and ‘exchange’. Below is a graph showing the SMB and Kerberos brute-force activity on the breached device:

In addition to the brute-forcing activity performed by the credential enumerator module, Darktrace also detected another payload that was potentially functioning as an email spammer. The infected machine started to make a high number of outgoing connections over common email ports. This activity is consistent with Emotet’s typical spreading behaviour, which revolves around sending emails to the victim’s hijacked email contacts. Below is an image of Darktrace models breached during the reported Emotet infection:

By forming a comprehensive understanding of normalcy, Darktrace can flag even the most minute anomalies in real time, thwarting subtle threats like Emotet that have already circumvented the network perimeter. To counter such advanced banking trojans, cyber AI defenses like Darktrace have become an organizational necessity.

Flying under the radar: How Darktrace detects ‘low and slow’ cyber-attacks

Dave Palmer, Director of Technology | Monday December 3, 2018

Introduction

The speed of today’s most advanced threats can be devastating. In the few minutes it takes a security analyst to step away from her screen to grab a coffee, ransomware can take down thousands of computers before human teams or traditional tools have the chance to respond. And while big, fast threats are more likely to grab the headlines, cyber-attacks which do the opposite can be just as dangerous. The latest escalation in the cyber arms race sees attackers choosing stealth over speed and cunning over chaos.

As defenders work to rapidly deploy new security and detection technologies, malware authors have been similarly innovative, working to find a means of evading them. New ‘low and slow’ attacks are able to bypass traditional security tools because each individual action compiling the larger threat is too small to detect. These attacks are designed to operate over a longer period of time – and by minimizing disruption to any data transfer or connectivity levels, they blend into legitimate traffic.

For advanced and well-resourced actors like nation states in search of valuable intellectual property or sensitive political records, subtle and prolonged exposure to the systems they attack is a significant benefit. When it comes to the most sophisticated threats, slow and steady really can win the race.

Nevertheless, detection of low and slow attacks is possible with advanced machine learning techniques. To do so, contextual knowledge is critical; by modeling the subtle and unique ‘patterns of life’ of every user, device, and the network as a whole, AI-powered defenses are, for the first time, winning this battle.

This blog explores how attackers use low and slow techniques during multiple stages of the kill chain to achieve their eventual goal. We examine three real-world case studies, drawn from over 7,000 deployments of the Enterprise Immune System, to demonstrate how cyber AI detects low and slow reconnaissance, data exfiltration, and command-and-control activity.

Low and slow reconnaissance

By monitoring the behavioral pattern of devices and users, Darktrace AI is able to learn an evolving profile for expected activity. Armed with this understanding of ‘normal’ for the network, it can then identify significant anomalies indicative of a threat. It does all this without relying on training sets of historical data, enabling the technology to spot threats that other tools miss.

On the network of a European financial services firm, Darktrace discovered a server conducting port scans of various internal computers. This type of network scanning is regularly performed for legitimate testing purposes by administrative devices, but it is also a tactic for attackers to identify vulnerabilities and points of compromise – an early stage of an attack.

Over a duration of 7 days, the server made around 214,000 failed connections to 276 unique devices. However, only a small number of ports were targeted per day. The attack was sequential, but slow over time. Measured in one day, the level of disturbance was minimal enough to evade all rules-based defenses. Nevertheless, by learning ‘self’ across the entire digital business over time, cyber AI can detect even the subtlest deviation from ‘normal’ relative to the individual device, user, or network. Darktrace recognized the longer pattern of network scanning and alerted the customer immediately.

Advanced search view showing regular connections to closed ports over the scanning period.

Low and slow data exfiltration 

At an industrial manufacturing company, a desktop was identified establishing over 2,000 connections to a rare host over a 7-day period. During this time, a total of 9.15GB of data was transferred externally. No single connection transmitted more than a few MB of data – an amount which, if viewed in isolation, would not be cause for concern. However, the destination for these connections was 100% rare for the network and maintained that level of rarity for the entire period of exfiltration. This not only flagged the activity as initially suspicious, but also prevented it from being absorbed into legitimate traffic. Combined with the accumulated volume of data leaving the network, Darktrace AI identified this as significant deviation in the device’s behavior, indicating a threat in progress.

Steady exfiltration of data over a 7-day period.

A series of model breaches (orange circles) occurring throughout the period of steady external data exfiltration (blue line).

Low and slow command and control

Darktrace is extremely successful in finding malware infections before they appear on open-source threat lists, a crucial ability when stopping the most serious, never-before-seen threats. This is achieved in large part by detecting beaconing patterns rather than relying on signatures. Beaconing occurs when a malicious program attempts to establish contact with its online infrastructure. Similar to network scanning, it creates a surge in outgoing connections.

Darktrace was deployed in a corporate network where a device was found making connections at steady intervals to a malicious browser extension. The average rate of connection was 11 connections every 4 hours – a low activity level which could easily have blended into legitimate internet traffic. Having identified the regularity of these connections, Darktrace’s AI assigned a high beaconing score, which indicated that they were likely initiated by an automated process. If we include the fact that the destination was rare, it became clear that this was caused by a malicious background program that was running unbeknownst to the user.

Regular low-level beaconing over a 7-day period.

As cyber security advances, attackers will develop increasingly sophisticated methods to operate under the radar. Traditional cyber security tools which work in binary ways based on historical data – either the upload exceeded a predefined limit or not – cannot keep up. This new era will see AI proven crucial because of its ability to learn a constantly-evolving ‘pattern of life’ for a network over the duration of its deployment. This allows Darktrace AI to effectively locate the disturbances in connectivity levels – no matter how small – that have been caused by malicious or non-compliant activity. Fundamentally, this enables Darktrace to discover in-progress attacks and then autonomously respond, neutralizing them before they become a crisis.

High-profile, fast-moving attacks like NotPetya and WannaCry have encouraged some organizations to focus on preventing certain types of threat, at the expense of others – and hackers are catching on. By leveraging powerful AI, Darktrace empowers customers to prevent not just the fastest-moving attacks, but also the slowest and subtlest.

Blog Archive

Thursday January 10, 2019
Monday December 3, 2018
Thursday November 22, 2018
Thursday October 25, 2018
Thursday October 4, 2018
Monday August 20, 2018
Monday July 16, 2018
Friday June 22, 2018
Wednesday May 9, 2018
Monday April 16, 2018
Wednesday March 7, 2018
Tuesday February 13, 2018
Friday February 2, 2018
Monday January 22, 2018
Friday December 8, 2017
Monday November 27, 2017
Monday October 30, 2017
Wednesday October 25, 2017
Thursday October 12, 2017
Monday October 2, 2017
Monday September 18, 2017
Monday July 31, 2017
Thursday June 29, 2017
Wednesday June 21, 2017
Wednesday May 17, 2017
Monday May 8, 2017
Wednesday April 5, 2017
Monday March 6, 2017
Monday February 13, 2017
Monday January 30, 2017
Monday January 9, 2017
Friday December 16, 2016
Monday December 5, 2016
Friday November 18, 2016
Friday November 4, 2016
Monday October 24, 2016

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. Justin is one of the US’s leading cyber intelligence experts, and his insights have been widely reported in leading media outlets, including Wall Street Journal, CNN, the Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew advises Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning and autonomous response. He has a technical background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. He was most recently featured on BBC World, BBC Morning and Al Jazeera to comment on the news regarding the GRU.

Max Heinemeyer

Max is a cyber security expert with over eight years’ experience in the field specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. He was a member of the German Chaos Computer Club, working as a white hat hacker in penetration testing and red teaming engagements. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.