Defense in depth: The resurgence of Emotet, as seen in the email and network layers

Max Heinemeyer, Director of Threat Hunting | Dan Fein, Director of Email Security Products | Wednesday August 26, 2020

The Emotet banking malware first emerged in 2014, and has since undergone multiple iterations. Emotet seeks to financially profit from a range of organizations by spreading rapidly from device to device and stealing sensitive financial information.

Darktrace’s AI has detected the return of this botnet after a five month absence. The new Spamware campaign has hit multiple industries through highly sophisticated phishing emails, containing either URLs linking to the download of a macro-containing Microsoft Word document or an attachment of the document itself. This iteration uses new variants of infrastructure and malware that were unknown to threat intelligence lists – thus easily bypassing static, rule-based defenses.

In this blog post, we investigate the attack from two angles. The first documents a case where Emotet successfully infiltrated a company’s network, where it was promptly detected and alerted on by the Enterprise Immune System. We then explore two customers who had extended Darktrace’s Cyber AI coverage to the inbox. While these organizations were also targeted by this latest Emotet campaign, the malicious email containing the Emotet payload was identified and blocked by Antigena Email.

Case study one: Detecting Emotet in the network

Figure 1: A timeline of the attack

This first case study looks at a large European organization spanning multiple industries, including healthcare, pharmaceuticals, and manufacturing. Darktrace’s AI was monitoring over 2500 devices when the organization became a victim of this new wave of Emotet.

The attack entered the business via a phishing email that fell outside of Darktrace’s scope in this particular deployment, as the customer had not yet activated Antigena Email. Either a malicious link or a macro-embedded Word document in the email directed a device to the malicious payload.

Darktrace’s Enterprise Immune System witnessed SSL connections to a 100% rare external IP address, and detected a Kernel crash on the device shortly afterwards, indicating potential exploitation.

Following these actions, the desktop began to beacon to multiple external endpoints using self-signed or invalid SSL certificates. The observed endpoints had previously been associated with Trickbot C2 servers and the Emotet malware. The likely overall dwell time – that is the length of time an attacker has free reign in an environment before they are eradicated – was in this instance around 24 hours, with most of the activity taking place on July 23.

The device then made a large number of new and unusual internal connection attempts over SMB (port 445) to 97 internal devices during a one-hour period. The goal was likely lateral movement, possibly with the intention to infect other devices, download additional malware, and send out more spam emails.

Darktrace’s AI had promptly alerted the security team to the initial rare connections, but when the device attempted lateral movement it escalated the severity of the alert. The security team was able to remediate the situation before further damage was done, taking the desktop offline.

This overview of the infected device shows the extent of the anomalous behavior, with over a dozen Darktrace detections firing in quick succession.

Figure 2: A graph showing unusual activity in combination with the large number of model breaches on July 23

Figure 3: A list of all model breaches occurring over a small time on the compromised device

Case study two: Catching Emotet in the email environment

While Darktrace’s Enterprise Immune System allows us to visualize the attack within the network, Antigena Email has also identified the Emotet phishing campaign in many other customer environments and stopped the attack before the payload could be downloaded.

One European organization was hit by multiple phishing emails associated with Emotet. These emails use a number of tactics, including personalized subject lines, malicious attachments, and hidden malicious URLs. However, Darktrace’s AI recognized the emails as highly anomalous for the organization and prevented them from reaching employees’ inboxes.

100%
Wed Jul 29 2020, 10:52:13
From:CaixaBank Informa <[email protected]>
Recipient:<[email protected]>
Avís de transferència
Email Tags
Suspicious Link
New Contact
Actions on Email
Lock Link
Move to Junk
Hold Message
Double Lock Link

Figure 4: An interactive snapshot of Antigena Email’s user interface. The subject line reads ‘Notice of transfer.’

Despite claiming to be from CaixaBank, a Spanish financial services company, Antigena Email revealed that the email was actually sent from a Brazilian domain. The email also contained a link that was hidden behind text suggesting it would lead to a CaixaBank domain, but Darktrace recognized this as a deliberate attempt to mislead the recipient. Antigena Email is unique in its ability to gather insights from across the broader business, and it leveraged this ability to reveal that the link in fact led to a WordPress domain that Darktrace’s AI identified as 100% rare for the business. This would not have been possible without a unified security platform analyzing and comparing data across different parts of the organization.

Figure 5: The malicious links contained in the email

The three above links surfaced by Darktrace are all associated with the Emotet malware, and prompt the user to download a Word file. This document contains a macro with instructions for downloading the actual virus payload.

Another email targeting the same organization contained a header suggesting it was from Vietnam. The sender had never been in any previous correspondence across the business, and the single, isolated link within the email was also revealed to be a 100% rare domain. The website displayed when visiting the domain imitates a legitimate printing business, but appears hastily made and contained a similar malicious payload.

In both cases, Darktrace’s AI recognized these as phishing attempts due to its understanding of normal communication patterns and behavior for the business and held the emails back from the inbox, preventing Emotet from entering the next phase of the attack life cycle.

Case study three: A truly global campaign

Darktrace has seen Emotet in attacks targeting customers around the world, with one of the most recent campaigns aimed at a food production and distribution company in Japan. This customer received six Emotet emails across July 29 and July 30. The senders spoofed Japanese names and some existing Japanese companies, including Mitsubishi. Antigena Email successfully detected and actioned these emails, recognizing the spoofing indicators, ‘unspoofing’ the emails, and converting the attachments.

57%
Thu Jul 30 2020, 19:31:57
From:藤沢 昭彦様 三菱食品(株) <[email protected]>
Recipient:<[email protected]>
請求書の件です。 0484111-2020_07_30
Email Tags
Suspicious Attachment
No Association
Spoofing Indicators
New Contact
Actions on Email
Convert Attachment
Unspoof

Figure 6: A second Emotet email targeting an organization in Japan

Revealing a phish

Both the subject line and the filename translate to “Regarding the invoice,” followed by a number and the date. The email imitated a well-known Japanese company (三菱食品(株)), with ‘藤沢 昭彦’ as a common Japanese name and the appended ‘様’ serving a similar function to ‘Sir’ or ‘Dr,’ in a clear attempt to mimic a legitimate business email.

A subsequent investigation revealed that the sender’s location was actually Portugal, and the hash values of Microsoft Word attachments were consistent with Emotet. Crucially, at the time of the attack, these file hashes were not publicly associated with any malicious behavior and so could not have been used for initial detection.

Figure 7: Antigena Email shows critical metrics revealing the true source of the email

Surfacing further key metrics behind the email, Antigena Email revealed that the true sender was using a GMO domain name. GMO is a Japanese cloud-hosting company that offers cheap web email services.

Figure 8: Antigena Email reveals the anomalous extensions and mimes

The details of the attachment show that both the extension and mime type is anomalous in comparison to documents this customer commonly exchanges by email.

Figure 9: Antigena Email detects the attempt at inducement

Antigena Email’s models are able to recognize topic anomalies and inducement attempts in emails, regardless of the language they are written in. Despite this email being written in Japanese, Darktrace’s AI was still able to reveal the attempt at inducement, giving the email a high score of 85.

Figure 10: The six successive Emotet emails

The close proximity in which these emails were sent and the fact they all contained URLs consistent with Emotet suggests that they are likely part of the same campaign. Different recipients received the emails from different senders in an attempt to bypass traditional security tools, which are trained to blacklist an individual sender once it is recognized as bad.

A defense in depth

This new campaign and the comeback of the Emotet malware has shown the need for defense in depth – or having multiple layers of security across the different areas of a business, including email, network, cloud and SaaS, and beyond.

Historically, defense in depth has led companies to adopt myriad point solutions, which can be both expensive and challenging to manage. Security leaders are increasingly abandoning point solutions in favor of a single security platform, which not only makes handling the security stack easier and more efficient, but creates synergies between different parts of the platform. Data can be analyzed across different sources and insights drawn from different areas of the organization, helping detect sophisticated attacks that might attempt to exploit a business’ siloed approach to security.

A single platform ultimately reduces the friction for security teams while allowing for effective, company-wide incident investigation. And when a platform approach leverages AI to understand normal behavior rather than looking for ‘known bad’, it can detect unknown and emerging threats – and help prevent damage from being done.

Thanks to Darktrace analyst Beverly McCann for her insights on the above threat find.

Darktrace Immune System: Read the White Paper

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Dan Fein

Based in New York, Dan is the Director of Email Security Products for the Americas. He joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s world-leading Cyber AI Platform and products. Dan has a particular focus on Antigena Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.