Emotet is a common information stealer that targets Windows-based computer systems and functions as a downloader or dropper, allowing additional malware to be installed.
The Fujitsu Cyber Threat Intelligence (CTI) team has been tracking Emotet malicious spam (malspam) campaigns for several years, and in recent months we have observed an increase in the number of campaigns delivering it.
Data gathered across multiple sources and industry verticals allowed us to analyse and investigate this particular malware in more detail.
The prolific malware was reportedly developed by Mealybug, a threat group that has been active since 2014. When Emotet first appeared, its primary targets were banking customers in Europe, Germany in particular, and it focused on delivering its own banking malware rather than third-party payloads.
More recently we have observed Emotet increasing in both distribution and velocity, targeting sectors from utilities to retail across the globe.
Emotet is polymorphic, constantly changing its features to evade detection. The Banking Trojan uses modular Dynamic Link Libraries (DLLs) so that it can evolve and update its own capabilities, evading simple signature-based detection.
It is therefore inherently more difficult to detect, and to stop the malware reaching end users, by deploying email security solutions alone.
In this report we highlight the dangers of Emotet, its evolution, the behaviour of the campaigns distributing it and how often those campaigns bypass email security systems.
The Dangers of Emotet
In 2014, Emotet was first identified as a Banking Trojan; it later evolved into a loader for other malware. In January and June of this year, researchers observed variants including IcedID, Qakbot and Zeus Panda Banker being installed after an initial Emotet infection.
In recent weeks, Emotet has once again been a headline topic among cyber security researchers because the campaigns distributing it now deliver Trickbot, another Banking Trojan, as part of the infection chain. The latest version of the malware carries a packed payload containing the main malware components and an anti-analysis module for evasion.
Research conducted by Symantec found that once the payload runs, Emotet moves itself to its preferred directory, creates a LNK file in the Startup folder for persistence, and then collects information about the victim machine which is sent to the Command & Control (C&C) server. It then proceeds to download new executables, including infostealer modules capable of harvesting banking, email and browser credentials and Outlook PST data. In addition, Emotet has a DDoS module that can enlist the infected machine in a botnet to carry out DDoS attacks.
US-CERT recently reported that Emotet infections have cost governments up to $1 million per incident to remediate, owing to its worm-like propagation capability, which lets it spread rapidly across a network. The diversity of the malware, coupled with the continuous updating of its capabilities, means that campaigns are more likely to bypass traditional email security controls.
The Trojan is dangerous because of the advanced nature of its information stealing modules, its worm-like behaviour, its persistence and evasion of detection, and its ability to drop other Trojans, all of which make it challenging to detect and remediate.
Emotet is commonly distributed via a malicious link or via an email attachment, such as a malicious Word document. The majority of campaigns use financially themed subject lines and documents.
Figure 1 – Campaign from July 2018 distributed as an attached file.
Another common tactic used by the campaign authors was including the names of legitimate employees of companies in the target's supply chain, for example “John Smith – xyz : Invoice # 42O37641”, where John Smith is a real employee of supply chain company XYZ. These details were most likely gathered from social media and sites such as LinkedIn, and they add further credibility and legitimacy to the spoofed emails.
In July we also noted Independence Day themed subject lines, some of which likewise used legitimate employee names.
Some indicators of compromise relating to subject lines can be found at the end of this report.
The volume of emails delivering Emotet increased drastically in May 2018 and remained high throughout July. Below is a graph showing the number of emails containing Emotet delivered to two separate UK-based targets throughout July.
Figure 2 – Hits on Emotet across two targets for July
The analysis shows clear mirroring of campaigns between two separate UK-based entities, indicating that the majority of campaigns are not targeted and are likely sent en masse via a spam botnet. This differs from early Emotet campaigns, which were sent to a relatively small and selected number of targets. We believe this reflects the malware distributors evolving their TTPs to maximise profits.
Furthermore, the distribution follows a standard working week, Monday to Friday being the most popular days to distribute campaigns, with peak operating periods lasting on average 8 hours a day. We have observed similar campaign spikes delivered on Fridays; this appears to be a deliberate tactic, with the campaign authors seeking to capitalise on people being more relaxed as they head into the weekend. The largest campaign observed was delivered on Friday 13th, which could indicate dark humour on the authors' part.
The chart below plots the average number of Emotet hits per hour of the day throughout July.
When compared against the monthly hourly average (the dotted line), the volume rises above average between 3:00am and 4:00am BST and falls below average between 11:00am and 12:00pm BST. Assuming the attacking parties launch campaigns during an average working day, 9am to 5pm, this places their time zone of operation at BST+6 (i.e. UTC+7), plus or minus 1 hour.
Figure 3 – Average hits for Emotet in July against time
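The offset estimate described above, worked through as an added example (this is illustrative code, not the CTI team's tooling): given a list of hit timestamps, build the average hourly profile in BST, find the window in which volume sits above the daily mean, and infer the operator's UTC offset under the assumption that the rise in volume is the start of a 9-to-5 working day. The hit data is constructed to mirror the shape of the July profile and is not real telemetry.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# UK summer time; the report quotes all times in BST (UTC+1).
BST = timezone(timedelta(hours=1), "BST")


def constructed_hits():
    """Constructed sample hit timestamps (not real telemetry): five weekdays,
    Monday 9 to Friday 13 July 2018, with ten hits per hour between 03:00 and
    10:59 BST and one stray hit in every other hour, mirroring the shape of
    the July profile described in the report."""
    base = datetime(2018, 7, 9, tzinfo=BST)
    hits = []
    for day in range(5):
        for hour in range(24):
            per_hour = 10 if 3 <= hour <= 10 else 1
            for i in range(per_hour):
                hits.append(base + timedelta(days=day, hours=hour, minutes=5 * i))
    return hits


def hourly_profile(hits, tz=BST):
    """Average number of hits in each hour of the day, expressed in tz and
    averaged over the distinct calendar days present in the data."""
    local = [ts.astimezone(tz) for ts in hits]
    per_hour = Counter(ts.hour for ts in local)
    days = len({ts.date() for ts in local})
    return {h: per_hour.get(h, 0) / days for h in range(24)}


def active_window(profile):
    """(start, end): the hour at which volume first rises above the daily mean
    and the first hour after that at which it drops back to or below it.
    end is None if volume never falls back before midnight."""
    mean = sum(profile.values()) / len(profile)
    start = next((h for h in range(24) if profile[h] > mean), None)
    if start is None:
        return None, None
    end = next((h for h in range(start, 24) if profile[h] <= mean), None)
    return start, end


def operator_utc_offset(start_hour, observed_tz=BST, workday_start=9):
    """Estimate the operator's UTC offset in whole hours, assuming the rise in
    volume at start_hour (in observed_tz) is the operator's workday_start.
    The 9-to-5 working day is the report's assumption, not a measured fact."""
    observed = observed_tz.utcoffset(None).total_seconds() / 3600
    offset = observed + (workday_start - start_hour)
    return int(((offset + 12) % 24) - 12)  # fold into the range -12..+11


if __name__ == "__main__":
    profile = hourly_profile(constructed_hits())
    start, end = active_window(profile)
    print(f"above-average window: {start:02d}:00-{end:02d}:00 BST")
    print(f"estimated operator time zone: UTC{operator_utc_offset(start):+d}")
```

The estimate is only as good as the working-day assumption: a crew that starts sending at 7am local, or one that schedules sends from a spam botnet in a different region, shifts the answer by the same number of hours, which is why the report quotes a range rather than a point.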
Another notable observation is that the campaigns spreading Emotet on Friday 13th were four times the volume of the previous day; the graph below shows the hours of delivery for that day.
Figure 4 – Hits on Emotet on Friday 13th
Security vendors vs Emotet?
As discussed earlier, Emotet is polymorphic and continuously evolving in order to evade security products and solutions. Its modular makeup has let it move from delivering only its primary Banking Trojan function to incorporating “wrapper” modules such as WebBrowserPassView, which is dedicated to harvesting credentials stored in the infected user's web browser.
Our CTI team compared a number of campaigns attributed to Emotet to see how they fared against a range of email security vendors. The analysis compared the number of quarantined emails against the number that had been successfully delivered to users' mailboxes. All of the vendors had at least some form of signature or heuristics based detection in place.
Our research focused on email campaigns, as this is the predominant method of distributing this type of malware. The data was split into two categories: campaigns containing attachments and campaigns containing links.
Figure 5 – % of Campaigns bypassing security containing malicious attachments
The graph above shows vendor A performing worst at detecting Emotet campaigns containing attachments: on average it failed to block around 28% of them. Vendors B and C fared much better, each failing to detect only around 5% of the campaigns containing an attachment.
Figure 6 – % Campaigns bypassing security containing malicious links
The graph above shows vendor B performing worst against Emotet campaigns containing links, failing on average to block around 12% of them. Vendor A fared much better, missing only around 3% of the campaigns, while vendor C outperformed both in this area by blocking every single campaign.
Vendor Comparison Attachments vs Links
Figure 7 – % of Campaigns bypassing security containing malicious links vs malicious attachments
This data shows that not all vendors perform equally.
Vendors A and B were each weaker in a different area, whereas vendor C performed well at detecting both malicious attachments and links. However, all of these vendors let some campaigns through, and it only takes one email reaching one user for an infection to take place. We have deliberately not named the vendors in this exercise, as the dataset is small and relates to only a handful of campaigns.
Fujitsu's CTI team works to fill this gap by focusing on the campaigns that bypass these security solutions, proactively tracking them and removing the emails from user mailboxes when a bypass is detected. We do this several times a week across customers from different industry sectors.
The similarity between the Emotet distribution to the two UK targets discussed, along with the increase in velocity of these campaigns, indicates that recent attacks are less targeted than previously thought and are aimed at mass delivery.
The delivery time analysis suggests an organised operation. Throughout July, peak operating periods lasted on average 8 hours a day, with volume rising above average between 3am and 4am and falling away between 11am and 12pm (BST).
Although organisations with mature spam filters lower the risk of infection, our analysis shows that these campaigns do successfully bypass email security solutions. This highlights the importance of tracking such campaigns to add a much needed human-guided layer of analysis and protection, as no security vendor can claim to stop 100% of malware campaigns.
Indicators of Compromise
Below are examples of email subjects from campaigns that delivered Emotet, either as a link or as an attachment:
Note: int<2> represents two digits, char<3> three letters and string<6> a six-character string; "rand name", "rand name/company" and "supply chain company" stand for the legitimate employee or company names described above.
- Acknowledgement char<2>-int<2>-int<5>
- Billing Invoice – Job # string<6>
- Cust char<3>-int<2>-int<5>
- Customer Invoice — Supply chain company name
- Customer No int<6> rand name/company
- Final notice
- no. char<2>int<2>int<5>
- INVOICE char<2>-int<2>-int<5>
- Invoice from supply chain company
- Invoice char<2>int<2>int<5>
- Invoices, payments and questions char<2>int<2>int<5>
- Latest invoice – 640453
- New invoice char<2>int<2>int<5> from rand name
- Notification de facture
- Notification de facture du 20 juillet 2018
- char<3>-int<2>-int<5> rand name
- Outstanding invoice
- Payment on Invoices char<3>-int<2>-int<5>
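To turn the subject patterns above into something a mail filter or SIEM search can use, the added example below (illustrative code, not tooling from the report) translates the report's notation into anchored, case-insensitive regular expressions and classifies incoming subjects against them. Dash characters and whitespace are normalised first, since the same lure appears with hyphens, en dashes and em dashes. The test subjects at the bottom are constructed, not taken from a real campaign.

```python
import re

# Subject-line patterns in the report's notation: char<n> is n letters,
# int<n> is n digits, string<n> is n alphanumeric characters, and
# "rand name", "rand name/company" and "supply chain company [name]" stand
# for a legitimate name lifted from the target's supply chain.
SUBJECT_PATTERNS = [
    "Acknowledgement char<2>-int<2>-int<5>",
    "Billing Invoice - Job # string<6>",
    "Cust char<3>-int<2>-int<5>",
    "Customer Invoice - Supply chain company name",
    "Customer No int<6> rand name/company",
    "Final notice",
    "no. char<2>int<2>int<5>",
    "INVOICE char<2>-int<2>-int<5>",
    "Invoice from supply chain company",
    "Invoice char<2>int<2>int<5>",
    "Invoices, payments and questions char<2>int<2>int<5>",
    "Latest invoice - 640453",
    "New invoice char<2>int<2>int<5> from rand name",
    "Notification de facture",
    "Notification de facture du 20 juillet 2018",
    "char<3>-int<2>-int<5> rand name",
    "Outstanding invoice",
    "Payment on Invoices char<3>-int<2>-int<5>",
]

# Placeholder tokens recognised in the notation above.
TOKEN = re.compile(
    r"(char<\d+>|int<\d+>|string<\d+>|rand name(?:/company)?|supply chain company(?: name)?)",
    re.IGNORECASE,
)
CLASSES = {"char": "[A-Za-z]", "int": r"\d", "string": "[A-Za-z0-9]"}


def normalise(text):
    """Fold en/em dashes to '-' and collapse whitespace so that cosmetic
    variation in a subject does not defeat the match."""
    text = re.sub(r"[\u2013\u2014]", "-", text)
    return re.sub(r"\s+", " ", text).strip()


def _token_regex(token):
    """Regex fragment for one placeholder token."""
    m = re.fullmatch(r"(char|int|string)<(\d+)>", token, re.IGNORECASE)
    if m:
        return CLASSES[m.group(1).lower()] + "{" + m.group(2) + "}"
    return ".+"  # free-text placeholder: an employee or company name


def pattern_to_regex(pattern):
    """Translate one report pattern into an anchored, case-insensitive regex;
    literal text is escaped, placeholder tokens become character classes."""
    parts = []
    for piece in TOKEN.split(normalise(pattern)):
        if TOKEN.fullmatch(piece):
            parts.append(_token_regex(piece))
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED = [(p, pattern_to_regex(p)) for p in SUBJECT_PATTERNS]


def classify_subject(subject):
    """Return the first report pattern the subject matches, or None."""
    s = normalise(subject)
    for pattern, regex in COMPILED:
        if regex.match(s):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed subjects, not taken from a real campaign.
    for subject in ["Acknowledgement AB-12-34567",
                    "New invoice XY9876543 from Jane Doe",
                    "Your Amazon order has shipped"]:
        print(f"{subject!r} -> {classify_subject(subject)}")
```

The matching is anchored and exact on the placeholder shape, so it catches the lures reported here but not their next variation; treat the patterns as a starting point for mailbox sweeps and hunting queries rather than as a durable signature, and expect to revise them as the campaign authors rotate subjects.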