Infection Immunity: Has Banking Trojan Emotet Outsmarted Itself?

Banking Trojans are now commonplace. Cybercriminals rely on them because they generate reliable profits. Although users are getting wise to basic techniques, new variants ensure that attackers always have another avenue of compromise.

Consider the ongoing threat of Emotet, which has been making the rounds since 2014. According to Minerva, its latest campaign includes a host of upgrades that make it hard to detect and even harder to stop. The silver lining? Current versions of the code also include a loophole users can leverage to keep their systems clear.

Emotet’s Threat Evolution

The Trojan made a name for itself in 2014 by intercepting network activity and stealing data via DLL injections. Later the same year, the Trojan was upgraded with modular capabilities and code, allowing it to initiate automated banking transfers from victims’ accounts to command-and-control (C&C) servers. Emotet’s authors also ensured that Russian-speaking users were left alone.

By 2015, it included the ability to detect if it was running on a virtual machine used for security testing and contacted fake C&C servers to mislead researchers.

2017 has been a busy year for this Trojan. It gained features including:

  • Sandbox evasion — Download URLs are encrypted, making it harder for security teams to grab malware samples.
  • Exploit inclusion — The Trojan was first to use EternalBlue/DOUBLEPULSAR as part of an organized attack campaign.
  • Improved modules — Recently added modules now steal browser and email credentials.
  • Machine mining — New code lets the malware grab details about victims’ machines, including process names and specifications, and then decides how to proceed.

Now Emotet is staging yet another comeback, this time using a new infection vector: emails that contain a link to malicious documents, rather than attachments. This lets the malware evade standard email security solutions. If users download the malicious file and enable Word macros, the code executes a batch script and PowerShell command with an encrypted script, denoted by an “iex” instruction.

When that proved too obvious, Emotet evolved in less than a week to obscure the encrypted string. Once the Trojan gains a foothold, it may compromise financial and email account information and siphon money directly from bank accounts.

Too Smart for Its Own Good?

Emotet isn’t just popular in isolation; other Trojans such as IcedID also leverage the tool as a distribution mechanism. It makes sense — the rapid pace of evolution makes this malware almost impossible to stop.

But as noted by Help Net Security, work done by the code’s creators to detect sandbox machines and avoid security monitoring has created an opportunity for users.

It works like this: Emotet carries a list of common sandbox-related usernames and hostnames — such as TEQUILABOOMBOOM, admin or SystemIT. If any of these names are detected on user systems, the malware won’t run. In addition, it looks for two file clusters: C:\a\foobar.bmp, C:\a\foobar.gif, and C:\a\foobar.doc; or C:\email.doc, C:\email.htm, C:\123\email.doc and C:\123\email.docx.

If all three files from the first cluster or all four files from the second are detected, the malware assumes it’s being analyzed and does not execute. The result is a kind of cybercriminal catch-22: Running on sandboxes opens the malware up to analysis and detection. Avoiding detection by using highly specific criteria, meanwhile, provides a way for users to sidestep system compromise.

Bottom line? Emotet has effectively outsmarted itself. By creating new usernames or adding file clusters, users can force the Trojan to abort installation. But given its history of rapid iteration and improvement, current tactics are workarounds, not total solutions. Expect Emotet to evolve again.

Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and...