Summary

The Hornetsecurity Security Lab observed a 1000 % increase in downloads of the Emotet loader. The increase in Emotet loader downloads is linked to a change in Emotet’s packer, which causes the loader to be less frequently detected by AV software. The data we have gathered suggests that the increase in Emotet loader downloads stems from the fact that it’s less frequently being detected. This makes security mechanisms to less likely to block its download URLs. Our data, however, also suggests that AV vendors are already closing the gap in detection, so the detection rates for the Emotet loader should increase, and the amount of downloads should decrease again. This analysis shows the impact of the changes made to the packer of the Emotet loader.

Background

The malware now commonly known as Emotet was first observed in 2014. Back then, it was a banking trojan stealing banking details and login credentials from its victims. Later, however, it pivoted to a malware-as-a-service (MaaS) operation providing malware distribution services to other cybercriminals.

We have already reported on Emotet multiple times in previous blogposts. The following timeline shows its recent developments:

Emotet event timeline

On 2020-08-18, changes to Emotet’s loader were observed. The Emotet loader is now packed with a different packer. Various researchers have observed that this packer change has led to a lower detection rate of the Emotet loader by AV software1. The unpacked loader has also received updates previously, but these have not caused any considerable impact on Emotet loader downloads. The changes performed on 2020-08-07 in order to fix a buffer overflow problem exploited by an Emotet “vaccine” called EmoCrash had no impact on the presented Emotet loader download statistics, since the “vaccine” only comes into effect after the Emotet loader has been downloaded.

Technical Analysis

We gathered download statistics from the Emotet download URLs by the methods outlined in our previous article about Emotet webshells2. For those that have not read our previous article, the PHP code Emotet uses to facilitate its downloads returns a JSON output stating the number of downloads of the Emotet payloads on that particular domain. We did not change our acquisition or analysis methods from the previous article to ensure our results are directly comparable and any observed changes are caused by the distribution operation of Emotet and not a collection of analysis artifacts caused by methodological changes.

There are two types of Emotet download URLs: those pointing to an Emotet maldoc and those pointing to the Emotet loader. The Emotet maldocs, which can be sent by email, contain download URLs. A VBA macro code uses them to download the Emotet loader, the actual Emotet malware that installs itself on the victim’s computer.

In our previous analysis, the share of download URLs pointing to the Emotet loader was of 15 %. Now, on 2020-08-19, its share is of 20 %. This is due to the fact that Emotet maldocs now use 6 or sometimes even 7 Emoter loader download URLs instead of the “classic” 5, as can be seen from this decoded PowerShell command issued by a recently released Emotet maldoc:

Emotet using 6 download URLs

However, the number of downloads of the Emotet loader we have gathered from hidden statistic pages on compromised websites has increased more than 5 %.

The Emotet download statistics from 2020-07-29 indicated that the Emotet loader was downloaded at a rate of around 2500 times per hour in average. The following plot shows the ratio between loader and maldoc downloads as well as their volume for 2020-07-29:

Old Emotet download statistics

Two days after the packer change, on 2020-08-19, the Emotet download statistics indicate that the Emotet loader was downloaded at a rate of around 25000 times per hour on average, a 1000 % increase. The following plot shows the ratio between Emotet loader and Emotet maldoc downloads as well as their volume for 2020-08-19:

New Emotet download statistics

We attribute this increase to the recent changes to the Emotet packer. The new packer is not detected very well by AV vendors yet. So, most of the new download URLs after the Emotet packer change were not detected by any vendors listed on VirusTotal:

Emotet loader download URL undetected on VirusTotal

Emotet loader download URL undetected on VirusTotal

While VirusTotal results do not represent the true dynamic detection of AV software of Emotet, the lower detection rates, especially when analyzing the download URLs for the Emotet loader, clearly suggest that the updates to the Emotet packer has indeed decreased the detection likelihood. Since many of the Emotet loader download URLs used to be flagged as malicious immediately, many security products were likely to block downloads by potential victims, thus leading to very few downloads of the Emotet loader overall.

On 2020-08-20, the Emotet loader downloads dropped to 7500 per hour, which constitutes a decrease of 70 % compared to 2020-08-19:

Download statistics with improved Emotet detection

This is likely because AV vendors are now starting to improve the detection of the new Emotet packer. At least, VirusTotal detections of new Emotet loader download URLs have started to be flagged again by AV vendors:

Emotet loader download URL detected again on VirusTotal

This further supports our hypothesis that the increase in Emotet loader downloads was caused by the new packer and, to a lesser extent, by the increase of Emotet loader download URLs inside the Emotet maldocs.

Conclusion and Countermeasure

Our analysis has shown the impact caused by the changes to the Emotet packer. We observed a 1000 % increase in Emotet loader downloads which was closely related to the detections of the Emotet loader download URLs by AV vendors.

To protect against Emotet the US CERT recommends to “implement filters at the email gateway to filter out emails with known malspam indicators”3.

Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market, is not impacted by the updates to the Emotet packer (as the packer is never sent directly via emails) and will thus continue to block all Emotet malspam indicators, such as macro documents used for infection as well as known Emotet download URLs. Hornetsecurity’s Advanced Threat Protection extends this protection by also detecting still unknown malicious links by dynamically downloading and executing the potentially malicious content in a monitored and sandboxed environment. Thus, even in the event the Emotet loader changes is accompanied by a change in delivery tactics, Hornetsecurity will be prepared.

In addition to blocking the incoming Emotet emails, defenders should use the publicly available information by the Cryptolaemus team, a voluntary group of IT security people banding together to fight Emotet. They provide new information daily on their website4. There you can obtain the latest C2 IP list for finding and/or blocking C2 traffic. For real-time updates, you can follow their Twitter account5.

References