Friday 30 September 2022, 09:30 - 10:00 Red room
Jason Zhang (VMware)
Oleg Boyarchuk (VMware)
Stefano Ortolani (VMware)
Since the takedown in 2021 by multiple law enforcement agencies, the threat actors behind Emotet have recently regained their ability to launch large-scale attacks. Over the first few months of 2022, the VMware Threat Analysis Unit (TAU) started seeing a series of spam campaigns spreading new Emotet samples. The resurfaced Emotet exhibits novel tactics, techniques, and procedures (TTPs), including the use of Elliptic Curve Cryptography (ECC) public keys (rather than RSA keys) and a new scheme for encrypting its configuration. While prior to the takedown the Emotet botnet was organized into three groups, or "epochs", the resurfaced botnet introduces two new epochs: Epoch 4 and Epoch 5. Each epoch, or botnet, relies on a different set of encryption keys and an ever-changing set of hosts to guarantee its resilience to takedown actions. As the information required to track both the epoch and the network infrastructure is concealed in the configuration, the ability to extract and decode the encryption keys and configuration data from an Emotet payload is of paramount importance for analysing how the network infrastructure deployed by the threat actors evolves.
This presentation provides the first large-scale study of configuration data extracted from payloads dropped by Emotet Epoch 4 and Epoch 5 samples as collected by VMware TAU research telemetry. First, we introduce a process to extract the configuration data via a combination of dynamic and static analysis, including decryption and dumping of the internal DLLs from the initial payloads (as dropped by the documents attached to the spam emails), followed by extraction of the configuration data from the decrypted DLLs. We also detail how to automate the configuration extraction in a controlled environment, allowing us to extract configuration data at scale. We then present a comprehensive analysis of the key aspects of the configurations used in recent Emotet attacks, which includes (i) mapping botnet epochs based on the extracted ECC keys and command and control (C2) IP addresses and ports; (ii) examining the C2 IP address and port distributions to understand which countries are used to host the Emotet infrastructure and gain insights on which ports are commonly used by the C2 servers; (iii) showing how the botnet topology evolves over time; and (iv) providing a JARM fingerprint analysis to cluster the compromised hosts.
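The epoch-mapping and port-distribution steps above are the part of the pipeline a defender can reproduce once a configuration extractor has done its job. The following Python example, added here and not part of the VB2022 presentation or VMware TAU's tooling, shows that post-extraction analysis: it groups extracted records by the public key they embed (each key group is a candidate epoch), tallies C2 ports per epoch, and flags hosts that show up under more than one key. The record layout, the `SAMPLE_CONFIGS` entries, the key strings and the C2 addresses are all constructed for illustration (the addresses are from the IANA documentation ranges); nothing here is a real Emotet key or indicator.

```python
"""Group extracted botnet configurations into epochs by public key and
summarise their C2 infrastructure.  Added example with constructed data;
the record format is an assumption, not Emotet's actual on-disk layout."""
from collections import Counter, defaultdict
import hashlib
import ipaddress

# Constructed extractor output: one record per analysed payload.
# 'ecc_key' would hold the serialised public key pulled from the decrypted DLL;
# here it is a placeholder string so the grouping logic can be demonstrated.
SAMPLE_CONFIGS = [
    {"sha256": "constructed-sample-1", "ecc_key": "CONSTRUCTED-KEY-A",
     "c2": ["192.0.2.10:8080", "198.51.100.7:443"]},
    {"sha256": "constructed-sample-2", "ecc_key": "CONSTRUCTED-KEY-A",
     "c2": ["192.0.2.10:8080", "203.0.113.5:7080"]},
    {"sha256": "constructed-sample-3", "ecc_key": "CONSTRUCTED-KEY-B",
     "c2": ["203.0.113.9:443", "198.51.100.7:443"]},
    {"sha256": "constructed-sample-4", "ecc_key": "CONSTRUCTED-KEY-B",
     "c2": ["203.0.113.9:443", "198.51.100.22:8080"]},
]


def key_fingerprint(serialised_key: str) -> str:
    """Short, stable label for a public key so an epoch can be named in
    reports without pasting the full key material around."""
    return hashlib.sha256(serialised_key.encode()).hexdigest()[:12]


def parse_c2(entry: str) -> tuple[str, int]:
    """Split 'host:port' and validate both halves; extractor output is
    untrusted, so reject anything that is not an IP address and a TCP port."""
    host, sep, port_text = entry.rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {entry!r}")
    ipaddress.ip_address(host)          # raises ValueError on garbage
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return host, port


def map_epochs(configs: list[dict]) -> dict[str, dict]:
    """Group samples by embedded key.  Samples sharing a key are assumed to
    belong to the same epoch; the result maps fingerprint -> samples and C2 set."""
    epochs: dict[str, dict] = defaultdict(lambda: {"samples": set(), "c2": set()})
    for cfg in configs:
        fp = key_fingerprint(cfg["ecc_key"])
        epochs[fp]["samples"].add(cfg["sha256"])
        for entry in cfg["c2"]:
            epochs[fp]["c2"].add(parse_c2(entry))
    return dict(epochs)


def port_distribution(epochs: dict[str, dict], fp: str) -> Counter:
    """How often each port is used by the C2 hosts of one epoch."""
    return Counter(port for _, port in epochs[fp]["c2"])


def shared_hosts(epochs: dict[str, dict]) -> dict[str, set[str]]:
    """Hosts listed under more than one key.  Worth a second look: either a
    mislabelled sample or infrastructure genuinely shared between epochs."""
    seen: dict[str, set[str]] = defaultdict(set)
    for fp, data in epochs.items():
        for host, _ in data["c2"]:
            seen[host].add(fp)
    return {host: fps for host, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    epochs = map_epochs(SAMPLE_CONFIGS)
    for fp, data in epochs.items():
        print(f"epoch {fp}: {len(data['samples'])} samples, "
              f"{len(data['c2'])} C2 endpoints, ports {dict(port_distribution(epochs, fp))}")
    print("hosts shared across epochs:", shared_hosts(epochs))
```

Running it on the constructed records yields two epochs of two samples each and one host (198.51.100.7) that appears under both keys. In a real pipeline the records would come from the dynamic-plus-static extraction described in the abstract, and the per-epoch C2 sets are what you would feed into the country and JARM analyses.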
Jason Zhang recently joined Anomali as Director of Cyber Intelligence. As a highly motivated cyber threat researcher and a proven product and technology pioneer, Jason has a wealth of experience in technology and product R&D. Prior to joining Anomali, Jason worked at VMware (where the work presented at VB2022 was conducted), Lastline, Sophos and Symantec, specialising in cutting-edge research and automation in threat detection and intelligence analysis. Jason is a regular speaker at leading technical conferences including Black Hat, Virus Bulletin and InfoSec. Jason earned his Ph.D. in signal processing from King's College London & Cardiff University in the UK.
Oleg Boyarchuk is a threat researcher at VMware. Oleg is passionate about malware, vulnerabilities, reverse engineering, and Windows internals. Prior to joining VMware he worked as a reverse engineer at Lastline where he was responsible for malware research and detection improvements. Before that he worked as a kernel driver developer at Avira, developing the core functionality of the Avira Antivirus.
Stefano Ortolani is Threat Research Lead at VMware, formerly Director of Threat Research at Lastline, where he joined in 2015 as a security researcher. In his current role, Stefano focuses on finding novel approaches to investigate, classify, and detect unknown cyber tradecraft. Prior to Lastline, he was part of the Global Research and Analysis Team at Kaspersky Lab, in charge of fostering operations with CERTs, governments, universities, and law enforcement agencies, as well as conducting research of the global threat landscape. He received his Ph.D. in computer science from VU University Amsterdam. Stefano is a regular speaker at technical conferences and has authored / co-authored numerous research papers presented at venues such as Virus Bulletin, Security Analyst Summit, Underground Economy, and Black Hat.