A DEEP DIVE INTO EMOTET'S NEW 64-BIT MODULES
Emotet ramps up activity, goes 64-bit!

Emotet is usually delivered through spam campaigns that carry doc files. This self-propagating Trojan is a downloader that typically fetches and executes further payloads. Around January 2021, Emotet operations were reportedly shut down; however, it resurfaced in late 2021. In recent months, Emotet appears to have switched to 64-bit. This blog discusses the new variant and how it differs from earlier versions.

ANALYSIS (Latest variant) and differences from earlier versions:

Let's look at the latest variant of Emotet, which has MD5 da045fce83afdcb9920a0a38b279d33d. Here, we can easily see that the first export function is the one being used.

Fig: 1 DLL export functions (64-bit, latest)

The following image shows a compiled Delphi file whose resource section has high entropy because it holds encrypted data.

Fig: 2 Encrypted resource data

Below is an image of data stored in variables. These values are copied onto the stack.

Fig: 3 Encrypted data stored as variables

This data is decrypted into shellcode in virtually mapped memory, as shown in the image below:

Fig: 4 Decryption loop

Decrypted shellcode

Fig: 5 Decrypted shellcode

This shellcode loads the DLL and resolves the APIs it will use later.

Fig: 6 Shellcode loads the DLL and APIs

The encrypted data in the resource section is now decrypted and forms a PE file. Below is the decryption loop responsible for it.

Fig: 7 Decryption loop

Below is the decrypted internal file.

Fig: 8 Internal file decrypted

This decrypted internal file is then copied to another virtually mapped memory region without its PE header, and that region is virtually protected.

Fig: 9 File without PE header

Let's now explore the internal DLL. It has only a single export function.

Fig: 10 Internal DLL

This DLL is executed by calling the loader DLL's first export, which indirectly calls the internal DLL's first export function.

Fig: 11 DLL's first export function

Here we see that the highlighted statement [rsp+20] points to the first export of the internal DLL, shown in the figure above (the function RVA as listed in CFF).

This DLL uses Control Flow Flattening (CFF) and API hashing to make reverse engineering difficult.

In this technique, the code is flattened: the original basic blocks are placed as cases of a single switch statement inside a loop, and a state variable decides which case runs next, so the switch controls the flow of the program.

Fig: 12 Control Flow Flattening technique
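To make the flattening concrete, here is an added illustration in Python (not code from the Emotet sample or from this post): the same small routine written normally and in flattened form, plus a helper that walks the dispatcher's state transitions to recover the real block order, which is the first step a deobfuscation script performs. The block IDs and the routine itself are arbitrary choices for the example.

```python
# Added illustration (not Emotet's code): a routine written normally and in
# control-flow-flattened form, plus a helper that recovers the real block order
# from the dispatcher's state transitions, as a deobfuscation pass would.

def sum_even_minus_odd(values):
    """Reference routine: add even values, subtract odd ones."""
    total = 0
    for v in values:
        if v % 2 == 0:
            total += v
        else:
            total -= v
    return total

# Block IDs used by the flattened dispatcher. Real samples use random-looking
# constants here; these numbers are arbitrary choices for the example.
ENTRY, LOOP_TEST, LOAD, ADD, SUB, NEXT, EXIT = 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77

def sum_even_minus_odd_flattened(values):
    """Same routine after flattening: every basic block is one case of a switch
    inside a loop, and a state variable decides which case runs next."""
    state = ENTRY
    i = total = v = 0
    while True:
        if state == ENTRY:
            i, total = 0, 0
            state = LOOP_TEST
        elif state == LOOP_TEST:
            state = LOAD if i < len(values) else EXIT
        elif state == LOAD:
            v = values[i]
            state = ADD if v % 2 == 0 else SUB
        elif state == ADD:
            total += v
            state = NEXT
        elif state == SUB:
            total -= v
            state = NEXT
        elif state == NEXT:
            i += 1
            state = LOOP_TEST
        elif state == EXIT:
            return total
        else:
            raise ValueError("unknown dispatcher state")

# Static transition table an analyst would extract from the dispatcher:
# each case's possible successor states.
TRANSITIONS = {
    ENTRY: [LOOP_TEST],
    LOOP_TEST: [LOAD, EXIT],
    LOAD: [ADD, SUB],
    ADD: [NEXT],
    SUB: [NEXT],
    NEXT: [LOOP_TEST],
    EXIT: [],
}

def recover_block_order(transitions, entry):
    """Depth-first walk over the state transitions. Returns the blocks in the
    order they are first reached, i.e. the reachable nodes of the original
    control-flow graph with the dispatcher removed."""
    order, seen, stack = [], set(), [entry]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        order.append(s)
        # Push successors in reverse so the first successor is visited first.
        for nxt in reversed(transitions[s]):
            if nxt not in seen:
                stack.append(nxt)
    return order
```

The flattened version computes exactly what the reference does, but a disassembler shows only a loop around a switch; the transition table is what has to be rebuilt, from the constants each case writes into the state variable, before the original control flow becomes visible again.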

It creates a copy of the loader DLL (MD5: da045fce83afdcb9920a0a38b279d33d) with a random name, inside a randomly named folder under %Appdata%, and then runs from that location.

By setting a breakpoint on jmp rax we can collect all the C2 addresses and the API names used in communication; they are stored encoded inside the file and decrypted at runtime.

These new Emotet samples use the BCrypt crypto functions from bcrypt.dll. Earlier variants used the crypt functions from advapi32.dll.

The malware collects information such as the computer name, volume ID, version information, execution path, etc., and sends it to the C2. The transmitted data is encrypted using ECC (Elliptic Curve Cryptography). In the earlier samples, RSA was used.

By looking at the key, we can tell that this sample belongs to Epoch5, which uses a common encryption key across all its samples. Let us now look at the encryption process and C2 communication:

  1. BCryptFinalizeKeyPair: the ECC key pair is finalized
  2. BCryptExportKey: the generated key is exported to a memory blob
  3. BCryptSecretAgreement: the AES key is generated based on the secret agreement between the malware and the C2
  4. BCryptDeriveKey: a key is derived from the secret agreement value using SHA256 as the KDF
  5. BCryptGetProperty: retrieves a property of a CNG object
  6. BCryptImportKey: imports the key from the memory blob
  7. BCryptCloseAlgorithmProvider: closes the algorithm provider handle
  8. BCryptDestroySecret: the secret generated by BCryptSecretAgreement is destroyed

Fig: 13 ECDH Public Key

Summarizing the steps:

  1. The ECDH public key (ECK1 curve) is decrypted and used to encrypt the data sent, and ECDSA (ECS1 curve) is used for data verification
  2. A secret agreement is generated between the malware and the C2. This agreement value is created from the private and public keys of ECDH
  3. The AES key is derived from the secret agreement value using SHA256 as the KDF
  4. The message to be sent is built and a hash of it is generated
  5. The hash value, together with the message, is encrypted using AES256
  6. Data consisting of the ECK1 public key, the AES data, and random bytes is base64 encoded and sent

Fig: 14
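The eight BCrypt calls above and the summary list describe the same exchange: the malware exports an ECDH public key as a CNG key blob, derives an AES key from the secret agreement, and sends base64(ECK1 blob || AES data || random bytes). The following added Python example (not code from the post or the sample) parses that CNG BCRYPT_ECCKEY_BLOB layout, which is what an analyst pulls out of a memory dump or a captured request, and splits a constructed envelope into the public key and the payload. The blob layout and the ECK*/ECS* magic values are the real CNG definitions; the envelope contents and coordinate bytes are constructed for the example.

```python
import base64
import struct

# Added example (not from the post or the sample): parse the CNG BCRYPT_ECCKEY_BLOB
# that BCryptExportKey writes, then split an envelope laid out as the post
# describes: ECK1 public key blob || AES data || random bytes, base64-encoded.
# The envelope bytes below are constructed; only the blob layout and the
# ECK*/ECS* magic values are real CNG definitions.

# BCRYPT_ECCKEY_BLOB header: ULONG dwMagic, ULONG cbKey (little-endian), followed
# by the X and Y coordinates of cbKey bytes each; private-key blobs add d.
_HDR = struct.Struct("<II")
# Magic is the ASCII tag 'ECK<n>' (ECDH) or 'ECS<n>' (ECDSA); the digit encodes
# curve and public/private: 1/2 = P-256, 3/4 = P-384, 5/6 = P-521, odd = public.
_CURVES = {"1": "P-256", "2": "P-256", "3": "P-384", "4": "P-384", "5": "P-521", "6": "P-521"}
_EXPECTED_CBKEY = {"P-256": 32, "P-384": 48, "P-521": 66}

def parse_ecc_key_blob(buf):
    """Describe the CNG ECC key blob at the start of buf and report how many
    bytes it occupies. Raises ValueError on anything malformed."""
    if len(buf) < _HDR.size:
        raise ValueError("buffer too short for BCRYPT_ECCKEY_BLOB header")
    magic, cb_key = _HDR.unpack_from(buf, 0)
    tag = magic.to_bytes(4, "little").decode("ascii", errors="replace")  # e.g. 'ECK1'
    if tag[:3] not in ("ECK", "ECS") or tag[3] not in _CURVES:
        raise ValueError(f"not an ECC key blob magic: {tag!r}")
    algo = "ECDH" if tag[:3] == "ECK" else "ECDSA"
    curve = _CURVES[tag[3]]
    is_private = int(tag[3]) % 2 == 0
    if cb_key != _EXPECTED_CBKEY[curve]:
        raise ValueError(f"cbKey {cb_key} does not match {curve}")
    n_coords = 3 if is_private else 2
    total = _HDR.size + n_coords * cb_key
    if len(buf) < total:
        raise ValueError("blob truncated")
    x = buf[_HDR.size:_HDR.size + cb_key]
    y = buf[_HDR.size + cb_key:_HDR.size + 2 * cb_key]
    return {"magic": tag, "algorithm": algo, "curve": curve, "private": is_private,
            "cb_key": cb_key, "x": x, "y": y, "size": total}

def split_envelope(b64_text):
    """Decode the base64 envelope and separate the key blob from the AES payload.
    The trailing random bytes cannot be told apart from the ciphertext without
    knowing the message length, so they are returned together as the payload."""
    raw = base64.b64decode(b64_text)
    blob = parse_ecc_key_blob(raw)
    if blob["algorithm"] != "ECDH" or blob["private"]:
        raise ValueError("expected an ECDH public key (ECK1) at the front")
    return blob, raw[blob["size"]:]

def build_sample_envelope():
    """Constructed test input: a fake ECK1 blob with recognisable coordinates,
    followed by 48 bytes standing in for AES data plus random padding."""
    x = bytes([0x11]) * 32
    y = bytes([0x22]) * 32
    blob = _HDR.pack(0x314B4345, 32) + x + y      # 0x314B4345 is b'ECK1'
    payload = bytes(range(48))
    return base64.b64encode(blob + payload).decode()
```

Checking the public key at the front of every request against the Epoch5 key is a practical way to attribute traffic to the botnet epoch, since the post notes the key is shared across all samples of that epoch; the payload itself stays opaque without the ECDH private key.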

List of decrypted C2 addresses:

103[.]8[.]26[.]17

134[.]122[.]119[.]23

103[.]133[.]214[.]242

93[.]104[.]209[.]107

37[.]44[.]244[.]177

196[.]44[.]98[.]190

116[.]124[.]128[.]206

88[.]217[.]172[.]165

62[.]171[.]178[.]147

185[.]148[.]168[.]220

103[.]85[.]95[.]4

195[.]77[.]239[.]39

159[.]69[.]237[.]188

190[.]90[.]233[.]66

85[.]214[.]67[.]203

217[.]182[.]143[.]207

203[.]153[.]216[.]46

103[.]42[.]58[.]120

59[.]148[.]253[.]194

68[.]183[.]91[.]111

110[.]235[.]83[.]107

54[.]38[.]242[.]185

85[.]25[.]120[.]45

37[.]59[.]209[.]141

54[.]37[.]106[.]167

103[.]41[.]204[.]169

66[.]42[.]57[.]149

175[.]126[.]176[.]79

54[.]37[.]228[.]122

87[.]106[.]97[.]83

45[.]71[.]195[.]104

195[.]154[.]146[.]35

139[.]196[.]72[.]155

36[.]67[.]23[.]59

5[.]56[.]132[.]177

202[.]134[.]4[.]210

78[.]46[.]73[.]125

202[.]29[.]239[.]162

210[.]57[.]209[.]142

118[.]98[.]72[.]86

207[.]148[.]81[.]119

68[.]183[.]93[.]250

103[.]56[.]149[.]105

178[.]62[.]112[.]199

54[.]38[.]143[.]246

51[.]68[.]141[.]164

104[.]248[.]225[.]227

78[.]47[.]204[.]80

202[.]28[.]34[.]99

188[.]225[.]32[.]231

194[.]9[.]172[.]107
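The list above is defanged with `[.]`, so it has to be normalised before it can feed a blocklist or a log search. The following added Python example (not from the post) re-fangs a subset of the post's C2 addresses, drops any entry that does not parse as IPv4 rather than silently mangling it, and matches the result against constructed proxy log lines of the form `timestamp src -> dst:port`.

```python
import ipaddress
import re

# Added example (not from the post): normalise the defanged C2 list into real
# addresses and match them against proxy/firewall log lines. The addresses below
# are a subset of the post's decrypted C2 list; the log lines are constructed.

DEFANGED_C2 = """
103[.]8[.]26[.]17
134[.]122[.]119[.]23
103[.]133[.]214[.]242
93[.]104[.]209[.]107
37[.]44[.]244[.]177
"""

def refang(text):
    """Turn '103[.]8[.]26[.]17' style entries into validated IPv4 addresses.
    Entries that do not parse as IPv4 are skipped rather than silently mangled."""
    out = set()
    for token in text.split():
        candidate = token.replace("[.]", ".").replace("(.)", ".")
        try:
            out.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue
    return out

# Constructed log lines in a simple "timestamp src -> dst:port action" shape.
SAMPLE_LOGS = [
    "2022-04-20T10:01:02Z 10.0.0.5 -> 103.8.26.17:8080 CONNECT",
    "2022-04-20T10:01:05Z 10.0.0.5 -> 142.250.74.46:443 CONNECT",
    "2022-04-20T10:02:11Z 10.0.0.9 -> 37.44.244.177:443 CONNECT",
    "2022-04-20T10:03:40Z 10.0.0.9 -> 10.0.0.1:53 UDP",
]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def find_c2_hits(log_lines, c2_set):
    """Return (line, matched_ip) for every log line that references a known C2.
    Every IPv4 literal on the line is checked, not only the destination field."""
    hits = []
    for line in log_lines:
        for ip in _IPV4.findall(line):
            if ip in c2_set:
                hits.append((line, ip))
                break
    return hits
```

Validating through `ipaddress` matters when a list has been copied through several tools: an entry such as `85[.]25[.]120[.]4. 5` (the form one of the addresses above arrived in) would otherwise become a broken string that never matches anything, and the failure would go unnoticed.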

IOC

da045fce83afdcb9920a0a38b279d33d

Detections

Trojan.Emotet.S28135758

Conclusion:

Emotet has evolved and become more capable since its return. Among other things, it moved from 32-bit to 64-bit, uses CFF together with API hashing, and changed its encryption mechanism from RSA to ECC. It also uses the Crypt APIs from bcrypt.dll, whereas previously it used ADVAPI.DLL. It remains one of the top malware families that leads to further malware infections.

Tejaswini Sandapolla