The EMOTET Evolution – How Barac detect it ?

Emotet is one of the most dangerous malware threats active today. Emotet (Trojan.Emotet) began life as a banking Trojan but evolved several years ago to act as a malware loader for other threats — Emotet infects a machine and then downloads another threat e.g. the TrickBot information stealer, onto the infected system. Emotet is now one of the biggest threat distributors out there, renting its infrastructure out to all sorts of other threats, including ransomware, information stealers, and cryptocurrency miners. According to the U.S. Department of Homeland Security, Emotet continues to be among the most costly and destructive malware threats affecting state, local, and territorial governments and its impact is felt across both the private and public sectors.

In recent months, The Barac team has observed a resurgence of cyberattacks involving the Emotet malware. Emotet is a variant of the banking Trojan family, with polymorphic characteristics, able to evade traditional antivirus (AV) products and signature-based detection, uses TLS/SSL to connect with the Command and Control server (C&C) and hide from traditional detection tools. According to a September 2019 FBI Flash Alert, Emotet has recently been observed trying to connect to more than 500 C2 IP addresses as opposed to the approximately 10 IP addresses it previously employed. Additionally, Emotet can even avoid advanced behavioral detection algorithms by going dormant during scans. Not even sandboxing will catch the Emotet malware — its sandbox detection module will cause the malware to go dormant in virtual environments as well

Emotet Functionality

  • Emotet establishes a connection with the C2 server using TLS or SSL to hide, it reports a successful new infection, receives configuration data, downloads and runs additional payloads, receives instructions, and exfiltrates acquired/stolen data to the C2 server.*
  • Emotet creates randomly named files in the system root directories that are run as Windows services.* When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares, stolen windows credentials, Server Message Block (SMB)  shares and system vulnerabilities that are exploitable depending on patch strength and levels within an organization.
  • Emotet aims to saturate victim networks with the ability for attackers to gain unauthorized remote access capabilities to steal additional information. Some infected victims become part of a larger botnet, some are used for malspam campaigns, and others are used to stage and push ransomware as a final attack against the corporate infrastructure. 
  • We also observed actor groups moving to deploy ransomware after network saturation to
    • cover their tracks and
    • further monetize their intrusion through ransomware payments after having stolen stored web browser credentials and email threads from hundreds of internal users. 

How Barac ETV can Detect it using only metadata ?

There are open source methods to fingerprint Emotet on the network layer using JA3 and JA3S but attackers keep changing the TLS information to hide and the open source approach of JA3 makes it easy to bypass and hard to adapt to the changing behavior

Barac works on the network layer, we collect TLS and traffic metadata then combine them with machine learning and behaviroal analytics to be able to detect detect malware (including Dridex) and abnormal behaviors.

We noticed that even when changing the C&C IP, the toolkit used to connect or the tool used on the affected server, there are signs and behaviors that stay the same for all the connections. These metrics or indicators combined with powerful machine learning algorithms can be used to detect a signature of EMOTET on encrypted traffic without decryption:

Feature Description
Advanced DNS Scoring Detecting any abnormal or phishing like DNS using scoring methodology
Bytes Distribution The distribution of all the bytes from both the client and servers
TLS_Cipher The cipher proposed by the client and their strength distribution in order. The cipher response by the server and it’s order on the proposed ciphers.
TLS_Handshake_size The size of the TLS handshake for the flow
Initial_Packet_size The size of the initial sent for the flow
Top 5 Metrics for Detection

For Emotet detection, the Barac platform uses 200 metrics that we combine to detect signature of encrypted traffic without decryption. The presented above are the top 5 metrics/indicators used for Emotet detection.