24 November 2017

New Emotet Banking Trojan Variant Avoids Sandbox and Analysis

Threat actors have been observed distributing a new variant of the banking trojan ‘Emotet’ that contains changes in its usual behaviour and new routines that allow it to evade sandbox and malware analysis.

What’s Changed in the New Emotet Variant?

Emotet’s dropper has changed from using RunPE to exploiting CreateTimerQueueTimer, a Windows Application Programming Interface (API) function that adds a timer to a timer queue and runs a callback when it fires. This is not the first time CreateTimerQueueTimer has been exploited: it was previously seen abused by Hancitor, a banking trojan that dropped Pony and Vawtrak. In this instance, however, the callback function handed to the API becomes Emotet’s actual payload; because the technique is lesser known, it is more difficult for security scanners to detect.

The re-emerged Emotet banking trojan includes an anti-analysis technique that helps threat actors avoid detection by checking whether an analysis platform is scanning for malicious activity. CreateTimerQueueTimer lets Emotet perform this check every 0x3E8 (1,000) milliseconds.
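As an added triage example (not code from the original article or from any sandbox vendor), the following script scans a sandbox API-call trace for the behaviour described in the two paragraphs above: a CreateTimerQueueTimer call whose callback points into memory the process itself allocated as executable, reporting the timer period (0x3E8 ms in this variant). The trace format, the sample trace and the "callback in self-allocated executable memory" heuristic are assumptions made for the example; the article only states that the callback becomes the payload.

```python
"""Flag CreateTimerQueueTimer calls whose callback lies inside a region the
process allocated as executable via VirtualAlloc, and report the timer period.

The trace format is constructed for this example (it is not a real sandbox's
output):  <seconds> <module>!<Api>(key=value, ...) -> <return>
"""
import re

CALL_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<mod>\w+)!(?P<api>\w+)\((?P<args>[^)]*)\)\s*->\s*(?P<ret>\S+)"
)
# Any PAGE_EXECUTE* protection: 0x10, 0x20, 0x40, 0x80
PAGE_EXECUTE_MASK = 0xF0

# Constructed sample trace: one timer whose callback sits in RWX memory the
# process just allocated (suspicious), one timer pointing into the image (benign).
SAMPLE_TRACE = """\
0.012 kernel32!VirtualAlloc(lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) -> 0x2a0000
0.014 kernel32!GetTickCount() -> 0x5f3c
0.015 kernel32!CreateTimerQueueTimer(phNewTimer=0x19ff20, TimerQueue=0x0, Callback=0x2a0400, Parameter=0x0, DueTime=0x0, Period=0x3e8, Flags=0x0) -> 0x1
0.020 kernel32!CreateTimerQueueTimer(phNewTimer=0x19ff40, TimerQueue=0x0, Callback=0x401230, Parameter=0x0, DueTime=0x7d0, Period=0x0, Flags=0x0) -> 0x1
"""


def parse_args(argstr):
    """Turn 'a=0x1, b=0x2' into {'a': 1, 'b': 2}; base 0 accepts hex and decimal."""
    out = {}
    for part in argstr.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = int(value.strip(), 0)
    return out


def find_timer_callbacks_in_alloc(trace):
    """Return findings for timers whose callback falls in self-allocated executable memory."""
    exec_regions = []  # (base, size) of executable regions this process allocated
    findings = []
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        api, args, ret = m.group("api"), parse_args(m.group("args")), int(m.group("ret"), 0)
        if api == "VirtualAlloc" and ret and args.get("flProtect", 0) & PAGE_EXECUTE_MASK:
            exec_regions.append((ret, args.get("dwSize", 0)))
        elif api == "CreateTimerQueueTimer":
            callback = args.get("Callback", 0)
            for base, size in exec_regions:
                if base <= callback < base + size:
                    findings.append({"ts": float(m.group("ts")), "callback": callback,
                                     "period_ms": args.get("Period", 0), "region": base})
    return findings
```

Running it over SAMPLE_TRACE yields a single finding for the 0x2a0400 callback with a 1000 ms period; the image-backed timer is not reported.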

Emotet includes not only anti-analysis but also an anti-sandbox technique, which lets the malware check, at the second stage of its payload, whether it is running inside a sandbox environment. This tells Emotet whether or not to proceed with the attack: if it detects that it is running inside a sandbox, the loader does not proceed.

An Example of a Phishing Email Used to Begin the Process