28 NOVEMBER 2018
EMOTET BANKING TROJAN Seen Taking Advantage of Privileges of Local Administration Shares
In the month of November, a UK law firm learnt the hard way the importance of limiting privileges of the local administration shares on their endpoints when the popular Emotet malware appeared in their estate.
The first indicator of a potential incident was malware quarantining action in the customer's next-generation antivirus, which affected 44 endpoints. To build a better understanding of the event and any associated activity, R17 collections were requested from those endpoints so that Secrutiny could conduct initial forensic analysis. While the R17 collections were being processed, more files were seen being quarantined on the same 44 endpoints and contained by the customer's antivirus.
Using the file hash, Secrutiny also obtained further samples of the malware from OSINT and executed them in a sandbox environment. A number of IOCs were correlated and an early assumption of an Emotet infection was reached. Once the forensic collection data had been processed, the infection was confirmed as Emotet delivering the TrickBot banking trojan as the secondary attack.
The following technical findings were also ascertained:
The malware operated at Layer 5, the "Session Layer", and spread from endpoint to endpoint over SMB, taking advantage of access to the local hidden administrative shares Admin$, IPC$ and C$.
Most file artefacts were found in the C:\Windows directory and others were also found in user data paths.
The infection was constrained to the single site and did not jump across the routed boundary to affect any other site.
After the initial infection, further files were quarantined by the organisation’s antivirus.
Following the initial forensic analysis, a further 51 files were identified, proving that a large number of malicious files had not been identified or quarantined by the antivirus product.
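The lateral spread described in the findings above leaves a recognisable trace on each endpoint whose hidden administrative share was opened. The following is an added example, not Secrutiny's tooling, that runs a simple detection over constructed Windows Security event 5140 ("A network share object was accessed") records: it flags any source address that reaches Admin$, C$ or IPC$ on several distinct hosts within a short window. The thresholds, sample addresses and host names are assumptions chosen for illustration.

```python
# Added example: detect one source touching administrative shares on many
# peers in a short window, the spread pattern seen in this incident.
# Input is a constructed list of event 5140 fields; in production these
# would come from centrally collected Security logs.
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample events: (timestamp, source IP, target host, ShareName).
SAMPLE_EVENTS = [
    ("2018-11-05T09:00:01", "10.0.5.21", "WS-101", r"\\*\ADMIN$"),
    ("2018-11-05T09:00:04", "10.0.5.21", "WS-102", r"\\*\C$"),
    ("2018-11-05T09:00:09", "10.0.5.21", "WS-103", r"\\*\IPC$"),
    ("2018-11-05T09:00:15", "10.0.5.21", "WS-104", r"\\*\ADMIN$"),
    ("2018-11-05T09:00:20", "10.0.5.21", "WS-105", r"\\*\ADMIN$"),
    ("2018-11-05T09:01:00", "10.0.5.40", "FS-01", r"\\*\Finance"),  # ordinary share
    ("2018-11-05T09:02:00", "10.0.5.50", "WS-110", r"\\*\C$"),  # one-off admin task
    ("2018-11-05T10:30:00", "10.0.5.21", "WS-120", r"\\*\C$"),  # outside the window
]


def share_name(path):
    """Return the bare share name from a 5140 ShareName such as \\\\*\\ADMIN$."""
    return path.rsplit("\\", 1)[-1].upper()


def find_share_spreaders(events, window=timedelta(minutes=5), min_targets=3):
    """Return {source_ip: [hosts]} for sources that opened an administrative
    share on at least `min_targets` distinct hosts within any `window`."""
    per_source = defaultdict(list)
    for ts, src, target, share in events:
        if share_name(share) in ADMIN_SHARES:
            per_source[src].append((datetime.fromisoformat(ts), target))
    flagged = {}
    for src, hits in per_source.items():
        hits.sort()  # chronological, so each hit can start a sliding window
        for i, (start, _) in enumerate(hits):
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for src, hosts in find_share_spreaders(SAMPLE_EVENTS).items():
        print(f"{src} opened admin shares on {len(hosts)} hosts: {hosts}")
```

Event 5140 is written on the host whose share was accessed and only when the "Audit File Share" subcategory is enabled, so the records must be centrally collected before this cross-host pattern becomes visible.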
What is R17?
R17 was created to assist forensic investigators in quickly collecting forensic artefacts from a live Windows endpoint for offline analysis.
Written in C++ and statically linked, the tool is lightning fast and does not require any external shared libraries or other dependencies. It runs on all Windows platforms from Windows XP forwards.
More About Emotet Malware
Emotet is an advanced banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. It has several methods for maintaining persistence, including auto-start registry keys and services, and uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities (in November 2017 we blogged about the addition of anti-analysis and anti-sandbox techniques). Furthermore, Emotet evades typical signature-based detection, is Virtual Machine-aware, and can generate false indicators if run in a virtual environment.
It continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.
Emotet is distributed through
Remediation and Mitigation
The R17 analysis conducted by Secrutiny allowed a complete list of IOCs to be compiled to facilitate the clean-up of malicious files and services on the hosts. This was achieved using a custom-written command batch script, deployed and executed via a GPO, that located and purged the files and local services from each endpoint before rebooting it.
To mitigate future abuse of the privileges of the local administration shares on endpoints, a GPO was written to remove "Domain Users" from the local administration $ shares on all endpoints within the estate.
The remediation process further included deploying additional tooling to allow advanced monitoring of the site, for the purpose of identifying future infection or reinfection:
A DNS sinkhole was deployed organisation-wide, whereby all URL indicators gathered from the investigation were configured to resolve to loopback addresses. DNS monitoring was then implemented to gain live visibility of name resolution, and a dashboard was built to visualise hits against the known IOCs.
A Network Deep Packet Inspection sensor was deployed to watch traffic flows into and out of the network.
Centralised firewall traffic logging was also implemented.
Fortunately, the malware was caught very early, at the first stage of