28 NOVEMBER 2018

EMOTET BANKING TROJAN Seen Taking Advantage of Privileges of Local Administration Shares

In November, a UK law firm learnt the hard way the importance of limiting the privileges of the local administrative shares on its endpoints when the widespread Emotet malware appeared in its estate.

Incident Overview

The first indicator of a potential incident was a malware quarantining action by the customer's next-generation antivirus which affected 44 endpoints. To build a better understanding of the event and any associated activity, R17 collections from the endpoints were requested so that Secrutiny could conduct initial forensic analysis. While the R17 collections were being processed, more files were seen being quarantined and contained by the customer's antivirus on the same 44 endpoints.

Using the file hash, Secrutiny also obtained further samples of the malware from OSINT sources and executed them in a sandbox environment. A number of IOCs were correlated and an early assessment of an Emotet infection was reached. Once the forensic collection data had been processed, the infection was confirmed as Emotet delivering the Trickbot banking trojan as the secondary attack.

The following technical findings were also ascertained:

The malware operated at Layer 5, the "Session Layer", and spread from endpoint to endpoint by taking advantage of SMB access to the local hidden administrative shares Admin$, IPC$ and C$.

Most file artefacts were found in the C:\Windows directory; others were found in user data paths.

The infection was constrained to the single site and did not jump across the routed boundary to affect any other site.

After the initial infection, further files were quarantined by the organisation’s antivirus.

Following the initial forensic analysis, a further 51 files were identified, proving that a large number of malicious files had not been identified or quarantined by the antivirus product.
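As an added example (not part of the original write-up), the following Python flags the spread pattern described above in Windows Security event 5140 records, which log the share accessed (as \\*\NAME) together with the source address and account; one source touching ADMIN$, IPC$ or C$ on several hosts is the host-to-host movement the findings describe. The records, host names, addresses and accounts are constructed for the example.

```python
"""Flag endpoint-to-endpoint access to hidden administrative shares in
Windows Security event 5140 ("A network share object was accessed") data.
Sample records are constructed for this example, not taken from the incident."""
from collections import defaultdict
import re

# Hidden administrative shares the malware used to spread host to host.
ADMIN_SHARES = {"ADMIN$", "IPC$", "C$"}

# Constructed 5140-style records: (source address, account, target host, share name)
SAMPLE_5140 = [
    ("10.1.1.20", "CORP\\alice", "WS-023", r"\\*\IPC$"),
    ("10.1.1.20", "CORP\\alice", "WS-023", r"\\*\ADMIN$"),
    ("10.1.1.20", "CORP\\alice", "WS-031", r"\\*\ADMIN$"),
    ("10.1.1.20", "CORP\\alice", "WS-044", r"\\*\C$"),
    ("10.1.1.5", "CORP\\svc-backup", "FS-01", r"\\*\Backups"),
    ("10.1.1.9", "CORP\\bob", "WS-012", r"\\*\Public"),
]

# Event 5140 reports the share as \\*\NAME; pull out NAME.
SHARE_RE = re.compile(r"^\\\\\*\\(?P<name>[^\\]+)$")


def share_name(share_field):
    """Return the bare share name (upper-cased) from a 5140 'Share Name' value."""
    m = SHARE_RE.match(share_field)
    return (m.group("name") if m else share_field).upper()


def admin_share_fanout(records, threshold=2):
    """Map (source address, account) to the sorted hosts on which it touched an
    admin share, keeping only sources that reached at least `threshold` distinct
    hosts: one workstation account fanning out over ADMIN$/IPC$/C$ is the
    lateral-movement pattern seen in this incident."""
    targets = defaultdict(set)
    for src, account, host, share in records:
        if share_name(share) in ADMIN_SHARES:
            targets[(src, account)].add(host)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (src, account), hosts in admin_share_fanout(SAMPLE_5140).items():
        print(f"{account} from {src} hit admin shares on {len(hosts)} hosts: {hosts}")
```

Access to a user's own ordinary shares (the backup and Public rows) is ignored, so the alert only fires on the hidden administrative shares the incident abused.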

What is R17?

R17 was created to assist forensic investigators in quickly collecting forensic artefacts from a live Windows endpoint for offline analysis. 

Written in C++ and statically linked, the tool is lightning fast and does not require any external shared libraries or other dependencies. It runs on all Windows platforms from Windows XP forwards.

More About Emotet Malware

Emotet is an advanced banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. It has several methods for maintaining persistence, including auto-start registry keys and services, and uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities (in November 2017 we blogged about the addition of anti-analysis and anti-sandbox techniques). Furthermore, Emotet evades typical signature-based detection, is virtual-machine-aware and can generate false indicators if run in a virtual environment.

It continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.

Emotet is distributed through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or "past-due" invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate across the local network through its incorporated spreader modules. For more detail, please refer to the US-CERT website.

Emotet Infection Process (diagram credit: US-CERT)

Remediation and Mitigation

The R17 analysis conducted by Secrutiny allowed a complete list of IOCs to be compiled to facilitate the clean-up of malicious files and services on the hosts. This was achieved using a custom-written command batch script, deployed and executed using a GPO, that located and purged the files and local services from each endpoint before rebooting it.

To mitigate future exploitation of the privileges of the local administrative shares on endpoints, a GPO was written to remove "Domain Users" from the local administrative $ shares on all endpoints within the estate.

The remediation process further included deploying additional tooling to allow advanced monitoring of the site for the purpose of identifying future infection or reinfection:

A DNS sinkhole was deployed organisation-wide, whereby all URL indicators gathered from the investigation were configured to resolve to loopback addresses. DNS monitoring was then implemented to gain live visibility of name resolution, and a dashboard was built to visualise hits against the known IOCs.

A Network Deep Packet Inspection sensor was deployed to watch traffic flows into and out of the network.

Centralised firewall traffic logging was also implemented.
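The sinkhole monitoring step described above, as an added example that is not part of the original post: resolver query logs are matched against the sinkholed indicator domains (and their subdomains), hits are counted per client for a dashboard, and any hit that was not answered with the loopback address is marked, since that points to a resolver the sinkhole does not cover. The log format, indicator domains and addresses are constructed placeholders, not the incident's real IOCs.

```python
"""Match resolver query logs against sinkholed indicator domains and count hits
per client for a dashboard. Indicator domains and log lines are constructed
for this example and are not the incident's real IOCs."""
from collections import Counter
import re

# Constructed indicator domains (placeholders) and the loopback answer the sinkhole returns.
SINKHOLED = {"bad-example.test", "c2-example.test"}
SINKHOLE_IP = "127.0.0.1"

# Constructed log format: "<timestamp> client <ip> query <name> -> <answer>"
SAMPLE_DNS_LOG = """\
2018-11-20T09:01:02Z client 10.1.1.20 query cdn.bad-example.test -> 127.0.0.1
2018-11-20T09:01:05Z client 10.1.1.20 query update.example.com -> 192.0.2.10
2018-11-20T09:02:11Z client 10.1.1.31 query c2-example.test -> 127.0.0.1
2018-11-20T09:02:12Z client 10.1.1.31 query notbad-example.test -> 198.51.100.7
2018-11-20T09:03:40Z client 10.1.1.40 query bad-example.test -> 203.0.113.9
garbage line the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<name>\S+) -> (?P<answer>\S+)$"
)


def is_sinkholed(name, indicators=SINKHOLED):
    """True if name is an indicator or a subdomain of one. A plain suffix test
    would wrongly match notbad-example.test, so require the dot boundary."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)


def sinkhole_hits(log_text):
    """Return (hits, per_client). Each hit is (ts, client, name, answered_by_sinkhole);
    answered_by_sinkhole False means the query reached an indicator domain but was
    NOT diverted to loopback, i.e. a resolver the sinkhole does not cover."""
    hits, per_client = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the monitor
        if is_sinkholed(m["name"]):
            hits.append((m["ts"], m["client"], m["name"], m["answer"] == SINKHOLE_IP))
            per_client[m["client"]] += 1
    return hits, per_client
```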

Additionally, a Cyber Risk Audit was initiated to help identify any other rogue/anomalous components within the endpoint estate.

Fortunately, the malware was caught very early, at the first stage of the attack, thanks to the close vigilance of the organisation's administrator and the system monitoring checks conducted by Secrutiny. This was fortuitous and thwarted a wider issue. Emotet has been known to deliver ransomware if malware analysis techniques are detected, as a means of either interrupting the analysis or providing a false flag.