An analysis on the Emotet Trojan and Mealybug [2018]

Mealybug, the group behind Emotet has changed their business model from maintaining the malware to distributer of the malware. This cybercrime as a service has obtained the interest of other threat actor groups.

Mealybug is a threat actor group which surfaced in the year 2014.

Characteristics Emotet Trojan

The Emotet Trojan has the functionality to perform brute force password attacks – this often results in failed logins, which again can lead to locked out accounts. The effect of this can be seen at IT helpdesks – they will get spammed with messages from users that have been locked out.

The second characteristic of the Emotet Trojan is the fact that it will use obtained company information to spread itself – it will use it’s spam module, and this spam module will often send out emails which contain words like ‘Invoice’ and ‘Urgent’.

The Emotet Trojan also contains the following modules:

  • Banking module; This module is responsible for intercepting netwrok traffic from the browser to steal banking details which are entered by the user.
  • Email client infostealer module; This module will search the device for credentials that are bound to mail applications.
  • Browser infostealer module; This module steals data like browsing history and stored passwords.
  • PST infostealer module; This module reads Outlook messages archives and extracts personal information which can be used in future campaigns.
  • DDOS module: This module is used to command Emotet bots to target a specific environment with DdoS attacks.

The threat actor Mealybug might also be behind the following malware:

  • Trojan.IcedID
  • Trojan.TrickyBot
  • Ransom.UmbreCrypt

Meatybug has evolved its business model towards an end-to-end-service.

Emotet anti-analysis techniques

The threat actor behind Emotet has implemented multiple anti-analysis techniques in order to reduce the risk of the malware being caught by convential anti-virus solutions. The techniques which are used:

  • Performs mulitple checks to see if it is not running in an malware analysis machine
  • It uses powershell to download the trojan
  • It uses javascript to download the trojan

Once on a machine, the latest version of Emotet, will first move itself towards a preferred directory, once it has been moved, it will create a LNK file which will be run on start-up, and once that has been setup, the victim machine will start sending out information towards the Emotet command and control server.

Best practices

  • Employ two-factor authentication
  • Educate employees
  • Use strong passwords

Indicators of compromise

Dateadded (UTC) URL Status Tags
2018-08-04 04:45:21 psatafoods.com/ojason/doc/PO%20SA09464-2.exe Online emotet
2018-08-04 04:45:23 acadaman.com/tmp/pdf/rici.exe Online emotet
2018-08-04 06:13:12 mega360.kiennhay.vn/wp-content/uploads/s2UFJ Online emotet
2018-08-04 06:13:26 kamin-sauna.com.ua/whVeJ8l Offline emotet
2018-08-04 06:13:27 ekuvshinova.com/udfQrgHr Online emotet
2018-08-04 06:13:29 timlinger.com/rM Offline emotet
2018-08-04 06:13:31 cm2.com.br/oS Offline emotet
2018-08-04 10:58:02 kamin-sauna.com.ua/whVeJ8l/ Offline emotet
2018-08-05 16:45:05 34.212.46.198/3dC072F/Emotet1.doc Offline emotet
2018-08-05 22:45:03 files.catbox.moe/tply68.doc Offline emotet
2018-08-05 22:45:07 files.catbox.moe/tply68.doc Offline emotet

 

Recommended For You

About the Author: CWZ

Founder of Cyberwarzone.com.