On 15 November 2021, Emotet returned after an almost 10-month hiatus and is currently being spread again in large malicious spam campaigns. The malware operation behind Emotet was disrupted in January 2021 by law enforcement, leading to a dramatic reduction in activity. However, this lull has proven temporary, with Emotet’s return demonstrating the resilience of botnets and their operators. The malware’s resurgence raises questions about what has changed in the new binaries being distributed, which we briefly explore in this article.
Campaign Isolated by HP Wolf Security, November 2021
In November, HP Sure Click Enterprise – part of HP Wolf Security – isolated a large Emotet campaign against an organization. Figure 1 shows how a user opened an Excel email attachment containing a malicious macro. The macro spawned cmd.exe, which attempted to download and run an Emotet payload from a web server. Since malware delivered over email is extremely common, HP Sure Click automatically treats files delivered via email as untrusted. When the user opened the attachment, HP Sure Click isolated the file in a micro-virtual machine (micro-VM), thereby preventing the host from being infected. HP Sure Click also detected potentially malicious behavior in the micro-VM, so it generated and sent an alert to the customer’s security team containing an activity trace describing what happened inside the VM (Figure 2).
Figure 1 – Alert timeline showing user opening a malicious Emotet spreadsheet.
Figure 2 – Snippet from behavioral trace captured by HP Sure Click.
Finding code similarities
Using two unpacked Emotet samples, one from January 2021 and a second from mid-November 2021, we wanted to highlight the code differences to focus analysis on any new code. For this we used Threatray, which analyzes the structure of malware and classifies it based on code similarities. The service can also find function differences between two malware samples and highlight them.
Using Threatray’s API to retrieve code similarities returns a table of function addresses from both samples. If a row has function addresses in the columns of both samples, a similar function was found in each. Analyzing our two Emotet samples identified 80 of 246 functions as similar. The remaining 166 functions are therefore candidates for new code, changed code or different obfuscation, and are where analysis time should go.
Figure 3 – Threatray output table showing similar functions.
To streamline our analysis even further, we wrote an IDC script based on Threatray’s results, which colors known functions green. This way, we can concentrate on the unknown areas when reversing the malware.
Figure 4 – IDA Pro disassembly of the November 2021 Emotet sample with known functions in green.
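The following is an added example of the bridge between a similarity table and IDA, not the IDC script used by the HP Wolf Security team. It assumes the similarity table has been exported as CSV with one row per function and two hex-address columns, jan2021 and nov2021, a column being blank when no similar function exists in that sample; the rows below are constructed. It emits an IDC script that colours each matched November function (light green, an arbitrary choice) and records which January function it matched, so the cross-reference survives inside the database.

```python
"""Generate an IDC script from a function-similarity table (added example).

Assumed input format: CSV with header 'jan2021,nov2021', hex addresses,
blank cell when a sample has no similar function for that row.
"""
import csv
import io

# Light green; the value is symmetric so it reads the same in IDA's
# 0xBBGGRR colour encoding and in RGB (assumed colour choice).
KNOWN_COLOUR = 0xC0FFC0

# Constructed table standing in for the Threatray API export.
SAMPLE_TABLE = """jan2021,nov2021
0x401000,0x401120
0x401230,
,0x401560
0x4014a0,0x4017f0
,0x401a00
"""


def parse_similarity_table(text):
    """Return (nov_addr, jan_addr) pairs for rows where both samples have a
    function, i.e. the rows the similarity service flagged as matches."""
    pairs = []
    for row in csv.DictReader(io.StringIO(text)):
        jan, nov = row["jan2021"].strip(), row["nov2021"].strip()
        if jan and nov:
            pairs.append((int(nov, 16), int(jan, 16)))
    return pairs


def summarize(text):
    """(known, total) for the November sample: how many of its functions
    have a match, mirroring the '80 of 246' style figure in the article."""
    rows = list(csv.DictReader(io.StringIO(text)))
    total = sum(1 for r in rows if r["nov2021"].strip())
    known = sum(1 for r in rows if r["nov2021"].strip() and r["jan2021"].strip())
    return known, total


def make_idc(pairs, colour=KNOWN_COLOUR):
    """Build an IDC script (IDA 7.x API names) that colours each matched
    function and leaves a function comment naming its January counterpart."""
    lines = ["// generated: colour functions with a known match", "static main() {"]
    for nov, jan in sorted(pairs):
        lines.append(f"  set_color({nov:#x}, CIC_FUNC, {colour:#08x});")
        lines.append(
            f'  set_func_cmt({nov:#x}, "similar to January 2021 function at {jan:#x}", 0);'
        )
    lines.append(f'  msg("coloured %d known functions\\n", {len(pairs)});')
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    known, total = summarize(SAMPLE_TABLE)
    print(f"// {known} of {total} November functions have a match")
    print(make_idc(parse_similarity_table(SAMPLE_TABLE)), end="")
```

Run the generated script from File > Script file in IDA with the November sample open; everything left uncoloured is the set worth reversing by hand.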
Windows API function resolution technique
One of the ways Emotet hides its capabilities is by resolving Windows API functions at runtime. As a result, the function names appear neither in the Import Address Table nor as strings in the binary. To find the desired API function, Emotet instead uses hashes. A hash is passed to a resolution routine, which walks the export table of the target DLL and hashes each exported name in turn. When a computed hash matches the requested one, the routine has found the export and its address in the DLL, so the function can be called without its name ever being referenced.
Figure 5 – Emotet’s Windows API wrapper function.
Since these wrapper functions are not classified as similar, we wrote a Python script that resolves the hashes back to Windows API function names and annotates the call sites. For the Emotet sample from 16 November, we were able to resolve and annotate 109 different functions. We also resolved the functions of the sample from January 2021 to compare the differences in API usage between the samples. The following table lists the API functions that are unique to each:
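The following is an added example of the analyst-side resolver described above for both the hashing technique and the per-sample comparison; it is not the HP Wolf Security script, and the page does not describe Emotet's actual hash algorithm, so the hash used here is an assumed ROR-13-style placeholder that would be swapped for the real routine recovered from the resolver function. The export lists and the per-sample hash lists are constructed for the example; in practice the export names come from the real DLLs (for instance via pefile) and the hashes from the wrapper functions in each sample.

```python
"""Resolve API hashes to export names and diff two samples (added example).

The hash below is an assumed placeholder, not Emotet's real algorithm.
Export lists and sample hash lists are constructed for the example.
"""
MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name):
    """Assumed placeholder: ROR-13 accumulate over the ASCII export name.
    Replace with the hash routine lifted from the sample's resolver."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed export lists (truncated); enumerate the real DLLs in practice.
EXPORTS = {
    "kernel32.dll": ["CreateFileW", "CreateProcessW", "GetModuleHandleW",
                     "VirtualAlloc", "WriteFile", "Sleep"],
    "advapi32.dll": ["CryptAcquireContextW", "CryptImportKey", "RegOpenKeyExW"],
    "wininet.dll": ["InternetOpenW", "HttpSendRequestW", "InternetReadFile"],
}


def build_hash_table(exports):
    """Precompute hash -> (dll, name), the inverse of what the malware does
    when it walks an export directory comparing hashes one by one."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            h = api_hash(name)
            if h in table and table[h] != (dll, name):
                # Two exports with the same hash would be ambiguous for the
                # malware as well; surface it instead of silently overwriting.
                raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {(dll, name)}")
            table[h] = (dll, name)
    return table


def resolve(hashes, table):
    """Map each hash found in a sample to its API. Unresolved hashes are
    returned too: they mean the hash routine or the DLL list is incomplete."""
    resolved, unresolved = {}, []
    for h in hashes:
        if h in table:
            resolved[h] = table[h]
        else:
            unresolved.append(h)
    return resolved, unresolved


def diff_samples(resolved_a, resolved_b):
    """APIs unique to each sample as sorted 'dll!Name' strings."""
    a = {f"{dll}!{name}" for dll, name in resolved_a.values()}
    b = {f"{dll}!{name}" for dll, name in resolved_b.values()}
    return sorted(a - b), sorted(b - a)


# Constructed hash lists standing in for values pulled from each sample's
# wrapper functions; 0xDEADBEEF simulates a hash nothing in EXPORTS matches.
JAN_2021_HASHES = [api_hash(n) for n in ("CreateFileW", "WriteFile", "Sleep", "InternetOpenW")]
NOV_2021_HASHES = [api_hash(n) for n in ("CreateFileW", "WriteFile", "Sleep",
                                          "CryptAcquireContextW", "CryptImportKey")] + [0xDEADBEEF]

if __name__ == "__main__":
    table = build_hash_table(EXPORTS)
    jan, _ = resolve(JAN_2021_HASHES, table)
    nov, nov_missing = resolve(NOV_2021_HASHES, table)
    only_jan, only_nov = diff_samples(jan, nov)
    print("unique to January 2021:", only_jan)
    print("unique to November 2021:", only_nov)
    print("unresolved in November:", [f"{h:#010x}" for h in nov_missing])
```

Unresolved hashes deserve a look before trusting the diff: a hash that resolves against no known export usually means the sample changed its hash routine, a seed, or targets a DLL not yet in the export list, all of which would otherwise show up as spurious "new" API usage.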