
Emotet Trojan Authors Experiment with a Worm Component Enabling New Spreading Methods

Posted: July 24, 2017

The WannaCry and (Not)Petya outbreaks showed the world how easily a rather crude malware family can be turned into a seriously dangerous threat. The success of these two ransomware strains stems from the fact that they came with worm components that let them spread to other computers on their own. WannaCry scanned for vulnerable SMB hosts across the whole Internet, while (Not)Petya went after neighboring machines on the same network. Seeing how much damage the two attacks caused, other threat actors set about adding worm-like features to their own malware. We've seen this trend in some rather obscure cryptocurrency miners like Adylkuzz, and now we're seeing it with the much more popular Emotet Trojan.

First discovered in 2014, Emotet is best known as a banking Trojan, and researchers believe it is linked to Dridex, one of the most infamous malware families of that kind. In other words, it has a lot to live up to. In that respect, the approach Emotet's authors took when they decided to make the malware wormable might seem somewhat strange. Researchers from Fidelis Security provided the details.

Emotet has relied on spam emails as its distribution method since the very beginning, and this, it seems, isn't about to change anytime soon. The messages carry JavaScript that either contains the payload (a self-extracting RAR archive) or downloads it from a remote server. The archive holds two files, bypass.exe and service.exe. The first one is responsible for spreading Emotet to neighboring endpoints.

Emotet Trojan Gains New Crafty Features To Spread

First, bypass.exe enumerates all the network resources it can see and checks whether each one is a server or a regular PC. Then it tries to connect to IPC$, the hidden inter-process communication share that Windows exposes so that computers and applications on the same network can talk to each other over named pipes. If it fails to establish a connection, it enumerates the usernames on the network and tries to guess their passwords using a dictionary. The same brute-force attack is also launched against Administrator accounts. If it guesses a password, bypass.exe copies service.exe into the root of the C:\ drive on the remote PC and creates a service that executes it. In the samples Fidelis analyzed, the service was called "Windows Defender System Service." Note that nothing in this chain exploits a vulnerability: it depends entirely on reachable SMB shares and weak passwords, which also makes it noisy, since every wrong guess leaves a failed logon on the target.
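The spreading chain just described (a burst of failed network logons against several accounts, a successful network logon from the same source, then a new service installed with its binary in a drive root or under the lure name Fidelis reported) maps onto three standard Windows event IDs: 4625 (failed logon) and 4624 (successful logon) in the Security log, and 7045 (new service installed) in the System log. The detector below is an added example written for this article, not code from Fidelis or from Emotet; the event records it runs on are constructed to illustrate the pattern, and the thresholds (8 failures against 3 or more accounts within 60 seconds, a 10-minute correlation window) are assumptions to be tuned per environment.

```python
"""Correlate Windows event records into the Emotet-style lateral-movement chain.

Added example for this article, not the authors' or Fidelis' code.  Event field
names (EventID, IpAddress, TargetUserName, LogonType, ServiceName, ImagePath)
follow the standard Windows Security/System event schema; all sample values are
constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service name seen in the samples Fidelis analyzed (from the article).
EMOTET_SERVICE_NAME = "Windows Defender System Service"
# Assumption: a service binary dropped directly into a drive root (as bypass.exe
# does with C:\service.exe) is unusual for legitimate software.
ROOT_BINARY = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def _ev(time_iso, host, event_id, **fields):
    return {"time": datetime.fromisoformat(time_iso), "host": host, "EventID": event_id, **fields}


# --- Constructed sample telemetry (not real logs) ---------------------------
_BASE = datetime.fromisoformat("2017-07-20T09:00:00")
SAMPLE_EVENTS = []
# Dictionary attack from 10.0.0.5 against WS-17: 12 failed network logons (type 3)
# cycling through four accounts, two seconds apart.
for i, user in enumerate(["jdoe", "asmith", "backup", "Administrator"] * 3):
    SAMPLE_EVENTS.append(_ev((_BASE + timedelta(seconds=2 * i)).isoformat(), "WS-17", 4625,
                             IpAddress="10.0.0.5", TargetUserName=user, LogonType=3))
# A guess lands, then a service is registered for C:\service.exe.
SAMPLE_EVENTS.append(_ev("2017-07-20T09:00:30", "WS-17", 4624,
                         IpAddress="10.0.0.5", TargetUserName="Administrator", LogonType=3))
SAMPLE_EVENTS.append(_ev("2017-07-20T09:00:35", "WS-17", 7045,
                         ServiceName=EMOTET_SERVICE_NAME, ImagePath=r"C:\service.exe"))
# Benign noise: one mistyped password, and a vendor agent installed under Program Files.
SAMPLE_EVENTS.append(_ev("2017-07-20T09:03:00", "SRV-01", 4625,
                         IpAddress="10.0.0.9", TargetUserName="ops", LogonType=3))
SAMPLE_EVENTS.append(_ev("2017-07-20T09:04:00", "SRV-01", 7045,
                         ServiceName="Vendor Agent", ImagePath=r"C:\Program Files\Vendor\agent.exe"))


def find_password_guessing(events, window=timedelta(seconds=60), min_failures=8, min_accounts=3):
    """Return {(host, source_ip): (first_fail, last_fail, accounts)} for 4625 bursts
    that hit several accounts from one source, i.e. dictionary/spray behaviour."""
    fails = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e.get("LogonType") == 3:
            fails[(e["host"], e["IpAddress"])].append(e)
    hits = {}
    for key, evs in fails.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs)):  # sliding window over the sorted failures
            win = [x for x in evs[i:] if x["time"] - evs[i]["time"] <= window]
            accounts = {x["TargetUserName"] for x in win}
            if len(win) >= min_failures and len(accounts) >= min_accounts:
                hits[key] = (evs[i]["time"], win[-1]["time"], sorted(accounts))
                break
    return hits


def find_service_drops(events):
    """7045 events whose binary sits in a drive root or whose name matches the lure."""
    return [e for e in events if e["EventID"] == 7045
            and (e["ServiceName"] == EMOTET_SERVICE_NAME or ROOT_BINARY.match(e["ImagePath"]))]


def correlate(events, window=timedelta(minutes=10)):
    """Chain: guessing burst -> 4624 type-3 logon from the same source on the same
    host -> suspicious 7045 on that host, each within `window` of the previous step."""
    findings = []
    drops = find_service_drops(events)
    for (host, src), (start, end, accounts) in find_password_guessing(events).items():
        logons = [e for e in events if e["EventID"] == 4624 and e["host"] == host
                  and e.get("IpAddress") == src and e.get("LogonType") == 3
                  and end <= e["time"] <= end + window]
        for lg in logons:
            for d in drops:
                if d["host"] == host and lg["time"] <= d["time"] <= lg["time"] + window:
                    findings.append({"host": host, "source": src, "guessed_accounts": accounts,
                                     "compromised_account": lg["TargetUserName"],
                                     "service": d["ServiceName"], "image": d["ImagePath"]})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[!] {f['host']}: {f['source']} guessed {f['guessed_accounts']}, logged in as "
              f"{f['compromised_account']}, installed '{f['service']}' -> {f['image']}")
```

The single-host correlation is deliberate: bypass.exe pushes service.exe to each victim it cracks, so the service install lands on the machine that just absorbed the failed logons. Running the same logic grouped only by source IP would additionally surface the scanning phase, at the cost of more noise from legitimate admin tooling.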

So, instead of borrowing the NSA-derived exploits from The Shadow Brokers' leaks, as the crooks behind WannaCry and (Not)Petya did, Emotet's authors implemented a far simpler worm mechanism. Or did they?

According to Fidelis' experts, there are quite a few signs that, at the moment, the Emotet gang is simply experimenting. The researchers noted that in many of the cases they observed, once service.exe was installed on a machine, it did nothing more than grab the computer name and send it to the Command and Control (C&C) server. Sometimes Emotet would download additional payloads chosen by the victim's geolocation and use those for stealing usernames and passwords. In other words, it acted as a humble dropper, not exactly the purpose it was originally designed to serve.

In the future, we might see Emotet go back to using its own credential-stealing capabilities, and we might also see a much more sophisticated worm component. Considering the woeful password policies of some organizations and users, however, even the current one might prove horrifyingly effective. The defenses it runs into are equally unglamorous: account lockout thresholds, unique local administrator passwords, and no SMB reachability between workstations stop this spreading method outright.
