Season 1, EP 3

Emotet Unbound: Understanding the Risk

April 13, 2022 | Paul Roberts

In this podcast, we dig deep on the Emotet malware with two noted experts: Dado Horvat of ReversingLabs and Dragan Damjanovic of KPMG and talk about the evolution of the threat and the latest Emotet IOCs.

EPISODE TRANSCRIPT

PAUL ROBERTS
Hey, everybody, how are you doing? My name is Paul Roberts, and I am the cyber content lead here at ReversingLabs and the host of our regular podcast, ConversingLabs. And this is the third episode of ConversingLabs. Thank you, everybody who is joining us, we've got a pretty amazing show for you today. Last episode, if you were with us, we were talking about the Conti malware and we were going into what's going on with Conti malware. This episode is somewhat related. We're talking about Emotet, which is a piece of malware that actually the Conti group is promoting and out there using very actively, but that has its own kind of history and capabilities and is really a growing threat out there. Even though it's been around for a while, it's a growing threat that folks need to know about. So we've invited two folks who are really experts not just in malware, but really have a lot of familiarity with Emotet on the cyber defense and threat detection side. I want to take a second and introduce them. First up is Dragan Damjanovic, who is a threat intelligence manager and at the Global SOC at KPMG. Dragan, welcome to ConversingLabs.

DRAGAN DAMJANOVIC
Nice to have you too. Thank you.

PAUL ROBERTS
Tell the folks. Well, our other guest is Dado Horvat, a senior threat analyst here at ReversingLabs. Dado, welcome. How are you?

DADO HORVAT
Excellent.

PAUL ROBERTS
Okay, so before we get going, let's just kind of get you guys introduced to our audience. Dragan, tell us a little bit about yourself and your background.

DRAGAN DAMJANOVIC
So I've been doing threat intelligence for more than five years now at KPMG, globally. My role spans sabotage gathering, creation retardance, malware reversing, and standard SOC duties. I work with a few charity organizations that help mostly hospitals and small businesses to fight cybercrime.

PAUL ROBERTS
Great. Dado, tell us about yourself.

DADO HORVAT
Hi, everybody. My name is Dado Horvat. I'm based in Zagreb, Croatia. I joined ReversingLabs in 2018 as a senior threat analyst, currently serving in the role of solution architect for this region. Previous to that, I was part of the management board office for security in a financial institution. And that takes me back to the time when I first encountered Emotet.

PAUL ROBERTS
Yeah, and we're going to talk about that. I'm Paul Roberts. I'm the host. I wanted just a little bit of housekeeping before we dive into Emotet. We are taking questions from the audience, and so we very much want to know what's on your mind. There is a Q&A feature at the bottom of kind of your zoom webinar screen, and feel free to pose questions there. Carolynn, who is one of our cyber content writers here at ReversingLabs, is going to be helping to kind of moderate the questions, and so she will present those when we're kind of done with our conversation. And so please do that. Another thing is we do have ConversingLabs T-shirts to give away to the lucky few of you who can correctly answer some polling questions that are going to be kind of loosely based on the stuff that we talk about here in our conversation. So pay attention, we're going to have a short series of questions at the end and for folks who answer, I think most of those right, they will get a ConversingLabs T-shirt, very exclusive, very high demand, so stick around. Okay. Gentlemen, Emotet, this is a threat. I mean I've been writing about cybersecurity for a long time and Emotet is on the one hand not a new malware threat. It's been around for a number of years, I think around eight years. Either one of you could you just maybe Dragan, tell us what do we need to know about Emotet, what does it do? I know it started as a piece of banking malware but it does much more now. So just tell us kind of what this malware is and what it does.

DRAGAN DAMJANOVIC
So Emotet is not new. As you said, it started in 2014 as a banking Trojan, but pretty fast it changed to modern malware, and it's used to download additional malware after that, like TrickBot. And we know that in 2021 there was a takedown by Europol and Interpol, and it took them a few months to get back, and now it's the same. They continue to be modern malware used for enabling other malware and other groups to do their hacking or infection, ransomware. It depends on what they pay, what they want to have.

PAUL ROBERTS
Right. Does it still function as banking malware? Is that part of part of what...

DRAGAN DAMJANOVIC
It still has that functionality, but that module is not much used. I didn't see any usage for more than eight to ten months at all. The option to download it is still there, but being a banking Trojan is not the main purpose anymore.

PAUL ROBERTS
Okay, what do we know about where Emotet comes from, what the origins of it are? Who is behind the development of this malware, either back when it was started or now that's changed? What can you tell us about where this malware comes from?

DRAGAN DAMJANOVIC
So based on the country logs that were shared by researchers, there are some indications that the developers or runners of Emotet are based in ex-Soviet Union countries. As we know, in the first takedown an administrator was arrested in Ukraine, so I think they're mostly ex-Soviet countries, because criminal ties between all criminal organizations in the former Soviet Union are still strong, and I think that is where they're running from. As for developers, based on the other malware that we have, TrickBot and others, we saw that a few developers are in different countries. So I don't think that everyone is exclusively sitting in the Soviet Union, but I think the operators, the owners, are there.

PAUL ROBERTS
And kind of if you look under the hood at this like how it's developed, this is basically a for profit development organization, right, who's managing the software? Dado or Dragan?

DADO HORVAT
Yeah. So what we're seeing lately is that the primary objective of Emotet is not committing crime per se. The bigger income for them would be reselling access or serving as a dropper for third-party tools and third-party payloads like TrickBot, et cetera. And what's very interesting is that the simplicity of the whole delivery chain hasn't changed much in the last eight years. It always relies on Office documents. The lures are not particularly well crafted, I would say not spear-phishing, some APT-level stuff. But again, they are in a game of numbers, they are into distribution. We are seeing that on our back end at ReversingLabs. They only need like a fraction of users to enable macros and start the infection chain. And obviously it still works, like eight years after it first emerged, it's still going strong. I remember reading in January 2021, when the first disruption effort took place from Europe, and authorities said, well, Emotet is done for good. And to be honest, I was a bit sad when that occurred, because when I was working in a financial institution, we were seeing daily Emotet campaigns and they were working like clockwork. Very precise, very, I would say, predictable. And again, it obviously works, because otherwise they wouldn't continue as they did. The downtime for Emotet took until like November 2021; we had headlines that Emotet is back, and we see steadily that Emotet, in volume, doesn't represent like a very large percentage of daily C malware code, but it's very consistent. So it's very steady, and I don't think it's gradually changing. I would say a business model where they are dropping different tools, and Dragan will share some insights later on what he's seeing on his endpoints.

PAUL ROBERTS
Got it. And when we call it a dropper, obviously, as the name suggests, that means one of the functions that performs is to deposit other payloads on target networks like ransomware.

DRAGAN DAMJANOVIC
Yes. To enable other malware to run on the host. Yes, ransomware is one of them. What we noticed in the last few months is they're using Cobalt Strike as a second payload, which is mostly used for lateral movement and the post-exploitation phase. Before, I think they worked with Ryuk. Again, now with Conti. I think they are now just selling access and enabling ransomware groups to have more targets.

PAUL ROBERTS
It's one of the interesting things about the Cybercriminal Underground is that there's a supply chain, right? And there are groups that are really just kind of tools providers to other groups, whether ransomware groups or what have you, right? And that's kind of the role that the Emotet organization plays. So you both mentioned this takedown that happened in, I think, early 2021 that was coordinated by Europol. Can you just talk about what happened back then and what prompted it? So there was this effort to take out Emotet. What happened? And was there some specific incident that prompted the authorities to do that operation?

DRAGAN DAMJANOVIC
Not sure if there's a specific incident that prompted them, but at that point in time Emotet was the biggest email distribution malware. Then they decided, okay, it's too much. I think Microsoft had statistics that every third email that came to them was part of Emotet.

PAUL ROBERTS
Right.

DRAGAN DAMJANOVIC
So at that point they said we have had enough, and they worked together with Europol and other protection agencies to do a synchronized destruction, a synchronized takeover of the domains and IPs that Emotet was using. This is the first time that they uninstalled malware from infected PCs. I know legally if it's right to do that or not, because you're removing files from users on the web.

PAUL ROBERTS
Right, other people's computers.

DRAGAN DAMJANOVIC
Right but as I said, I support direction 100%. When Emotet stopped it was really - it was really like site out from our SOC analyst.

PAUL ROBERTS
So you saw a drop off after that event?

DRAGAN DAMJANOVIC
The drop-off was only short, because TrickBot came in their place and took the...

PAUL ROBERTS
The business.

DRAGAN DAMJANOVIC
and BazarLoader. Then we had a takedown of TrickBot; now that happened, it was just temporary.

PAUL ROBERTS
And you said that over a period of months basically within I forgot six or ten months basically reemerged. What do we know about what happened or what changed between the takedown and the reemergence? Was this just we got new infrastructure but we're basically distributing the same code or were there changes to the malware itself?

DRAGAN DAMJANOVIC
So there were changes in the malware, not much functionality, but there was a change in the ways they encrypt their copy files where they store the first layer of C2 servers; that is a whole rebrand with totally new encryption. I think the last samples have obfuscation of the flow, the execution flow, and that's more to stop reverse engineers from figuring it out. But the rest is the same. Conti was new when they started. Luckily for them, or maybe through someone they know, Log4j came out and they used that to ramp up their spamming campaigns and to ramp up their infrastructure, and that helped them a lot to get back faster, because when they came up the first time in November, I think they had only five C2 servers, and now they have more than 15 in Conti.

PAUL ROBERTS
So the Log4j vulnerability helped them rebuild their compromised infrastructure that they use to distribute. Right. Interesting. Dado, you were saying that from a detection standpoint for defenders basically that Emotet generally is not a targeted attack on your organization and by targeted we mean targeted phishing where they've done a fair amount of open source research and they're going after specific employees. This is just sort of casting a wide net, is that right?

DADO HORVAT
Yeah, the incredible thing is it still works. In my previous day job, a financial institution, they were targeting approximately 95% of our address list, and if something happened that our controls or detection mechanisms didn't work and some of the files got delivered, you'd always see several people, like three, four or five, clicking on the link, and that created, well, a mess on our side. Because you're expecting, when you're seeing day in and day out the same thing, same behavior, different hashes, but same threat family, you would expect the detection mechanisms to get better. So, on our side, our solution to the problem was basically creating our own set of IoCs. By that, meaning we would start with a single hash that we received, we detonated it dynamically and extracted all the C2 information, then put that C2 information first. We would block on the proxies every attempt at outbound connections, and also we would search our logs to see if any of the machines actually had been infected. And we were quite successful with that. So we were trying to keep a step ahead of the bad guys. It was a very tedious job, because there was only a handful of samples that you could analyze and create your own set of IoCs from. When I joined ReversingLabs, we encountered numerous customers, especially from the FI world, asking us could we help with extracting or generating meaningful IoCs for them for Emotet. And this is something that I would like to share my screen and just show you. This is our platform, the A1000. It's used for analyzing samples; we start with a simple Emotet hash. As you can see, there's a storyteller about what this particular file does. Everything is more or less known. So as an analyst, what I want to see now: I have a single sample. So I would like to see first all the Emotet samples that they have in my database, the universal app database. And then I would like to see extraction of network information.
So for that, obviously by static analysis it's very difficult to extract information, because a lot of times it's being generated on the fly. So what we do is we use a set of dynamic solutions: we use our proprietary ReversingLabs sandbox, we use Google, we use FireEye, and we use Joe Sandbox. So where this takes us is the following place. So what I'm doing is highly automated; it is done by APIs. So what we're doing is first we're searching our database for all traces of Emotet seen, for example, in the last two weeks. As the query is loading, we will see that it will probably have around 2000 samples in the last week. Actually, I can share my screen with the distribution of Emotet that's been seen on our side. This is from January 1 this year. These are not extreme numbers, but obviously, first of all, this does not correspond with honeypots and endpoints. This is indicative; it represents the number of...

PAUL ROBERTS
These are samples that were found on real production environments.

DADO HORVAT
But there is a trend and you can more or less, Dragan can confirm the stuff that he's seeing on his endpoints, that Emotet is steadily being seen in the wild.

PAUL ROBERTS
And those kind of waves those just correspond to basically campaigns, right?

DADO HORVAT
Yeah. So you will not see Emotet campaigns during the weekend, you will not see campaigns flushing out at the same time. So one of the things that we knew in an international institution, and Dragan can attest to that, is they will follow the bedroom of a certain time zone. So they will not deliver emails for US-based victims in the middle of the night, because that would be very suspicious. They will not do it during the weekend. So they're quite aligned with the targets, and that adds to the conclusion that they're probably plus or minus several hours from the India region. So that corresponds with Dragan's conclusion that they're probably in Russia. So, for example, what we see now in our advanced search is we found 11,000 samples of Emotet in our database. What we will do now is I can take everything I want, detonate it in a dynamic solution and extract network information. Fortunately, these are pre-processed on our side. So what's happening behind the scenes now is, first of all, we are doing the advanced search for Emotet, and then we're looking for our advanced analysis. So the entry within our API query would be the result of this, which would be your sandbox analysis, and it will extract URLs, IPs, et cetera. So when you chain this action and run this over a larger set of data, you will end up with something looking like this. So this is something where obviously there will be some false positives here, there will be some local addresses, there will be a lot of the things that we are seeing with malicious payloads when they're trying to mimic and hide within legit traffic. But on the other hand, you will see a lot of IPs that you can use, with this extraction, with your SIEM, and hopefully it will help you stay a bit ahead of the game. So there are a lot of awesome tools, a lot of repositories online that you can search. For example, I took the example of one IP address that can be found on GitHub, and again you can cross-reference that with samples in our database.
So I'm looking for this particular IP address, and the result is we see that there are like 1200 Emotet samples that are using that particular setting.

PAUL ROBERTS
Was that taken actually from the code, from the Emotet code? Or was that taken just from a sample?

DADO HORVAT
Very solvable, fine IPs, hard coded input. It happens dynamically. It needs to be executed. In this example we just used publicly available IoCs on GitHub. As you can see, there will be like 135 addresses, and that will not take you very far. Yeah. While with extraction like this, which would be two weeks of data, you end up with more than 1000 lines of different IPs. And after you clean up the whole process, you will end up with really, I would say, relevant threat intelligence that you can work with, and then you can create your own controls and hopefully eradicate any signs of it.

PAUL ROBERTS
So just connecting the dots, you would take those IP addresses that you got from the associated with the Emotet samples. And again, this is from ReversingLabs platform. And that would be data that you could then use to interrogate your own traffic logs to see am I seeing traffic to or from this IP address that I know is associated with the Emotet?

DADO HORVAT
I suggest we jump to Dragan. And if you could share some of his telemetry. Dragan is being modest here. So he's in charge of 4 million endpoints. So I would say he's the best authority.

PAUL ROBERTS
That's a big platform. Yeah.

DADO HORVAT
So if anybody's seeing Emotet, that would be Dragan.

DRAGAN DAMJANOVIC
Can you see my screen?

PAUL ROBERTS
Yes, maybe just make it a little bit bigger, but yeah. Perfect.

DRAGAN DAMJANOVIC
So this is the data that we got for the 4th of April. This is directly from our email gateway provider that we use, so global metrics. So there are around 63,000, and 20, almost 18,000 different attachment parameters. And it targeted more than 100 different companies in different verticals, as we saw from Dado; it was part of the epic five that he checked. I think there are 46 in summary here. This is the rest of them. This is the change in encryption in the config. They use two keys to encrypt the config, not like before, but they use that Cobalt Strike they are trying to dump after running. And this is where they're getting their second stage and third stage.

PAUL ROBERTS
Okay, that would be post-Cobalt Strike.

DRAGAN DAMJANOVIC
Yeah. So if you are lucky to be chosen, you get the Cobalt Strike, yes.

PAUL ROBERTS
And just to clarify, so over the years, Emotet's been associated with different types of deliverables first stage malware. And you're saying these days what you're seeing a lot is that it's dropping Cobalt Strike.

DRAGAN DAMJANOVIC
In the last month and a half. It's primarily Cobalt Strike directly.

PAUL ROBERTS
And just for attendees that don't know, what is Cobalt Strike, what does it do?

DRAGAN DAMJANOVIC
Cobalt Strike is a legitimate pen testing tool made by a company; I think they've now been bought by a different one. It's a legitimate tool. You can buy it online for, I think, four grand. And it's already linked to the underground and it's shared for free between groups. It's a really good tool for post exploitation, if anyone knows about it; similar to Metasploit, just much more powerful, much stealthier than Metasploit.

PAUL ROBERTS
Right.

DRAGAN DAMJANOVIC
It's always not a good sign if you have something like that in your environment.

PAUL ROBERTS
Right. So like Metasploit or Mimikatz, Cobalt Strike is one of these kind of dual-use tools that can be used by internal red teams, pen test teams, to assess your risk posture and your security. But it is also used as an offensive tool by malicious actors.

DRAGAN DAMJANOVIC
Yes, it can be used for offensive. Yes.

DADO HORVAT
The importance of mentioning Cobalt Strike in the Emotet context is the following picture. So these statistics are shared by Symantec, and they list the most frequently seen pre-ransomware tools. So obviously Cobalt Strike is very, very high, and as we see Emotet dropping Cobalt Strike, it's fairly obvious what's going to happen for you on the third step. So this is a topic that was discussed by my colleague Patrick Knight, and you can see his analysis on the connection between Cobalt Strike and recent ransomware attacks. So, as we see, Emotet is not evolving as much as it's positioning with buyers. So obviously there is a great demand for highly targeted strikes on, I'd say, lucrative targets that are capable of paying out large amounts of ransom. And $4,000 for Cobalt Strike is not really expensive. And seeing that Emotet is dropping Cobalt Strike is an indication that they're really good at adapting to the current landscape and the whole ecosystem of the underground, where bad guys are simply purchasing access to various endpoints.

PAUL ROBERTS
Let's talk about some of the indicators of compromise that we know are associated with the Emotet. Again for folks on the line who are looking to defend their environments, prevent infection by Emotet or at least lessen the damage if there is an infection. What do we know about sort of the telltale signs? You mentioned some of the IP addresses that are associated that are pushing Emotet. So that's good. What are some of the other telltale signs of this malware?

DRAGAN DAMJANOVIC
So after the execution of the malware, after a user double clicks on attachments and enables...

DADO HORVAT
Dragan, just... The most important measure is not to click on enable macros. 90% of everything starts with enabling macros on Office documents.

PAUL ROBERTS
Click an email attachment and it tells you you have to enable macros. Do not do that.

DADO HORVAT
User Awareness, yes.

PAUL ROBERTS
Or at least it's a big red flag, right?

DRAGAN DAMJANOVIC
Yeah, user awareness is the first way to do it. The second, in case the user clicks for who knows what reason: what is good to look for is process creation from any Excel, Word, PowerPoint, Microsoft Office application to something like PowerShell, CMD, VBScript or something like that, that is not usually used in conjunction with an Office document. Just to say, Google Suite doesn't have that problem that much, because mostly it's online and doesn't allow macro running and it's running in different ways.

PAUL ROBERTS
G suite.

DRAGAN DAMJANOVIC
Yeah, so you can use that and the skills if you want to change, but that is the sum of the TTPs. So after execution, and if you miss that process creation, it will always start standard recon. So to check if the user is part of the domain, if the user is admin, it will try to query the domain for domain controllers, for a forest, if it is part of a forest, and it will try to pull all the users from the domain and send them to the C2 servers. So this is something that you should look for in case you missed everything before then.

DADO HORVAT
If I may add, Dragan. So we were discussing previously how you see some unusual traffic going towards C2 servers of Emotet. Contrary to popular belief, those will not be hosted in Russia, they will not be hosted in China. Incredibly, like 80%, the biggest number of C2 servers for Emotet are hosted in the United States. So geolocation is not a good way of detecting something that is happening. I would say start with IPs, with threat intelligence; the majority of the list is publicly available. Create your own threat intelligence. Create alerts on your team if you see any traffic going towards those locations. It might not be too late, but I would say the biggest problem for financial institutions at the moment is first data exfiltration, more or less with ransomware.

PAUL ROBERTS
More than ransomware you mean?

DADO HORVAT
Yeah. So solid organizations will be able to recover from backup, et cetera. But if you lose data, your customers, your PII, it creates a big problem for you. And we are seeing constantly that companies are paying up to those demands in an effort to dodge the bullet and maybe not get fined by GDPR and similar parties.

PAUL ROBERTS
On one hand you think, like, well yeah, of course, if your attachment is asking you to enable macros or whatever. But I guess one thing to note is in industries like financial services, it actually might be pretty common that you're going to be getting spreadsheet attachments that have scripts embedded in them, or macros, just as part of your job. So in those environments maybe it isn't that unusual to see something like that, right?

DADO HORVAT
Yeah, if that kind of attachment is originating from outside your organization, it should be up to SOC teams and security teams to make sure that those files are sanitized properly before ending up on endpoints.

PAUL ROBERTS
Can organizations, most organizations I'm guessing already have some kind of email gateway that they're using, but it sounds like you really can't count on that catching all of these dodgy attachments before they get to your users' inboxes.

DRAGAN DAMJANOVIC
There is no silver bullet. If there were a silver bullet, everyone would use it. There are a few options in Microsoft Office where you can enable and disable macros. In the financial institution where I work we cannot disable macros; there is too much usage of them. We only check for ones that are not normal, like not seen every day, same as with PowerShell or something like that. There are additional options, but one that will put a strain on IT teams is to enable signed macros, but for that you need a team who can, if the client sends a new macro, do reconnaissance on it, sign it yourself and send it to your user. That takes time and costs money, and time is money in the audit industry, so in smaller industries you will be able to do it, but in the big ones it's not that easy. But there are always ways to do it. Is there any way to disable? As I said, it depends on the industry.

PAUL ROBERTS
Before we go, I got one or two more questions for you. I just want to remind the folks who are attending we are going to be taking questions. Dragan and Dado are both open to taking questions. So you've got two malware and threat analyst experts on the line. They don't come cheap. So if you've got questions, go ahead and pose them and we will ask them before we break. And use the Q&A feature on Zoom to do that. So you mentioned that Cobalt Strike is the new drop of choice for Emotet. What should our viewers know about that particular drop, that piece of malware, and what should they be monitoring for or looking out for with Cobalt Strike? So this is assuming they're not able to detect Emotet, it executes, somebody clicks on a link, and it drops Cobalt Strike. What then, from a threat detection and response standpoint?

DRAGAN DAMJANOVIC
If they're not able to detect Emotet, I'm not sure they would be able to detect Cobalt Strike either, because Cobalt Strike is much more sophisticated than the Emotet malware. Cobalt Strike's telltale signs are the named pipes that it creates; it's always random names and they're not creatable by humans, so that's a pretty easy way to detect it, and it's like four to eight letters and numbers and it's always random. But for that you need to have an EDR capable of reading that, or Sysmon with the named pipe collection. Additionally, what you can check is an unusual process creating different other processes, or trying to execute memory dumps, or going from one machine to another with a service account or user account. Something that tells you that there is a possibility of malware but our tools didn't detect it, and with a memory snapshot of the affected machines, or a machine that they tried to move on to. There are tools on GitHub online that will detect Cobalt Strike in memory, because most times they run only in memory and they don't run from the hard drive. So I think that is the best way to detect that.

PAUL ROBERTS
Dado, anything to add on that?

DADO HORVAT
I recently spoke to a colleague who's still active within an FI. When you get an alert that Cobalt Strike has been detected in your environment and you're not performing pen testing at the moment, you are already in big trouble. So I can only imagine what kind of cases the SOC teams have when they hit alerts on 40 Cobalt Strikes detected in their network; it's really not a pretty sight. So the best way is to even stop that section of the chain from occurring; you need to be preventive even to floors - there are enough tools, there are enough indicators to prevent Emotet from ever making the destination foothold. Today we're talking about Cobalt Strike. I've seen news that the Emotet group has already chosen some new tools for reconnaissance. So today it's Cobalt Strike, tomorrow it will be something else. So definitely, with something that's basically legacy and a commodity in our field of work, after eight years of seeing Emotet, a decent organization should be able to create controls and prevent these instances from happening.

PAUL ROBERTS
Again, you mentioned it may be used for data theft or ransomware these days, what are we seeing mostly? Is Emotet, we know the Conti group is using it. They're a ransomware outfit. Is Emotet mostly a precursor to a ransomware attack? Or...

DADO HORVAT
I remember that Emotet, when it was dropping Dridex, it was 2017 and I was still working at an FI. So the infection is happening on the client side, obviously. And the amount of work that's needed from an organization, from the bad guy side, is, I would say, an effort to conduct bank fraud via stealing OTPs, injecting browser sessions, et cetera.

PAUL ROBERTS
Credentials, right. 

DADO HORVAT
It's larger than you... and banks have stepped up. They've seen the losses that they were taking from 2017. I would say that the new game is ransomware. The payouts are much bigger. All the middlemen are excluded. Like there is no need for money mules, there is no need for funneling actual money through...

PAUL ROBERTS
Cryptocurrency took care of all that for us.

DADO HORVAT
Cryptocurrency really is... Everything that's happening previously. As the losses progress, as the losses become unacceptable and this risk appetite becomes unacceptable for all organizations, I believe that they will step in and more effectively battle the whole ransomware space.

PAUL ROBERTS
Before we go to questions, is there anything I didn't ask you, either of you, Dragan or Dado that you want to say, any points you want to make?

DRAGAN DAMJANOVIC
If you can disable macros...

PAUL ROBERTS
Do it.

DRAGAN DAMJANOVIC
If you can.

PAUL ROBERTS
Okay. Carolynn.

CAROLYNN VAN ARSDALE
Hi there, everybody. My name is Carolynn van Arsdale. I'm a cyber content creator here at ReversingLabs. So I guess it's time for some questions. How about that?

PAUL ROBERTS
Yeah, sounds good.

CAROLYNN VAN ARSDALE
Okay, sounds good. We do have a few questions. First off, is EDR reliable to detect Emotet or Cobalt Strike?

DRAGAN DAMJANOVIC
Yes. The short answer is yes. It will depend on the EDR. You will need to create some additional rules if they don't already exist for stuff like that. But yes, that's the short answer. It will help you prevent Emotet and other malware, but it needs to be set up correctly.

PAUL ROBERTS
So both the gateway protection around your email in particular, but then also on the endpoint.

DRAGAN DAMJANOVIC
Yeah, because a user can always download Emotet from their Gmail account or any other email provider that they use. It's not always good to detect it yourself, because every user has their own private email from which they can download a sample if they get sent one. So EDR is a good solution to help.

DADO HORVAT
I would say the prevention on the email gateway would be step one. Emotet is almost exclusively delivered by email. There are large chunks. You'll see 90% of your address book being spammed with the same or very similar subject, all containing... I understand the need for Office documents containing macros, but do we need, like, 10,000 people in your organization? Do they need the exact same thing? There are a lot of custom rules that you can create, if your mail gateway allows you to. And when you see combinations of different senders, the same subject, large chunks of data being delivered simultaneously to a large number of recipients, these are all things that any decent SOC should be able to prevent or analyze before releasing them to the endpoints.

PAUL ROBERTS
Okay.

CAROLYNN VAN ARSDALE
Great, thank you both. Next question for you both. So, to talk about the international operation that happened to take down Emotet, which obviously resurged in late 2021: do you two think that the Conti ransomware group is a big player in this resurgence? Do you think that if Conti had not stepped up to the plate to bring them back, it would have had that resurgence?

PAUL ROBERTS
So is Conti responsible for the resurgence in Emotet?

CAROLYNN VAN ARSDALE
Right.

DRAGAN DAMJANOVIC
I don't think so. I think they most likely had Log4j, not Conti, to extend their network. When they started there was some overlap in infrastructure, but most of that is just because they are hosting in the same data center. But I don't think that Conti at that time helped Emotet to rebuild. I think they rebuilt it by themselves. It took them more than ten months to do it, so I think they were not ready for the takedown, but they have a contingency plan in case stuff happens. And I think now it's much harder to take them down fully than before, because they learned, okay, if they take our servers, we need to rebuild. And I think that will be much harder to do now. But if that happens, I will support them. 100% law enforcement, not Emotet.

DADO HORVAT
Yeah. If everybody recalls the pictures that were shared by Europol, I would say hopefully they are paying their operators and admins a bit more than that.

PAUL ROBERTS
This is from one of the arrest sites I think? From the takedown...

DADO HORVAT
They need to pay more for their workers. This doesn't look like a kind of operation.

PAUL ROBERTS
It's not a lambo-type of operation.

DADO HORVAT
It almost resembles some kind of decoy, I would say. When I first saw the pictures I was like, no way. This was behind all the trouble, all the pain, all the sleepless nights that we had? Like, there's no way in hell that this could end up being the whole Emotet. Yeah, unfortunately you were right. So resurrections of Emotet...

PAUL ROBERTS
So do you think that that was just a low-level operator, basically, and not the folks who are running Emotet?

DADO HORVAT
I would say obviously the traffic went down, so something happened. Maybe it was just that some people got arrested. Probably the kingpins, the guys who are higher on the scale, maybe just laid low for some time to see what the follow-up would be and all the actions that would be taken from Europol's side. And when they saw that it was clear, obviously Emotet resurrected stronger than it was previously.

PAUL ROBERTS
Yeah, I mean, we kind of think of malware operations as just swimming in cash and driving Lambos onto yachts and stuff, but for a lot of people it's just like a nine-to-five job. They might not be making much more than they'd make working in the private sector.

DADO HORVAT
That is absolutely true. Like, we saw the latest revelations about malware groups, how much they were paying their personnel, like, all the structure that was organized. One of the things that I noticed when I used to work for a financial institution was that those guys who were conducting the attacks on our platform, our online banking platform, needed to manually interact with our screens. And what we saw was that they started almost aligned with our time zone. And they also had their coffee break. They also had their lunch break, like, from twelve to 2:00 p.m. nothing was happening. The bad guys came back and they finished their work at 5:00 p.m. So for them, it's also like nine-to-five work. I would say that the bad guys will obviously follow the money. They will go into sections where, with the least effort, they can yield a bigger return. So I would say Emotet is here to stay unless something dramatic happens in the meantime. But obviously the focus has shifted to other issues these days, so I'm not seeing that Emotet is a priority for anybody these days.

PAUL ROBERTS
Great. Carolynn, any more questions or should we move ahead to our poll?

CAROLYNN VAN ARSDALE
Why don't we go ahead to the poll? Okay, great.

PAUL ROBERTS
Okay, so this is for the T-shirt. This is for all the money, guys, for the ConversingLabs T-shirt. And Carolynn has pushed the first question, which is... actually, I think all the questions are on here, which is great. First one is: what was the name of the international effort to take down Emotet in early 2021? Global Defenders, Operation Ladybird, Project Take Down? All right.

CAROLYNN VAN ARSDALE
I think we're going to be nice today and say two out of three questions. You get two out of three questions right. We'll see... how everyone does.

PAUL ROBERTS
The second question is, which cybercrime group resurrected Emotet in late 2021? And the third question, when was Emotet first discovered? Okay, give people another minute or two, and then we'll review the answers.

DADO HORVAT
Somebody calling for answers.

PAUL ROBERTS
Okay, about 30 more seconds. This is for the T-shirt.

CAROLYNN VAN ARSDALE
Okay, I'll go ahead and end the poll.

PAUL ROBERTS
Sounds good.

CAROLYNN VAN ARSDALE
All right.

PAUL ROBERTS
Okay, so number one, what was the name of the international effort to take down Emotet in early 2021? We had two people say Operation Ladybird. One, Project Take Down. Carolynn, the correct answer?

CAROLYNN VAN ARSDALE
Operation Ladybird. We did not mention that at all during the discussion.

PAUL ROBERTS
I know. I was thinking that.

CAROLYNN VAN ARSDALE
That'll be the freebie. 

PAUL ROBERTS
That would be... right. That was a test question, just like in your SATs. That was one of the experimental questions. Two, which cybercrime group resurrected Emotet in late 2021? I think everybody answered the same, Conti, and that is, of course, the correct answer. And three, when was Emotet first discovered? 2020, 2018, 2014. And once again, everybody seems to think 2014. And in fact, that is when Emotet first emerged, in 2014. It's almost been eight years, which is really amazing. Thanks, everyone, for participating, and we will reach out to you to get information so that we can send you an exclusive ConversingLabs T-shirt. I wish I had the design that I could show you, but I'd have to go digging on my hard drive for it. But it's cool looking, and you won't regret it. Gentlemen, any closing words? Any final advice for folks on the call in terms of defending themselves against Emotet, Cobalt Strike? We have one additional question, actually. Yeah, an important one, and Carolynn just pushed that out, which is: if you're interested in any of the information and intelligence that we've been talking about here, I think we've got YARA rules, as well as some interesting threat intel on Emotet, let us know, and we will get that out to you.

PAUL ROBERTS
So, gentlemen, any final questions, any final comments or advice for the folks who are listening in?

DRAGAN DAMJANOVIC
Be vigilant and always keep looking.

PAUL ROBERTS
Okay? And Dado, any final thoughts?

DADO HORVAT
I consider myself lucky not to be on the side of targets for Emotet and to be in a more comfortable position where we can just observe how defenders are tackling the problem of Emotet and other strains that are attacking high-value targets. And hopefully we were interesting enough and everybody liked this section about our threat intelligence.

PAUL ROBERTS
Contact ReversingLabs. Yeah, we'll have information for you on doing that. And I think one thing that's really clear is, like, Emotet is something that is out there right now. It's not that, if you're just a big financial services company, this is something you're going to see; these attacks are pretty wide-ranging and targeting companies across different industry verticals and companies of different sizes. So you've got a really good chance of running into Emotet out there if you've got any kind of presence.

DRAGAN DAMJANOVIC
If you have an email, you will get them.

PAUL ROBERTS
All right? Hey, Dragan, Dado, thank you so much for joining us and telling us all about, educating us on, this really important threat, Emotet. It's been a pleasure.

DRAGAN DAMJANOVIC
Thank you for having us.

PAUL ROBERTS
Great. And for those of you who are online, this will be available offline. So we've recorded it, and we'll be posting it shortly. If you registered, you'll get a link to the video, and if you've got other folks you'd like to have watch it, we'll have a page up where they can register and watch the video afterwards. So thank you. Thanks, everyone, for joining, and we'll be back in a couple of weeks with another episode of ConversingLabs. Bye, everyone.

About Author: Paul Roberts

Content Lead at ReversingLabs. Paul is a reporter, editor and industry analyst with 20 years’ experience covering the cybersecurity space. He is the founder and editor in chief at The Security Ledger, a cybersecurity news website. His writing about cyber security has appeared in publications including Forbes, The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report, KPCC AirTalk, Fox News Tech Take, Al Jazeera and The Oprah Show.
