tl;dr: Emotet
The (slighty) longer story:
On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Please find first results and IOCs below. Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.
We are still conducting more in-depth analyses to raise the confidence even further. New information will be provided as they become available.
Initial Analysis
Sunday, November 14, 9:26pm: first occurence of the URLs being dropped; the URL we received was hxxp://141.94.176.124/Loader_90563_1.dll
(SHA256 of the drop: c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01
). Internal processing detected Emotet when executing the sample in our sandbox systems. Notably, the sample seems to have been compiled just before the deployment via several Trickbot botnets was observed: Timestamp : 6191769A (Sun Nov 14 20:50:34 2021)
The network traffic originating from the sample closely resembles what has been observed previously (e.g. as described by Kaspersky): the URL contains a random resource path and the bot transfers the request payload in a cookie (see image below). However, the encryption used to hide the data seems different from what has been observed in the past. Additionally, the sample now uses HTTPS with a self-signed server certificate to secure the network traffic.
A notable characteristic of the last Emotet samples was the heavy use of control-flow flattening to obfuscate the code. The current sample also contains flattened control flows. To illustrate the similarity in the style of the obfuscation, find two arbitrary code snippets below. Left side is a sample from 2020, on the right is a snippet from the current sample:
Conclusion (so far)
As per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet – seems to be Emotet.
We are currently updating our internal tooling for the new sample to provide more indicators to strengthen the claim that Emotet seems to be back.
IOCs
URLs: hxxp://141.94.176.124/Loader_90563_1.dll Hashes: c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01 - Loader_90563_1.dll Server List: 81.0.236.93:443 94.177.248.64:443 66.42.55.5:7080 103.8.26.103:8080 185.184.25.237:8080 45.76.176.10:8080 188.93.125.116:8080 103.8.26.102:8080 178.79.147.66:8080 58.227.42.236:80 45.118.135.203:7080 103.75.201.2:443 195.154.133.20:443 45.142.114.231:8080 212.237.5.209:443 207.38.84.195:8080 104.251.214.46:8080 138.185.72.26:8080 51.68.175.8:8080 210.57.217.132:8080 String List: SOFTWARE\Microsoft\Windows\CurrentVersion\Run POST %s\rundll32.exe "%s",Control_RunDLL Control_RunDLL %s\%s %s\%s %s\%s%x %s%s.exe %s\%s SHA256 HASH AES Microsoft Primitive Provider ObjectLength KeyDataBlob %s\rundll32.exe "%s\%s",%s Content-Type: multipart/form-data; boundary=%s RNG %s%s.dll %s\rundll32.exe "%s",Control_RunDLL %s%s.dll %s\regsvr32.exe -s "%s" %s\%s %s%s.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run %s\rundll32.exe "%s\%s",%s ECCPUBLICBLOB ECDH_P256 Microsoft Primitive Provider ECCPUBLICBLOB Cookie: %s=%s %s\rundll32.exe "%s\%s",%s %s:Zone.Identifier %u.%u.%u.%u %s\%s %s\* %s\%s WinSta0\Default %s\rundll32.exe "%s",Control_RunDLL %s %s%s.dll ECCPUBLICBLOB ECDSA_P256 Microsoft Primitive Provider %s\%s SHA256 Microsoft Primitive Provider ObjectLength