
Emotet Malware Resurfaces: Cyber Threat Intelligence Roundup

The resurgence of Emotet, the evolution of IcedID, and the new Alchimist framework targeting Windows, macOS, and Linux

Emerging Issue

Up first in the latest CTI Roundup is a look at the resurgence of the notorious Emotet malware and its botnet following its 2021 disruption at the hands of international law enforcement. Next, we investigate the various ways in which IcedID malware operators are experimenting with delivery tactics. Finally, we end things with a summary of recent reporting from Cisco Talos, which details the discovery of a new attack framework featuring the Alchimist C2 tool and new Insekt malware.

1. Emotet malware is back in the spotlight

A new report from VMware alleges that the threat actors behind the Emotet malware-delivery botnet have rebooted the notorious malware-as-a-service (MaaS) offering and equipped it with advanced evasion capabilities and other features.

The malware’s resurgence, which researchers observed beginning in January of 2022 following Emotet’s coordinated takedown in early 2021 at the hands of international law enforcement, signals its return to the landscape in the form of a persistent global threat – armed with lessons learned from its battle with the authorities.

Among other notable takeaways, VMware’s research highlights Emotet’s technological improvements in the wake of its period of forced inactivity. Those include:

  • Better infrastructure
  • Better anti-analysis countermeasures
  • Ability to support various attack goals
  • Constantly evolving attack patterns

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It’s been a while since Emotet made headlines. While most of the activity analyzed by VMware’s Threat Analysis Unit was observed starting in early 2022, the significance of Emotet’s resurgence should not be understated. If the assembly of an international task force made up of multiple global law enforcement agencies with a singular goal of taking down Emotet and its botnet wasn’t evidence of its status as a worldwide cyber threat, the fact that it survived the task force’s efforts and came back stronger — and more evasive than ever — surely is.”

“The ESET Research Twitter account recently published a thread in which its author acknowledged that the tweet represented the firm’s first Emotet update after three months of inactivity. The thread contains new indicators of compromise for one of Emotet’s updated modules. It’s not clear whether Emotet has been inactive for as long as the industry seems to think. Its operators may not have been launching constant attacks, although with so many advances in its evasive capabilities, they were most likely busy updating their product.”

2. Hackers behind IcedID malware attacks diversify delivery tactics

According to Team Cymru, the threat actors behind the IcedID malware phishing campaigns are now leveraging a wide array of distribution methods.

Several recent IcedID campaigns have been observed using slightly different infection pathways, which researchers believe is the threat actors’ attempt to determine what method works best against different targets.

What is the IcedID malware family?

IcedID malware, also known as BokBot, was first observed in early 2017 as a simple banking trojan. The malware later evolved, as such malware often does, to include malware dropping capabilities that enable it to download and deploy additional malicious payloads. IcedID is usually delivered via phishing campaigns or dropped as a secondary payload by other malware, most notably Emotet.

Recent IcedID campaigns leverage an assortment of different lure types and execution processes. Team Cymru researchers compared the different campaigns (all from September 2022) in an attempt to understand what metrics the threat actors may be trying to gather themselves — i.e., which methods have the greater return or work best in each campaign.

How is IcedID malware delivered?

Of the campaigns analyzed in September 2022, several different malware delivery methods were observed, including:

  • Password-protected ZIP with LNK
  • Password-protected ZIP without LNK
  • Maldoc
  • PrivateLoader
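For defenders triaging attachments of the kind listed above, the following added example (not from Team Cymru or Tanium) reads a ZIP's central directory to report encrypted members and shortcut or disk-image members without extracting anything. The extension list, flag names and sample archives are assumptions constructed for illustration; the `.iso` entry reflects the ZIP-to-ISO-to-LNK chain mentioned in the analyst comments below.

```python
import io
import zipfile

LURE_EXTS = (".lnk", ".iso")  # shortcut and disk-image members named on this page

def triage_zip(data: bytes) -> dict:
    """Summarise a ZIP attachment from its central directory, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    # Bit 0 of the general-purpose flag marks a member as encrypted. Member names
    # stay readable because ZipCrypto and WinZip AES encrypt only the file data.
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    lures = [i.filename for i in infos if i.filename.lower().endswith(LURE_EXTS)]
    flags = []
    if encrypted:
        flags.append("encrypted-content")  # content scanners cannot inspect it
    if lures:
        flags.append("shortcut-or-image-member")
    return {"members": len(infos), "encrypted": encrypted,
            "lure_members": lures, "flags": flags}

def constructed_zip(names, encrypted=False) -> bytes:
    """Build a constructed sample ZIP in memory. With encrypted=True the flag bit
    is set in each central-directory header to mimic a password-protected archive
    (the placeholder data itself is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02") if encrypted else -1
    while pos != -1:
        raw[pos + 8] |= 0x01  # low byte of the general-purpose bit flag
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)

if __name__ == "__main__":
    for names, enc in ((["invoice.pdf"], False), (["Scan/document.LNK"], True),
                       (["docs.iso"], True)):
        print(names, triage_zip(constructed_zip(names, enc))["flags"])
```

Because member names are visible even when the content is password-protected, a mail gateway can apply this check before any password is known.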

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Team Cymru observed that the campaigns contained many grammatical errors, which has resulted in fewer victims. This observation serves as further evidence of the value provided by robust phishing training and awareness programs which teach users to recognize such indicators of inauthenticity in emails, proving that such knowledge can make recipients far less likely to fall for phishing campaigns.”

“The other side to this is that the threat actors also realize the same thing, hence the decision among many of the more advanced threat actors to diversify delivery methods over a short time and evaluate the effectiveness of each.”

“Researchers believe that the zip file-to-iso file-to-lnk file was the most successful delivery method tried by the threat actors. Is this the method the threat actors will now rely on the most to deliver IcedID malware going forward? Maybe. Or maybe they’ll try something entirely different to catch researchers and security professionals off-guard. Time will tell, but the latter scenario coming to pass wouldn’t be surprising.”

“The only question left to ask is this: what will we learn from any of this, and how will we use it?”

3. New Alchimist attack framework targets Windows, macOS, and Linux

A recent report by Cisco Talos details the discovery of a new attack framework, including a command and control (C2) tool called Alchimist and a new malware called Insekt.

The all-inclusive framework is being actively used in attacks targeting Windows, macOS, and Linux systems. This discovery comes just a few months after the discovery of the Manjusaka framework, which researchers noted is similar to Alchimist.

What is Alchimist?

Alchimist is a 64-bit Linux executable written in the ever-popular GoLang. Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution, and run arbitrary commands.

About the Insekt implant

Insekt is a 64-bit implant written in GoLang that is compiled for Windows and Linux environments with many RAT capabilities – all of which are directed to execute by the Alchimist C2 server. The implant sets up multiple handlers for seven primary capabilities:

  • Get file sizes.
  • Get OS information.
  • Run arbitrary commands via cmd[.]exe.
  • Upgrade the current Insekt implant.
  • Run arbitrary commands as a different user.
  • Sleep for periods of time defined by the C2.
  • Start/stop taking screenshots.

Insekt has other capabilities, such as shellcode execution, port and IP scanning, SSH key manipulation, and proxying connections. The Linux variant of Insekt can list the contents of the “.ssh” directory in the victim’s home directory and add new SSH keys so that the attacker can communicate with the victim’s machine from the C2 over SSH. Insekt includes a module that can implement the different commands that can be issued by operators and a module that can conduct specific RAT actions on the infected endpoint.
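Since the Linux variant adds SSH keys for persistent access, one defensive check is to compare each account's authorized keys against an approved baseline. The following added example (not from Cisco Talos or Tanium) parses OpenSSH `authorized_keys` text, computes SHA256 fingerprints and reports any key that is not approved. It assumes the keys land in the standard `authorized_keys` file, and the sample keys, comments and baseline are constructed for illustration.

```python
import base64
import hashlib
import shlex
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # OpenSSH public key type names

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a decoded public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Parse key lines; unparseable lines get fp=None so they are never trusted."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # keeps quoted options (command="...") together
            i = next(n for n, f in enumerate(fields) if f.startswith(KEY_PREFIXES))
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (ValueError, StopIteration, IndexError):
            entries.append({"line": lineno, "fp": None, "comment": line})
            continue
        entries.append({"line": lineno, "type": fields[i], "fp": fingerprint(blob),
                        "options": " ".join(fields[:i]),
                        "comment": " ".join(fields[i + 2:])})
    return entries

def audit(text: str, approved_fps: set) -> list:
    """Return entries whose fingerprint is missing from the approved baseline."""
    return [e for e in parse_authorized_keys(text) if e["fp"] not in approved_fps]

def sample_key(seed: int, comment: str) -> str:
    """Constructed ed25519-shaped key line for the demo (not a real key)."""
    def field(b): return struct.pack(">I", len(b)) + b
    blob = field(b"ssh-ed25519") + field(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

ADMIN = sample_key(1, "admin@example.test")
UNKNOWN = sample_key(2, "unknown@example.test")
SAMPLE = f"# constructed sample\n{ADMIN}\nno-pty,command=\"/usr/bin/true\" {UNKNOWN}\n"
APPROVED = {fingerprint(base64.b64decode(ADMIN.split()[1]))}

if __name__ == "__main__":
    for e in audit(SAMPLE, APPROVED):
        print(f"line {e['line']}: unapproved key {e['fp']} ({e['comment']})")
```

Matching on fingerprints rather than comments matters because the comment field is free text that whoever adds a key can set to anything.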

Additional tools to be aware of

Cisco Talos highlighted some other tools for the elevation of privileges and eventual exploitation of MacOSX platforms. The source code for two of the tools can be found on GitHub: Fast reverse proxy (frp), which is used for data exfiltration, and Fscan, which is an intranet scanning tool.

  • MacOSX exploitation: The Mach-O file discovered in the open directory is another GoLang executable that is embedded with an exploit and a bind shell backdoor. The dropper has an exploit for privilege escalation in polkit’s pkexec utility. However, this utility is not installed on MacOSX by default, meaning the privilege escalation is not a guarantee.
  • Scriptlet: Alchimist can also generate scripts to be used in the first stage of infections. One script found by researchers was called “down[.]sct” which downloads the Insekt implant from a particular URL.
  • Shellcode: Researchers discovered Meterpreter shellcode in a file named “shell[.]msi”. It carries a malicious configuration containing the host and port details the shellcode uses to connect to a specific IP address.

Alchimist shares similarities with Manjusaka, another attack framework

Cisco Talos discovered a standalone C2 server, which the authors call Alchimist, and its corresponding implants that the authors call the Insekt RAT family. And just a few months ago, Cisco Talos discovered another self-contained framework called Manjusaka. Both frameworks, although implemented in separate ways, follow the same overall design philosophy, and seem to have the same list of requirements. The frameworks have been designed and implemented to operate as standalone GoLang-based executables that can be distributed with relative ease, both leverage a Simplified Chinese web interface, and both mention the uncommon protocol SNI.

The largest differences between Manjusaka and Alchimist are in the approach taken to implement the web user interface and the way they implement the single-file feature. Manjusaka developers take advantage of the Gin web framework and use packr, an asset bundling framework, to embed and store the implants. Alchimist authors took a more basic approach, using only the basic GoLang features to implement the same features.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The many similarities between Manjusaka and Alchimist along with the short amount of time between the emergence of each framework may point to a new trend, which is the use of all-inclusive or ready-to-go C2 frameworks.”

“These frameworks are attractive to cybercriminals due to their ability to be used for a wide variety of functions, including both remote administration and command and control.”

“Cisco Talos sums it up nicely, ‘A threat actor gaining privileged shell access on a victim’s machine is like having a Swiss Army knife, enabling the execution of arbitrary commands or shellcodes in the victim’s environment, resulting in significant effects on the target organization.’”

“Evidence of the attractiveness to threat actors of such all-inclusive frameworks could be seen in various reporting released over the past week or so. CTI also covered a Trend Micro story describing how QAKBOT — an effective malware loader/dropper — has begun facilitating the delivery of second-stage payloads such as Brute Ratel, a commercially available adversary emulation framework, and the ubiquitous Cobalt Strike, a more established framework, all in support of the eventual deployment of Black Basta ransomware.”

“As the various leaked versions of Cobalt Strike have inevitably led to less fruitful campaigns (a high detection coverage rate for Cobalt Strike is the unavoidable result of an over-used and over-publicized tool being repeatedly leveraged by threat actors), attackers have begun to turn to newer frameworks with increased capabilities. Newcomers like Alchimist and Brute Ratel are becoming increasingly attractive options for use in attacks in which threat actors seek to remain undetected for longer periods of time. We expect to see such frameworks continuing to take an increasing share of the C2/adversary emulation framework market.”


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
