Payload extractor
6/12/2023

The Emotet actors have regained their power to launch attacks since the Emotet botnet was taken down in 2021. VMware's NSX Sandbox detected a series of waves of such attacks in January of this year. More details about the attacks can be found in our recent reports (Emotet Is Not Dead (Yet), part 1 and part 2).

The Emotet botnet is known to use many command-and-control (C2) servers to keep communication open between the infected machines and the botnet's herders. Providing visibility into the C2 configuration of Emotet payloads can help in many ways, from detection to threat hunting.

In this report, we first discuss the steps to extract the C2 configuration from Emotet payloads via a combination of dynamic and static analysis, including decrypting and dumping the embedded Emotet payload from the initial DLL payload dropped by documents, and the actual extraction of the C2 configuration contained in the decrypted Emotet payload. We then propose a process to automate the configuration extraction steps by leveraging the NSX Sandbox, which allows us to extract the C2 configuration from Emotet payloads at scale. In the final part, we provide an analysis of the most distinctive aspects of the C2 configurations extracted from recent Emotet campaigns.

This is a technical report containing our analysis of some Emotet attacks taking place in Q1 2022. It covers:

- How to decrypt and dump the internal DLL from the initial Emotet DLL payload.
- How to extract the C2 configuration contained in the internal DLL.
- Analysis of the C2 configuration data extracted from over 2000 dropped DLL payloads.
- Characterization of the network infrastructure of the botnets.

Emotet is a sophisticated botnet that comprises a few subgroups or sub-botnets, called "epochs." Each epoch has its own C2 infrastructure and distribution methods. As discussed in a report published in 2019, different epochs may be used to target different countries with different payloads. At the time of writing, there are five epochs (labeled Epoch 1, Epoch 2, and so on). Epoch 1, Epoch 2, and Epoch 3 were mostly seen before the botnet was taken down in early 2020; Epoch 4 and Epoch 5 were introduced after Emotet resurfaced. The epoch number of a sample is typically identified by the public encryption key(s) contained in the C2 configuration of the sample.

Though Emotet samples of different epochs keep their configuration data in different formats, they all share one common approach: the configuration is stored in an encrypted DLL (hereinafter referred to as "the internal DLL") that is embedded into the executable payload (called "the payload"). Figure 1 illustrates the C2 configuration extraction process for a given Emotet attack.