Introduction to Malware Analysis and Emotet
Introduction
Malware analysis is the practice of examining malware to understand how it works, how it can be identified, and how it can be removed or mitigated. In an enterprise context, the goals are usually to determine how the infection took place and to locate every infected machine on the network. In a real-world case the analyst typically has nothing but the malware executable, which is not human-readable, so a range of tools and techniques is used to build a bigger picture of what the sample does. There are two broad approaches: static analysis and dynamic analysis.
Static Analysis
Under basic static analysis, the malware executable is examined without running it. This technique is straightforward and quick. Against complex or advanced malware (packed or obfuscated samples, for example) it is far less effective, because behavior that only appears at run time is missed. Basic static analysis can be used to:
- Confirm whether a file is malicious.
- Obtain information about a malware’s functionality.
- Produce simple network signatures.
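The three uses above, carried out on a sample, as an added example that is not part of the original post. The "executable" is a constructed byte string standing in for a dropped PE file, the suspicious-API list is an assumption, and the Snort-style rule is illustrative text that has not been loaded into a sensor. The `mutate` step also shows why a file hash is a weak signature: one changed byte breaks the hash, while the embedded URL and imports still come out.

```python
"""Basic static triage of a suspected malicious executable.

Added example, not code from the original post: the sample below is a
constructed byte string that stands in for a dropped PE file, and the
indicator list and rule text are illustrative assumptions.
"""
import hashlib
import re
from typing import Any, Dict, List
from urllib.parse import urlparse

# Constructed stand-in for a Windows PE file: the 'MZ' magic, non-printable
# filler, and a few embedded strings of the kind triage looks for.
FILLER = b"\x00\x01\x02\x03\xff\xfe\xfd" * 16
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + FILLER
    + b"kernel32.dll\x00URLDownloadToFileA\x00WinExec\x00"
    + b"http://203.0.113.45/update/loader.bin\x00"
    + b"CreateRemoteThread\x00" + FILLER
)

# Win32 APIs that are legitimate on their own but typical of downloaders
# and injectors, so their presence warrants a closer look (assumed list).
SUSPICIOUS_APIS = {
    "URLDownloadToFileA", "WinExec", "CreateRemoteThread",
    "VirtualAllocEx", "WriteProcessMemory", "ShellExecuteA",
}
URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> Dict[str, Any]:
    """Hashes plus the network and API indicators visible without execution."""
    strings = extract_strings(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "urls": sorted({m.group().decode() for m in URL_RE.finditer(data)}),
        "ipv4": sorted({m.group().decode() for m in IPV4_RE.finditer(data)}),
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
    }


def network_signature(report: Dict[str, Any]) -> str:
    """Turn the first extracted URL into a simple Snort-style rule on the URI path.

    Illustrative only: sid and msg are placeholders.
    """
    urls = report["urls"]
    if not urls:
        return ""
    path = urlparse(urls[0]).path
    return (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"Possible loader download"; flow:to_server,established; '
        f'content:"{path}"; http_uri; sid:1000001; rev:1;)'
    )


def mutate(data: bytes, offset: int = 4) -> bytes:
    """Flip one filler byte, as a repack or polymorphic rebuild would."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


if __name__ == "__main__":
    original = triage(SAMPLE)
    rebuilt = triage(mutate(SAMPLE))
    print("sha256 unchanged after rebuild:", original["sha256"] == rebuilt["sha256"])
    print("URL still extracted after rebuild:", original["urls"] == rebuilt["urls"])
    print(network_signature(original))
```

Run it on a real file by replacing `SAMPLE` with `open(path, "rb").read()`; the hash goes to the threat-intel lookup, the URL and IP become network blocks, and the rule is a starting point for the IDS, not a finished signature.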
Under advanced static analysis, the executable is reverse engineered by loading it into a disassembler, which shows the analyst exactly what the malware does. Compared with basic static analysis it is considerably more demanding, since it requires specialized knowledge of disassembly, code constructs and operating system internals.
Dynamic Analysis
Under basic dynamic analysis, the malware executable is run in an isolated virtual machine or sandbox with no path to the production network, so that its behavior on the system (files written, registry keys changed, processes spawned, network connections made) can be observed. The results are used to:
- Remove the infection.
- Produce effective signatures.
Under advanced dynamic analysis, a debugger is attached to the running executable to observe its internal state, which is needed when monitoring behavior from the outside is not enough.
Emotet
Emotet can be considered one of the most dangerous malware families of recent history. First discovered as a banking Trojan in 2014, Emotet has since spread mainly through spam e-mail, victimizing individuals and organizations alike. The goal of the original banking Trojan was to gain access to devices, spy on sensitive information and send it back to the criminals operating it. Because it carries worm-like spreading capabilities, the malware can move through a network and attempt to infect other computers as well.
Emotet still spreads mostly through spam e-mail. However, it has evolved from a plain banking Trojan into a dropper / loader: it now delivers other malware onto infected devices, and that second-stage malware is responsible for the actual damage. Emotet is therefore much more than a simple piece of malware.
Emotet’s Architecture
Emotet is polymorphic: its code changes with each new build, so the bytes delivered to one victim differ from those delivered to the next. Most antivirus products rely on signatures of known malware code, so a fresh Emotet sample has a good chance of going undetected. Indicators that survive such changes (network infrastructure, behavior, reused strings) are therefore more useful to defenders than file hashes.
Initially, Emotet victims were only seen on recent versions of Microsoft Windows. Over time, however, it was reported that Apple computer users had also fallen victim to Emotet.
Emotet is particularly dangerous because it downloads a set of smaller modules after the initial infection. Many of these modules can wreak havoc inside an organization (for example, Server Message Block (SMB) based spreaders). Worse, they drop even more potent threats onto the infected computer, such as remote access Trojans and ransomware.
Emotet’s Chain of Infection
Emotet spreads in three main ways:
- Through a Word document attached to an e-mail, once the victim enables macros.
- Through a Word document downloaded via a link in an e-mail, once the victim enables macros.
- Through a Word document downloaded via a link embedded in a PDF attached to an e-mail, once the victim enables macros.
In every case the infection only proceeds after the user enables macros, so the macro prompt is the decisive point of the chain.
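All three routes end with a Word document that carries a VBA project, so the first gateway check is the same in each case: does the attachment contain one? The script below is an added example, not code from the original post. It constructs a minimal macro-enabled and a plain OOXML package in memory (no real lure is used), checks for the `word/vbaProject.bin` part and the macro-enabled content type, and flags legacy binary `.doc` files, where the same check does not apply because macros live in OLE streams rather than in a zip.

```python
"""Macro check for Word attachments in the Emotet delivery chain.

Added example, not code from the original post. The documents are
constructed in memory; no real lure is used. The part names and content
types are the standard OOXML ones a macro-enabled .docm carries.
"""
import io
import zipfile
from typing import Any, Dict

# Magic of the legacy OLE compound file used by binary .doc lures.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)


def build_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML Word package (a real lure is far larger)."""
    main_type = MACRO_MAIN_TYPE if with_macros else PLAIN_MAIN_TYPE
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" '
        'ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_macros else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", content_types)
        package.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes; a real vbaProject.bin is itself an OLE file.
            package.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 32)
    return buf.getvalue()


def inspect_attachment(data: bytes) -> Dict[str, Any]:
    """Report whether a file is OOXML with a VBA project, legacy OLE, or neither."""
    report: Dict[str, Any] = {
        "container": "unknown",
        "has_vba_project": False,
        "macro_enabled_type": False,
        "parts": [],
    }
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: macros live in OLE streams, not in a zip, so a dedicated
        # parser (oletools' olevba, for instance) is needed for the next step.
        report["container"] = "ole"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        names = package.namelist()
        report["container"] = "ooxml"
        report["parts"] = names
        # Check the part itself, not the extension: a .docm renamed to .docx
        # still carries word/vbaProject.bin.
        report["has_vba_project"] = any(
            n.lower().endswith("vbaproject.bin") for n in names
        )
        if "[Content_Types].xml" in names:
            types_xml = package.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_enabled_type"] = MACRO_MAIN_TYPE in types_xml
    return report


def verdict(report: Dict[str, Any]) -> str:
    """Collapse the report into a mail-gateway decision."""
    if report["has_vba_project"] or report["macro_enabled_type"]:
        return "macro"        # quarantine and analyze the VBA
    if report["container"] == "ole":
        return "legacy-ole"   # zip check cannot decide; inspect OLE streams
    if report["container"] == "ooxml":
        return "clean"
    return "unknown"


if __name__ == "__main__":
    for label, blob in (("lure.docm", build_docx(True)), ("memo.docx", build_docx(False))):
        print(label, verdict(inspect_attachment(blob)))
```

The check is deliberately structural: it does not try to judge what the macro does, only whether one is present, which is enough to quarantine inbound Word attachments from outside the organization and hand them to an analyst.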
Until it was taken down in January 2021 by an international law enforcement operation coordinated by Europol and Eurojust, Emotet had a persistent presence in the malware world. Throughout its evolution it became more and more advanced, and one of the worst nightmares of security analysts globally. From a mere Trojan it ended up as a dropper that delivered multiple other malicious modules to carry out criminal activity. Although Emotet is now considered "gone", it may only be a matter of time before it resurfaces, more advanced and better equipped than ever. Instead of letting their guard down, analysts should remain vigilant and watch for any sign of its return. Since an organization is only as secure as its weakest link, its people, good cyber hygiene and user awareness must remain vital components of its cyber security strategy.
This review was done as an assignment submission for the 4th Year — 2nd Semester module, Information Warfare (IW) of Sri Lanka Institute of Information Technology.