A Cyber ‘Vigilante’ is Sabotaging Emotet’s Return


During Black Hat USA 2020, Threatpost talks to Sherrod DeGrippo of Proofpoint about Emotet’s recent return, and how a cyber vigilante is attempting to thwart the malware’s comeback.

The banking trojan Emotet has returned after a five-month hiatus. But, in an amusing twist, one cyber vigilante is thwarting the malware’s comeback. Researchers say a mysterious vigilante is fighting the threat actors behind the malware’s comeback by replacing malicious Emotet payloads with whimsical GIFs and memes.

“Emotet was finding default username and password WordPress installs and hosting its payload there. What our vigilante hero is doing is they’re going around finding those WordPress installs where the Emotet payload has been hosted,” Sherrod DeGrippo, senior director of threat research and detection for Proofpoint, told Threatpost. Then, “They log in with that same username and password that the Emotet did, they delete a payload and they put up a hotlink to GIPHY.”

During a Black Hat USA 2020 virtual interview this week, DeGrippo talks to Threatpost about Emotet’s resurgence and why the botnet is expanding its partnership with the TrickBot malware to include QakBot – as well as critical infrastructure, election infrastructure and “people”-related phishing threats that you can expect to be discussed at Black Hat USA this week.


Below find a lightly edited transcript of this interview.

Lindsey O’Donnell-Welch: Hi, everyone. This is Lindsey O’Donnell-Welch with Threatpost, and I am joined today by Sherrod DeGrippo. Sherrod is the senior director of threat research and detection for Proofpoint, and she leads a worldwide malware research team that investigates advanced threats including phishing, emails and malware and everything else. So Sherrod, thank you so much for joining me today.

Sherrod DeGrippo: It’s good to see you, Lindsey. I’m sorry we’re not in person.

LO: I know, hopefully next year. Black Hat USA 2020 is this week, and one of the main tracks of the show is the malware track. And I know that this year there’s a ton of discussion around remote access trojans and malware that’s targeting macOS. And there’s a really interesting session around Cobalt Strike being used by an APT org operation that’s targeting semiconductor vendors, for instance. So a lot of really cool things that we’re seeing at the show. So I think this gives us a little bit of pretext into looking at some of the top malware trends that we’ve been seeing this past year, and really how those are evolving. So just to start, Sherrod, you know, Black Hat USA 2020 is a little different being virtual this year. But is there anything related to malware or other threats that we’re seeing that you’re really looking forward to seeing more discussion about at the show this year?

SD: I think that in terms of malware, we’re really interested in seeing how the threat actors are evolving as the network perimeter becomes less and less of an easy target. I think that’s something that – not to be overly optimistic – but I do think that the information security industry has been successful in securing our perimeters, securing our technology, securing our systems; the tools are there, the technology is there. If we leverage it and implement it, we’re doing really well. It’s the “people” aspects that we continually find is that spot that seems to be where a lot of attackers are able to get in. Leveraging social engineering, they can then, you know, launch a lot of attacks at scale, get into places they never could have gotten into before, simply by somebody being tricked into clicking on something. So we do see that still being an issue. And from the malware perspective, you mentioned the semiconductor side of it. Right after Black Hat last year, we detected clear state-sponsored activity targeting U.S. hydroelectric utility providers, and we’ve written about that extensively on FlowCloud and LookBack malware. And that’s something that I’m interested in understanding as well. We’re in a new situation where I think everyone really thought all the threat research is going to be around the election. Well, little did we know we have a global pandemic on our hands that’s leveraging the social engineering side of the pandemic. The election has almost taken a backseat in terms of COVID-19 being so omnipresent. So I’m interested in seeing that, I’m interested in seeing the targeting for critical infrastructure, for election infrastructure … and I want to know what else is out there.

LO: That’s such a good point about kind of the emotional side of things too, and the human toll here, because as you mentioned, with the pandemic and with the increase of remote workforces and everything else, that’s really creating an evolved threat landscape, particularly one that’s much different from what we saw in previous years at Black Hat USA and at DEF CON. I think that’s interesting. And, you know, I’m hearing we’re seeing a lot of the same malware and ransomware families that we’ve seen in the past, but that the attacks have become much more sophisticated, playing on those emotions of kind of high levels of stress and uncertainty. And attackers are really honing in on current events. Are you seeing that, and what are you really seeing with cyberattacks and how they’re evolving around the pandemic?

SD: So I think that’s absolutely right. It’s something that we started seeing at the end of January last year, when a lot of the social engineering lures really ended up talking about COVID-19. We saw everything from “your test results are ready” to “attached is the list of people who have been found positive for the virus that you have interacted with,” all the way to “your COVID-19 bill is attached.” So we’ve seen really the gamut of leveraging the pandemic as part of social engineering attacks that then come along with the malware. And in terms of the different threat types, ransomware has changed so much in the way that it operates. We were previously seeing Locky two, three years ago in massive volumes, one to three million messages a day a lot of the time, spreading ransomware as an attachment or a link that you would click. What we see a lot more now are these modular, flexible downloaders that the threat actors use to get them on a machine. And then they start to understand what that machine is, who’s using it, who the person that owns it might be, and then they make a decision of what that next-stage payload should be. I think in cases where they determine that that machine has some sort of high value or is at an organization or a government specifically that will pay, that’s when they deploy the ransomware. Now, if they see that as maybe a desktop machine that somebody uses for graphic design or tracking some kind of sales or something not as vital to the business, that’s when they might choose a different next-stage payload like a Trojan or, like you mentioned, remote access Trojans to get other things later.

LO: Right. Yeah, that definitely makes sense. Well, I want to ask too, let’s take a step back, and you know, in terms of Emotet, because I know that at Black Hat USA 2019 that was a big point of discussion when we had last talked, and I believe that in 2019 they had gone on this “hiatus” and then came back right after Black Hat USA 2019. And now with Black Hat USA 2020 coming up, they have also returned after a bit of a five-month disappearance. And so talk a little bit about Emotet, how it’s evolved over the past year and how it continues to evolve.

SD: Sure. So Emotet is one of those classics, I guess we could call it a classic at this point. It’s been around in various stages since 2014, when we started really tracking it at scale. And in the past year, they have had those breaks, they’ve said they’re going on holiday, and they don’t say that, but you know, they’ve taken that time off, and we don’t know where they go, of course, and they had not done a campaign since February 6 of 2020. And then came back July 17, for 161 days off the landscape in email. The botnet and the infrastructure was occasionally showing signs of life, but they weren’t inboxing, and inboxing is how they attempt to get their payload onto those machines. … What we’ve seen is that over the past 10 days or so since July 17, they’ve done a million and a half plus messages over that time span, primarily on Monday through Friday, nine to five for the local geography, and they are widespread. I have never seen them target vertically. I’ve never seen them target a specific type of person or a specific country; they send across the board with each of their campaigns. So US, UK, Canada, but we’ve also seen Brazil, Italy, Spain, United Arab Emirates. They use a pretty generic type of lure. Only in the past couple of days have we seen something that is very interesting, and it’s in fact an old lure. So they’re bringing back some of the tactics they used before; we haven’t seen a lot of evolution. We did see today, combining malicious Word documents with benign PDFs, probably an attempt to get some kind of evasion for technical controls, or to possibly trick people into clicking, more likely to click because they have two documents they need to review, one being bad, one being good. We also know that Emotet does testing. And so that is why it is one of those threats that’s watched so closely. They’ll throw out a test before they get into their big campaigns. And so we want to watch really closely what they’re doing. Because if they do those tests, then hopefully we can get ahead of it for the next run that they do for those campaigns.

LO: Right. And I’ve been hearing too that the Emotet botnet has also been downloading TrickBot and Qakbot, and some of the other ones. Is that what you’re seeing too, and is that more of the same of what they’ve done in the past, or is that different? What are you seeing there?

SD: So, you know, in the community that tracks Emotet – my researchers track it – we have sort of made jokes in the past that Emotet and TrickBot are best friends. They’re in a monogamous relationship. Emotet dropped TrickBot for so long, so consistently, that we just sort of started to say, “oh, Emotet is always going to drop TrickBot.” Well, now that they’re back, it’s doing more of Qakbot. And we’re not seeing as much TrickBot as we were seeing before. I don’t know why that is. Maybe they feel that Qakbot is a little bit more likely to get them the payload results that they want. But essentially, they haven’t been doing the TrickBot like they were before. And they’ve been using kind of the same email lures that they were before. So there isn’t a lot of evolution, which on the one hand seems – okay, they just came back as they were. But on the other hand, we sort of think, okay, if they didn’t evolve now, when will they evolve? And when will that start?

LO: Right, yeah, that’s a really interesting thing to note too. And I saw too that there were reports of a vigilante hacker who was sabotaging the operations of the campaign and replacing Emotet payloads with animated GIFs, which I thought was kind of a funny little tidbit there.

SD: So, yes, that person is our hero. So a lot of people have talked about this because it’s really been around and out there. So basically, the way that they’ve done this is Emotet leverages a lot of WordPress. So WordPress installs tend to be installed, the owner maybe doesn’t change the username and password, they’re left default, or they install some kind of vulnerable plugin. WordPress tends to be relatively insecure. A lot of threat actors use it. In this case, Emotet was finding those default username and password WordPress installs and is hosting the payload there. What our vigilante hero is doing is they’re going around finding those WordPress installs where the Emotet payload has been hosted. They log in with that same username and password that the Emotet did, they delete a payload and they put up a hotlink to GIPHY. And the ones that I’ve seen have been the “WTF guy” from the Blink-182 video and a shot of James Franco from that movie that he did about Kim Jong-Un. So they have a great sense of humor. But what I find really interesting about it is that they’re hotlinking to GIPHY. GIPHY is owned by Facebook. Facebook has a very well-known, well-respected security and intelligence team. What this means is that Facebook is now sitting on an incredible amount of telemetry about Emotet for every time that GIF is getting hit on the WordPress site. So if Facebook wants to share that back, I’m sure that people would be more than happy to enjoy the telemetry that Facebook now owns about Emotet.

LO: Wow. Yeah, that’s really interesting. I didn’t even think of that. So we will see there, but I also wanted to ask, do you see Emotet continuing to evolve in some sort of way that may surprise people, or what do you think the future is for Emotet in the coming year?

SD: It’s hard for me to imagine that they’ve lost their innovative spirit. I think that they will continue to evolve, they will continue to do testing and reinforce the things that work and discard the things that don’t, but it’s like anything, we have to sit and see. Ultimately, when you’re talking commodity crimeware, the goal of these actors and the goal of these campaigns is probably to make some money. And so they’ll lean toward whatever gets them the best payout.

LO: Great. Well, we will definitely be looking out for that for the rest of 2020. So, Sherrod, thank you so much for joining me today.

SD: Thanks for having me today, Lindsey, always good to see you.

LO: You as well. And to all of our viewers, thank you for listening in and if you liked what you heard or had any thoughts or questions, please comment below the video. Thank you.
