Emotet is a well-known banking trojan, first identified in August 2014, that remains active today. This malware family is designed to steal financial information from victims through a Man-in-the-Browser attack. Emotet can also load a module that steals the Outlook address book and perform denial-of-service attacks against other network assets. Some of its variants use a time-based Domain Generation Algorithm (DGA).
The Maltiverse IoC search engine allows security researchers to get a set of indicators for this threat with this simple query:
We perform a first aggregation of the data (the equivalent of GROUP BY in SQL) to obtain the number of documents the search returns per type. To do this, in the aggregation multi-selector we choose the field “type”:
A new tab opens with the results. Results of type Sample, Hostname, Ip, and URL are observed:
Given this data grouped by IoC type, it is possible to filter the search for each of them and conduct several investigations in isolation in order to obtain relevant findings based on the relationships between the information.
For the next investigation we consider only observables of type hostname, adding the string “AND type:hostname” to the previous query:
Next, we perform an aggregation for ALL possible fields in order to check if the set of hostnames has any common characteristic. To do this we click on “Select all” in the multi-selection field. This action will make a grouping tab for each of the fields of the data model and will only leave open those tabs that offer results:
In the results grouping tab for the field “as_name.keyword” we can now see a very remarkable concentration of hostnames reported as related to Emotet in the autonomous system AS32748 Steadfast:
The TLD tab also shows a high concentration of values, especially in .eu and also in .com:
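The pivot described in the previous steps (aggregate by “type”, filter to hostnames, then aggregate on every field and keep only the fields that show a concentration) can be reproduced over any set of IoC records. The following is an added example, not part of the original post and not Maltiverse code; the records are constructed for illustration and the field names (`type`, `as_name`, `tld`) are assumed to follow the data model the text mentions.

```python
from collections import Counter

# Constructed IoC records mimicking the shape of search results described in the
# post (type, as_name, tld). Values are invented, not data from Maltiverse.
SAMPLE_IOCS = [
    {"type": "sample", "sha256": "constructed-hash-1"},
    {"type": "sample", "sha256": "constructed-hash-2"},
    {"type": "ip", "ip": "192.0.2.10", "as_name": "AS64496 ExampleNet"},
    {"type": "url", "url": "http://example.invalid/doc.php"},
    {"type": "hostname", "hostname": "abcdefghijklmnop.eu", "as_name": "AS32748 Steadfast", "tld": "eu"},
    {"type": "hostname", "hostname": "qwertyuiopasdfgh.eu", "as_name": "AS32748 Steadfast", "tld": "eu"},
    {"type": "hostname", "hostname": "mnbvcxlkjhgfdsap.eu", "as_name": "AS32748 Steadfast", "tld": "eu"},
    {"type": "hostname", "hostname": "updates.example.com", "as_name": "AS32748 Steadfast", "tld": "com"},
    {"type": "hostname", "hostname": "mail.example.com", "as_name": "AS64496 ExampleNet", "tld": "com"},
]


def aggregate(records, field):
    """Group records by one field and count them (one 'aggregation tab')."""
    return Counter(r[field] for r in records if field in r)


def filter_records(records, **criteria):
    """Keep only records whose fields equal the given values (e.g. type='hostname')."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def concentrated_fields(records, min_share=0.5):
    """Aggregate on every field present ('Select all') and keep the fields where a
    single value accounts for at least min_share of the records, returning
    field -> (value, count, total). Unique-per-record fields drop out naturally."""
    fields = sorted({k for r in records for k in r})
    result = {}
    for field in fields:
        counts = aggregate(records, field)
        total = sum(counts.values())
        value, n = counts.most_common(1)[0]
        if n / total >= min_share:
            result[field] = (value, n, total)
    return result


if __name__ == "__main__":
    print("by type:", dict(aggregate(SAMPLE_IOCS, "type")))
    hosts = filter_records(SAMPLE_IOCS, type="hostname")
    for field, (value, n, total) in concentrated_fields(hosts).items():
        print(f"{field}: {value!r} in {n}/{total} hostnames")
```

With the constructed data the `as_name` and `tld` fields surface the same kind of concentration the post observes (most hostnames in one autonomous system, most under one TLD), while the `hostname` field, being unique per record, never qualifies.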
We limit the search again, this time filtering by the TLD .eu: “Emotet AND type: hostname AND tld: eu”:
Reviewing the resulting set of hostnames, it can be concluded that they all appear to be 16 characters long and consist only of characters from “a” to “y”:
The regular expression that therefore defines this DGA is:
In fact, adding the regular expression to the search returns the same number of results:
A DGA is thus identified and defined for the Emotet banking Trojan domains registered under the Top Level Domain .eu. The actors behind this limited campaign are registering the effective DGA domains pointing to the same autonomous system (AS32748 Steadfast).
In the event that an organization may be repeatedly affected by this threat, the following actions could be considered:
1) Creation of a Snort/Suricata/IDS rule that detects name resolutions matching the defined regular expression.
2) Blocking of the IoCs related to the threat. The list of indicators can be extracted from the Maltiverse IoC search. Exports to commercial formats are on the development roadmap.
3) Searching for these IoCs in SIEMs/Data Lakes for the retroactive identification of possible infections.
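The regular expression derived from the hostname characteristics described earlier (16 characters, letters “a” to “y”, under .eu) and the retroactive search of step 3 can be demonstrated together. The following is an added example, not part of the original post and not Maltiverse code: the regex is our reading of that description rather than the expression shown on the page, and the DNS query log lines are constructed (BIND-style query log layout, invented clients and names).

```python
import re

# Regular expression built from the description in the post: exactly 16
# characters from "a" to "y", under the .eu TLD. Assumption: this matches the
# pattern the page describes; it is not copied from the original page.
EMOTET_EU_DGA = re.compile(r"^[a-y]{16}\.eu$", re.IGNORECASE)

# Constructed DNS query log lines (format modelled on a BIND query log).
SAMPLE_DNS_LOG = """\
12-Mar-2019 10:01:02.123 client 10.0.0.15#51234: query: abcdefghijklmnop.eu IN A + (10.0.0.1)
12-Mar-2019 10:01:05.456 client 10.0.0.15#51240: query: www.example.com IN A + (10.0.0.1)
12-Mar-2019 10:02:11.789 client 10.0.0.22#51310: query: qwertyuiopasdfgh.eu IN A + (10.0.0.1)
12-Mar-2019 10:02:15.001 client 10.0.0.22#51312: query: abcdefghijklmno.eu IN A + (10.0.0.1)
12-Mar-2019 10:03:00.000 client 10.0.0.31#51400: query: zzzzzzzzzzzzzzzz.eu IN A + (10.0.0.1)
12-Mar-2019 10:03:30.500 client 10.0.0.31#51402: query: abcdefghijklmnop.com IN A + (10.0.0.1)
"""

# Extracts the querying client and the queried name from one log line.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def is_dga_candidate(hostname):
    """True if the hostname fits the .eu DGA pattern (trailing dot tolerated)."""
    return bool(EMOTET_EU_DGA.match(hostname.strip().rstrip(".")))


def matching_count(hostnames):
    """How many of a hostname list fit the pattern; used to confirm, as the post
    does, that a candidate set and the regex-filtered set are the same size."""
    return sum(1 for h in hostnames if is_dga_candidate(h))


def find_dga_queries(log_text):
    """Retroactive search over DNS query logs: returns (client, qname) pairs
    whose queried name matches the DGA pattern. Lines that do not parse are
    skipped rather than raising."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_dga_candidate(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").lower()))
    return hits


def affected_clients(log_text):
    """Distinct clients that resolved a DGA-pattern name, for triage."""
    return sorted({client for client, _ in find_dga_queries(log_text)})


if __name__ == "__main__":
    for client, qname in find_dga_queries(SAMPLE_DNS_LOG):
        print(f"{client} resolved DGA candidate {qname}")
    print("clients to triage:", affected_clients(SAMPLE_DNS_LOG))
```

The sample log deliberately includes near misses (a 15-character label, a label containing “z”, the same 16-character label under .com) so the match stays as narrow as the description: only the two .eu names of exactly 16 characters from “a” to “y” are reported, and each client that resolved one is listed once. The same anchored expression is what you would carry into the IDS rule of step 1.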