The old Emotet bank trojan has made headlines in recent weeks as a result of it being used to infect computers with QakBot bank malware. As of today, Emotet has been turned into a "dropper", as attackers have long been using this malware as a vector for entering and infecting computers.
Once the computer is infected with Emotet, this trojan is in charge of downloading the final malicious payload, which is generally another type of malware.
The malware family that had traditionally been used as the final payload was Trickbot, another modular banking trojan that steals bank credentials, in addition to stealing credentials from other services such as email accounts.
Due to the way in which it operates based on modules that allow it to easily expand its functionalities, Trickbot has also started to be used as a dropper, where it usually ends up infecting the computer with ransomware, in most cases Ryuk.
Although Trickbot can be used directly as a dropper without the need to use Emotet, which is often what takes place, in recent months Emotet has been frequently used as a dropper or loader of Trickbot, which is ultimately responsible for downloading and installing the Ryuk ransomware.
This loader-banker-ransomware trifecta has been one of the main threats in recent months, although it seems that this could change now that QakBot has entered the equation.
Different Players, Same Goal
Despite the fact that no ransomware attack has been detected at the end of recent infections in which the use of both Emotet and QakBot has been detected, there is a history of QakBot being used by attackers as an entry vector for ransomware, specifically we've seen ProLock ransomware infections that have occurred through initial QakBot infections, as we discussed a little while ago in one of our other posts.
QakBot may have entered the trifecta and is here to stay, but only time will tell if it will end up replacing Trickbot in this equation, with attacks that consist of a first phase in which Emotet acts as a dropper by downloading and installing QakBot, which could eventually infect the computer with ProLock to try to maximize the benefits obtained by the attackers after the possible theft of credentials and personal data.
It seems unlikely that Trickbot will be replaced by QakBot, due to all the possibilities offered by the first, seeing how the modularity of Trickbot seems to be more useful, especially if one of the final objectives is to end up carrying out a ransomware attack on the infected system.
This modularity makes this last step easier, although we already know that QakBot can also be used for the same purpose without any major difficulties.
As for the functionalities related to the theft of bank credentials, there don't seem to be any changes in the samples from the most recent campaigns in which it has been used together with Emotet.
The persistence and execution mechanisms remain the same, using an "explorer.exe" process in which malicious code is injected to avoid raising suspicions. We can see this clearly in the following analysis task of one of these samples carried out on the platform Any.run.
Execution of the sample on Any.run that leads to the execution of different threads
In the previous image of the execution on Any.run, we can see how different threads are being executed. The processes that include "/C" as the execution parameter are those that are in charge of executing the anti-analysis checks, which prevent the malware from running on a virtual machine.
As we can see, the process execution structure is repeated twice before executing the "explorer.exe" and injecting the malicious code into it.
This is because on the first occasion, the malware is installed in the "%APPDATA%" folder with a random name, while on the second occasion the binary copy is executed in said location.
Once this trojan is installed and running, it executes a console command that pings the local address of the machine itself, and ultimately copies the content of the "calc.exe" (Windows Calculator) binary to the initial malware binary, thus eliminating any visible trace for the user.
The "ping" command is used as an alternative to the "Sleep" function, achieving the same result by preventing the indicated timeout from not running in an automated analysis environment.
Emotet, a bank trojan that has been used as a dropper for months with the main objective of infecting the computer with another bank trojan called Trickbot, has started being used in a recent campaign to infect computers with a different bank trojan: QakBot.
However, this is nothing new, since we first saw a campaign in which attackers used Emotet and QakBot to infect their victims last year.
Although there have been no new campaigns until this most recent one in which both trojans have been involved, we can't rule out the possibility that this relationship between the two malware will continue to occur more frequently from now on.
Therefore, we must remain alert and closely follow all of the latest developments regarding Emotet and its new campaigns, since we never know when we will see new strategies and alliances by malware developers.