Blog

A l'intérieur du SOC

Darktrace AI détecte et répond à la campagne de malspam sortant d'Emotet

Darktrace AI détecte et répond à la campagne de malspam sortant d'EmotetDefault blog imageDefault blog image
28
Apr 2022
28
Apr 2022


In January 2021, it was lauded that an international collaborative law enforcement operation had successfully dismantled Emotet’s infrastructure. This was one of the most prolific malware and banking Trojans which led to sensitive data loss, significant financial loss and reputational damage for its victims since early deployment in 2014.1

However, since November 2021, there have been signs of Emotet’s resurgence. Emotet has supposedly leveraged its former partner operators such as Trickbot, also discussed in another Darktrace blog, to rebuild its infrastructure by using already infected machines to download the new Emotet binary.2

Early signs of Emotet’s return appear to be synonymous with its original kill chain and attack vectors. Malware is deployed, compromising a device as a zombie machine. This device is then used to send outbound malspam campaigns. These campaigns can be masked as application installer packages or fake reply email chains to give the spam credibility. Once the malware spreads through this spam, it then attempts to infect other devices – both internally and outbound in other networks.3

In February 2022, Darktrace detected elements of this kill chain in a customer’s environment, notably observing the large volume of SMTP connections which are characteristic of an outbound spam campaign.

Figure 1: Timeline of attack showing the Emotet intrusion progress along the kill chain
Figure 2: A screenshot from VirusTotal, showing that the rare endpoint has been flagged as malicious by other security vendors


Bypassing the rest of the security stack

The attack used Living-off-the-Land techniques by making PowerShell connections via pre-existing user agents within the network. As PowerShell connections can be used for legitimate reasons, this activity appeared to bypass the rest of the customer’s security stack and was likely seen as approved by their tools. However, Darktrace detected that the device was using the PowerShell user agent to connect to an external location. This is rare in comparison to wider network behavior.

The customer’s pre-existing security did not block the outgoing SMTP connections made by the compromised device on unusual ports. However, Darktrace Antigena blocked 71% of outgoing connections on mail ports 25 and 587, significantly reducing the scale of the spam dissemination.

Darktrace insights and services

Darktrace quickly detected a range of anomalous behaviors from the new PowerShell use, uptake in C2 beaconing activity and spam. This can be highlighted via the spike in model breaches (Figure 3). Darktrace’s Cyber AI Analyst also launched an investigation into the device’s suspicious network scanning activity. This was essential for generating an incident summary which outlined the investigation process and technical details needed for the organization’s security team to act quickly (Figure 4).

Throughout the incident, Antigena autonomously responded to the initial breach device to enforce its ‘pattern of life’ without interrupting business processes. This significantly reduced the scope of the compromise by halting further lateral movement. In response to the malicious outbound email spam, Antigena enforced the device’s usual ‘pattern of life’ for thirty minutes and blocked connections to ports 25, 80 and 587 for one hour (Figure 5). Against the command-and-control activity, connections to 91.207.181[.]106 via port 8080 were also blocked for three hours.

The customer’s subscription to Darktrace’s Proactive Threat Notification (PTN) and Ask the Expert (ATE) services meant that this compromise was assisted by additional triage and alerting. PTN ensured that the Darktrace SOC team were quickly alerted to the breach, enabling analysts to perform a detailed investigation alongside the customer’s own security team. Simultaneously, the ATE service ensured the customer was provided with additional information to ensure the threat was less likely to happen again. This equipped the team with the vital information needed for them to act, and to restore quickly and precisely.

Figure 3: Darktrace reveals an anomalous spike in the device’s activity and associated model breaches during the attack period, represented by the dots on the graph


Figure 4: Excerpt of the AI Analyst report of the breach device’s network scanning activity
Figure 5: Antigena Network blocking external connection activity and enforcing the device’s ‘pattern of life’


The resurgence of Emotet shows how email continues to act as a crucial attack vector and source of compromise. In particular, widespread malspam campaigns remain adaptable and effective. The incident in this blog is yet another example highlighting the alarming mutability and networked nature of malware organizations. This allows them to return, even long after their dismantling. Fortunately, in this incident, Autonomous Response enabled this Emotet compromise to be minimized, while PTN and ATE services alerted and further supported the security team throughout.

Appendix

Darktrace model breaches

·    Device / Multiple Lateral Movement Model Breaches

·    Device / Large Number of Model Breaches

·    Device / Suspicious Network Scan Activity

·    Device / Network Scan

·    Device / External Address Scan

·    Device / Multiple C2 Model Breaches

·    Device / Large Number of Connections to New Endpoints

·    Device / Increased External Connectivity

·    Device / New User Agent and New IP

·    Device / New PowerShell User Agent

·    Compromise / Suspicious Beaconing Behavior

·    Compromise / Beacon to Young Endpoint

·    Compromise / Agent Beacon to New Endpoint

·    Compromise / Sustained SSL or HTTP Increase

·    Compromise / Suspicious Spam Activity

·    Anomalous Connection / Possible Outbound Spam

·    Anomalous Connection / Suspicious Expired SSL

·    Anomalous Connection / Rare External SSL Self-Signed

·    Anomalous Connection / Suspicious Self-Signed SSL

·    Anomalous Connection / Anomalous SSL without SNI to New External

·    Anomalous Connection / PowerShell to Rare External

·    AI Analyst / AI Analyst Investigation

·    Unusual Activity / Unusual External Activity

IoCs

MITRE ATT&CK Techniques Observed

Footnotes

1. https://www.cisa.gov/uscert/ncas/alerts/TA18-201A

2. https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/

3. https://www.kaspersky.com/resource-center/threats/emotet

More in this series:

Aucun élément trouvé.

Vous aimez ça et en voulez plus ?

Recevez le dernier blog dans votre boîte de réception
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.
DANS LE SOC
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Zoe Tilsiter
Cyber Analyst
share this article
CAS D'UTILISATION
Aucun élément trouvé.
PLEINS FEUX SUR LES PRODUITS
Aucun élément trouvé.
Couverture de base
Aucun élément trouvé.
Cet article
Darktrace AI détecte et répond à la campagne de malspam sortant d'Emotet
Partager
Twitter logoLinkedIn logo

Articles connexes

Aucun élément trouvé.

Bonne nouvelle pour votre entreprise.
Mauvaise nouvelle pour les méchants.

Commencez votre essai gratuit

Commencez votre essai gratuit

Livraison flexible
Vous pouvez l'installer virtuellement ou avec du matériel.
Installation rapide
Une heure seulement pour la mise en place - et encore moins pour un essai de sécurité du courrier électronique.
Choisissez votre voyage
Essayez Self-Learning AI là où vous en avez le plus besoin - y compris dans le cloud, sur le réseau ou par courriel.
Aucun engagement
Accès complet à Darktrace Threat Visualizer et à trois rapports sur mesure sur les menaces, sans obligation d'achat.
For more information, please see our Privacy Notice.
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.

Obtenez une démo

Livraison flexible
Vous pouvez l'installer virtuellement ou avec du matériel.
Installation rapide
Une heure seulement pour la mise en place - et encore moins pour un essai de sécurité du courrier électronique.
Choisissez votre voyage
Essayez Self-Learning AI là où vous en avez le plus besoin - y compris dans le cloud, sur le réseau ou par courriel.
Aucun engagement
Accès complet à Darktrace Threat Visualizer et à trois rapports sur mesure sur les menaces, sans obligation d'achat.
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.

Check out this article by Darktrace: Darktrace AI detects and responds to Emotet outbound malspam campaign