Emotet is back in business and it is revealing some new tricks. Not long ago, Emotet introduced a new module, a Google Chrome credit card grabber. More recently, the SMB spreader module has been brought back and is once again part of the infection chain.
Loading the necessary DLLs
The very first step of the spreader module is to load and save pointers to the following DLLs:
shlwapi.dll userenv.dll crypt32.dll advapi32.dll shell32.dll urlmon.dll netapi32.dll bcrypt.dll wininet.dll mpr.dll wtsapi32.dll
These DLLs are used to resolve the Windows APIs as needed.
Getting the path of Emotet loader
The path of the Emotet loader is extracted directly from the command line of the current process (possible because the modules run in the same process as the loader).
The path is used later, when the spreader tries to copy the loader to a remote share.
Hardcoded usernames and passwords
The spreader contains a list of hardcoded usernames and a list of hardcoded passwords and uses them to brute-force the IPC$ share of servers on the same network as the infected machine.
Decrypting and building a linked list of usernames:
Decrypting and building a linked list of passwords:
Full list of hardcoded usernames:
Full list of hardcoded passwords:
Impersonating the logged on user
The token of the logged-on user account is duplicated with the SecurityImpersonation level, which, according to MSDN, allows a process to impersonate the client's security context on the local system:
After duplicating the user token, the spreader calls ImpersonateLoggedOnUser so that its thread runs under the security context of the logged-on user:
Finding remote servers
To find remote servers the spreader enumerates network resources with two WinAPIs, among them WNetEnumResourceW. If an enumerated network resource is a server, its name is saved to a linked list of remote server names:
The spreader then iterates over the list of servers and brute-forces the IPC$ share of each one with the hardcoded usernames and passwords:
The function fn_connect_2_network_resource calls the WinAPI WNetAddConnection2W with the hardcoded credentials.
If no valid credentials are found, the spreader tries to fetch usernames from the target server using the WinAPI
Every fetched username that is not already in the hardcoded list is then brute-forced with the hardcoded password list.
If the spreader finds valid credentials for the IPC$ share, it tries to connect to the ADMIN$ and C$ shares with them:
If the connection to one of these shares succeeds, the Emotet loader is copied to the share under a random filename (derived from the machine's CPU counter) and launched as a service.
Paths to where the loader can be copied:
The newly created service executes one of the following commands:
regsvr32.exe "C:\<random>.dll"
regsvr32.exe "%SystemRoot%\<random>.dll"
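The two observable stages of the chain described above, the IPC$ brute force with a hardcoded user and password list and the service install that runs regsvr32 on a DLL dropped in a drive root or %SystemRoot%, can be turned into detection logic. The following is an added example written for this post, not code from the original analysis or from the Emotet module: it runs two rules over constructed Windows event records (4625 logon failures, 5140 share accesses, 7045 service installs). The field names, the sample host and IP values and the thresholds are assumptions; real deployments would map them from the corresponding event log fields.

```python
"""Detection rules for the Emotet SMB-spreader chain (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; field names and values are assumptions for
# this example, not real log data from the analysed sample.
SAMPLE_EVENTS = [
    # Six failed logons in a few seconds, all from one source, each with a
    # different account: the hardcoded user/password list hitting IPC$.
    *[{"ts": "2022-09-14T10:00:%02d" % i, "event_id": 4625, "host": "FILESRV01",
       "src_ip": "10.0.0.23", "user": u, "share": None, "image_path": None}
      for i, u in enumerate(["Administrator", "admin", "user", "test", "guest", "backup"])],
    # A credential finally worked: the same source opens ADMIN$.
    {"ts": "2022-09-14T10:00:09", "event_id": 5140, "host": "FILESRV01",
     "src_ip": "10.0.0.23", "user": "Administrator", "share": r"\\*\ADMIN$", "image_path": None},
    # The dropped loader is registered as a service that runs regsvr32 on a
    # DLL sitting directly in the drive root.
    {"ts": "2022-09-14T10:00:11", "event_id": 7045, "host": "FILESRV01",
     "src_ip": None, "user": None, "share": None,
     "image_path": r'regsvr32.exe "C:\a7f3c9e1.dll"'},
    # Benign noise on another host: a normal service and one failed logon.
    {"ts": "2022-09-14T10:05:00", "event_id": 7045, "host": "WKS02",
     "src_ip": None, "user": None, "share": None,
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"ts": "2022-09-14T10:06:00", "event_id": 4625, "host": "WKS02",
     "src_ip": "10.0.0.50", "user": "alice", "share": None, "image_path": None},
]

# Service ImagePath of the form  regsvr32.exe "C:\<x>.dll"  or
# regsvr32.exe "%SystemRoot%\<x>.dll": a DLL directly under a drive root
# or under %SystemRoot%, no subdirectory.
ROOT_DLL_SERVICE = re.compile(
    r'^\s*"?regsvr32(?:\.exe)?"?\s+"?(?:[a-z]:|%systemroot%)\\[^\\"]+\.dll"?\s*$',
    re.IGNORECASE)
ADMIN_SHARES = {"ADMIN$", "C$"}


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def find_share_bruteforce(events, window=timedelta(seconds=60), min_users=5):
    """Flag a (host, source IP) pair that fails logons as at least `min_users`
    distinct accounts within `window`. One account failing repeatedly is a
    typo; many accounts from one source in seconds is a wordlist."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_src[(ev["host"], ev["src_ip"])].append(ev)
    alerts = []
    for (host, src), evs in by_src.items():
        evs.sort(key=_t)
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if _t(e) - _t(first) <= window}
            if len(users) >= min_users:
                alerts.append({"host": host, "src_ip": src, "users": sorted(users)})
                break
    return alerts


def find_admin_share_service_install(events, window=timedelta(minutes=5)):
    """Flag a 7045 service install whose ImagePath matches ROOT_DLL_SERVICE
    when the same host saw a remote ADMIN$ or C$ access (5140) up to
    `window` earlier. The share access supplies the remote source and the
    account that was used, which the 7045 event does not carry."""
    share_hits = [e for e in events if e["event_id"] == 5140 and e["share"]
                  and e["share"].rsplit("\\", 1)[-1].upper() in ADMIN_SHARES]
    alerts = []
    for ev in events:
        if ev["event_id"] != 7045 or not ROOT_DLL_SERVICE.match(ev["image_path"] or ""):
            continue
        for sh in share_hits:
            if sh["host"] == ev["host"] and timedelta(0) <= _t(ev) - _t(sh) <= window:
                alerts.append({"host": ev["host"], "src_ip": sh["src_ip"],
                               "user": sh["user"], "image_path": ev["image_path"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_share_bruteforce(SAMPLE_EVENTS):
        print("IPC$ brute force:", alert)
    for alert in find_admin_share_service_install(SAMPLE_EVENTS):
        print("admin-share drop + regsvr32 service:", alert)
```

Event 5140 only exists when "Audit File Share" is enabled in the advanced audit policy, and 7045 lives in the System log rather than Security; without both, the second rule degrades to "service install running regsvr32 on a root-level DLL", which on its own is still rare enough to be worth an alert. The brute-force threshold should be tuned against the environment, since Emotet's hardcoded list is long and will trip almost any distinct-account count, while service accounts with stale passwords usually fail as a single name.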
- 3D8F8F406A04A740B8ABB1D92490AFEF2A9ADCD9BEECB13AECF91F53AAC736B4 - SMB spreader module