HP Threat Research Blog The Emotet Banking Trojan: Analysis of Dropped Malware Morphing at Scale

Hackers Keep it Simple: Malware Evades Detection by Simply Copying a File

December 3, 2017 Category: Uncategorized By: Joe Darbyshire Comments: 0

The Emotet Banking Trojan: Analysis of Dropped Malware Morphing at Scale

  • We analyzed samples containing the Emotet banking trojan and broke down the findings in a side-by-side comparison.
  • Malware authors are repacking their malicious software into a unique executable for each potential victim, avoiding any-and-all signature-based detection.
  • Repacked dropped executables on this scale are unprecedented, and this is why application isolation and control is so important. Protect before you detect is the only secure approach.

Recently, the Bromium Lab team uncovered a series of samples containing the Emotet banking trojan, which indicates that malware authors are rapidly rewrapping their packed executables and the documents used to distribute them. Based on feedback and further monitoring, we investigated the polymorphic dropped executables in more detail. The results are quite interesting; the samples don’t just feature trivial changes or the addition of random data. Rather, the sample appears like completely different software in many aspects. This allows the samples to avoid signature-based anti-virus as well as package detection and static analysis.

Extravagant repackaging hides the malware.

We have collected dozens of samples and analyzed several dropped from various malicious servers linked to this campaign. For ease of sharing, we will compare two samples side by side. Both were dropped from different malicious documents received in quick succession from the same malicious server.

Emotet Trojan analysis 1

As you can see, these samples are superficially very different. However, basi