Home Applications Bromium Emotet Banking Trojan polymorphic malware analysis

Bromium Emotet Banking Trojan polymorphic malware analysis

0
Bromium Emotet Banking Trojan polymorphic malware analysis
0
  • We analyzed samples containing the Emotet banking trojan and broke down the findings in a side-by-side comparison.
  • Malware authors are repacking their malicious software into a unique executable for each potential victim, avoiding any-and-all signature-based detection.
  • Repacked dropped executables on this scale are unprecedented, and this is why application isolation and control is so important. Protect before you detect is the only secure approach.

Recently, the Bromium Lab team uncovered a series of samples containing the Emotet banking trojan, which indicates that malware authors are rapidly rewrapping their packed executables and the documents used to distribute them. Based on feedback and further monitoring, we investigated the polymorphic dropped executables in more detail. The results are quite interesting; the samples don’t just feature trivial changes or the addition of random data. Rather, the sample appears like completely different software in many aspects. This allows the samples to avoid signature-based anti-virus as well as package detection and static analysis.

Extravagant repackaging hides the malware.

We have collected dozens of samples and analyzed several dropped from various malicious servers linked to this campaign. For ease of sharing, we will compare two samples side by side. Both were dropped from different malicious documents received in quick succession from the same malicious server.

As you can see, these samples are superficially very different. However, basic dynamic analysis using Procmon shows that, once unpacked, they execute the same sequence of system calls.

Watch application isolation in action: see Bromium contain malware.

To understand what’s happening, we disassemble and compare.

Shortly after the entry-point of each sample we reach the start of what could be considered a “dummy program.” This appears to be randomly generated code designed to look like a legitimate application. For example, Sample One calls CreateMetaFile [https://msdn.microsoft.com/en-us/library/windows/desktop/dd183506(v=vs.85).aspx] to make a file “ExwgBDryShtwACnd” that it doesn’t use. Sample Two calls EmptyClipboard [https://msdn.microsoft.com/en-us/library/windows/desktop/ms649037(v=vs.85).aspx] and neither appear to change the behavior of the program in any meaningful way. Since the two samples were received in quick succession, we have reason to believe that this process may be automated.

Read the entire article here, Bromium Emotet Banking Trojan polymorphic malware analysis

via the fine folks at Bromium

Categories:
Bromium Bromium was founded in 2010 with a mission to restore trust in computing. The company’s founders, Gaurav Banga, Simon Crosby, and Ian Pratt, have a long and deep history of innovation in virtualization and security. Inspired by the isolation principles of traditional virtualization, the Bromium team has created a game-changing new technology called micro-virtualization to address the enterprise security problem and provide protection for end users against advanced malware. Bromium has its headquarters in Cupertino, California, and an R&D center in Cambridge, UK. The company is backed by top-tier investors, including Andreessen Horowitz, Ignition Capital, Highland Capital Partners, Intel Capital, Meritech Capital and Lightspeed Venture Partners.

Share your view, leave a comment below:

Featured Resources:

Related Articles:

| LATEST FEATURED RESOURCES

White Papers

    Application Lifecycle Management with Stratusphere UX – White Paper

    Enterprises today are faced with many challenges, and among those at the top of the list is the struggle surrounding the design, deployment, management and operations that support desktop applications. The demand for applications is increasing at an exponential rate, and organizations are being forced to consider platforms beyond physical, virtual and cloud-based environments. Users […]

    Downloads

      Download Commvault VM Backup and Recovery: end-to-end VM backup, recovery and cloud management

      Commvault’s ability to provide end-to-end VM backup, recovery and cloud management creates a significantly better way to build, protect and optimize VMs throughout their lifecycle. Our best-in-class software for VM backup, recovery and cloud management delivers a number of significant benefits, including: VM recovery with live recovery options; backup to and in the cloud; custom-fit […]

      On-Demand Webinars

        What’s Going on in EUC Printing – A Technical Deep Dive!

        The IGEL Community and ThinPrint invite you to watch the following technical deep dive webinar. The agenda is to technically bring you up to speed on what’s going on in the EUC Printing space today along with a deep dive into new methods, technologies, printing scenarios and a discussion on why printing still matters. You […]

        Latest Videos

          Amazon WorkSpaces – Conditional application access from a secure Wi-Fi connection Video

          To meet the corporate security requirements, users are required to access the ‘Business Application’ within Amazon WorkSpaces if the endpoint uses a secure WPA2 or WPA3 encrypted Wi-Fi connection. This video is from the fine folks at deviceTRUST.

          Views All IT News on DABCC.com
          Views All IT Videos on DABCC.com
          Win big $$, visit ITBaller.com for more info!

          Visit Our Sponsors

          Close