Network Forensic Investigation: Identifying Malware in Network Traffic
By Matthew Grant, Lynnsey Graham Novak & James Kennedy
For OTU INFR 4690, Winter 2021
Introduction
Worldwide news reports of ransomware attacks have become an almost weekly occurrence in recent years and while some countries saw decreases in ransomware attacks over 2020, the U.S. saw a 139% year-over-year increase to 145.2 million recorded attacks (Help Net Security, 2020). The average ransomware payment rose 33% in 2020 to $111,605 USD and the average cost of a ransomware attack on businesses is $133,000 USD (Sobers, 2021). Canada has been no exception to this rash of attacks and Canada’s cyber defence agency has warned that “attacks against critical Canadian business and infrastructure are ‘almost certain’ to continue, as Canada has already seen its systems targeted by such attacks in recent years” (Gilmore, 2020).
One of the most effective tools for malware infection has been the Emotet malware; A malware that can itself collect and transmit data about the systems it infects while actively introducing other malware, such as ransomware, onto the system. The Emotet malware has been traditionally difficult to detect in systems and in its current form has been made available to malicious actors as a “Malware-as-a-Service” that can be customized with various malicious payloads (Petcu, 2021).
This report will explore Wireshark, a powerful network analyzer, as a forensic tool to examine and discuss the network traffic that is generated by an Emotet infection and suggest methods for early detection.
Tools & Threats
Wireshark & Network Analysis
Wireshark (https://www.wireshark.org) is a free network protocol analyzer that is a critical tool for any system administrator, security professional, or forensic investigator. This tool analyzes network traffic in real time and is used for analysis, troubleshooting and, as stated, forensic analysis. It’s analysis capabilities extend to dropped packets, latency issues, and of special interest to this project, malicious activity (Porup, 2018).
Understanding how Wireshark works is fundamental to truly appreciating its power. Wireshark intercepts the binary traffic that traverses networks and, though its intuitive GUI, translates that data into human readable, filterable, and exportable formats. Because of the large amount of TCP, UDP, and ICMP traffic that traverses a normal network, Wireshark’s ability to filter that captured traffic at a granular level is particularly useful, especially when investigating and tracing the activities of a malware infection.
Wireshark has two levels of filters: one that is applied at the initial ‘capture’ level, so that only the broader types of traffic that you are interested in are syphoned from all of the network traffic, and the other that is applied at the ‘display’ level to help isolate data of interest (Porup, 2018). One additional feature of Wireshark is that it also allows users to configure special ‘coloring rules’ that can highlight captured packets that contain specific signatures of possible malware that makes it easy to quickly identify potential threats (Bock, 2021).
Once traffic has been captured and, if necessary, effectively filtered, it can be exported and saved in a .pcap file that can be stored and analyzed at a later time. Especially useful in this project was Wireshark’s ability to export the captured data from an infected system as a TCP dump to the .pcap file, which we were then able to acquire and analyze, without risk of infecting our own systems for the sake of investigation (Duncan, 2021).
All in all, Wireshark is a ‘Swiss Army Knife’ type toolkit that enables powerful, critical analysis of network activity for many different applications.
Emotet: A Trojan Conduit to Ransomware
As a contraction of the words “malicious” and “software”, the word malware is an umbrella term that covers a vast number of unique variations. One of those variations is ransomware, a type of malware that is characterized by its holding the victim’s data for ransom. In many instances, after infection, the malware will encrypt the victim’s files and then demand a ransom payment in exchange for restoring access to the data (Fruhlinger, 2020).
In terms of attack vectors, ransomware can infect a system in a number of different ways, common among them is phishing spam and, according to Kaspersky, this is the most frequent way that Emotet infects computer systems. Emotet is often spread through spam emails that contain either a malicious URL or an infected document and after the victim either downloads the infected file or accesses the URL, more malware is then downloaded onto the system (Kaspersky, n.d.).
Source: Wireshark Tutorial: Examining Emotet Infection Traffic (Duncan, 2021)
Emotet is often associated with ransomware attacks however, it was first created as a Trojan whose original “goal was to access foreign devices and spy on sensitive private data” targeting banking institutions, and behaved similarly to a worm as it replicated itself and spread over connected networks in an attempt to infect more systems (Kaspersky, n.d.). Emotet has “evolved from a banking Trojan to a Dropper, which means that the Trojan reloads malware onto devices [which] are then responsible for the actual damage to the system (Kaspersky, n.d.). Some of the malware families often distributed by Emotet are Gootkit, IcedID, Qakbot and Trickbot (Duncan, 2021).
It is believed that behind the development of Emotet is a hacker group called Mealybug who now offer Malware-as-a-Service (MaaS) and have since “rented this framework to various ransomware ventures, including the infamous Ryuk gang” (Petcu, 2021). It is worth noting that Ryuk ransomware, itself available for ‘lease’ on the darkweb, was “behind one third of all [detected] ransomware attacks in 2020” (Help Net Security, 2020).
A Closer Look
When a victim opens an Emotet-infected file (such a MS Word document contained in a ZIP archive, or PDF containing embedded links), they are prompted to ‘enable macros’ which is the critical step that triggers the Emotet binary to execute (Duncan, 2021). In recent years, this binary has been a DLL file, while prior to 2020, it was a Windows EXE file. The execution of the binary generates encrypted HTTP traffic to and from Command & Control (C2) servers as well as additional traffic if Emotet drops secondary malware. Additionally, Emotet can be used to make the infected machine essentially into a spambot which will generate a host of SMTP traffic (Duncan, 2021).
Source: Wireshark Tutorial: Examining Emotet Infection Traffic (Duncan, 2021)
In one example, the initial Emotet malware script is executed by PowerShell in its base64-encoded format that, when examined, contains a variable that holds several (or more) URLs that point to the C2 servers (Lu, 2019).
Emotet then gathered the infected system’s data (such as host name, all running processes and more) and compressed it using the Deflate algorithm. The malware then “encrypts the compressed data … with a session key, and packs the session key (AES), that is encrypted using an RSA public key, along with a hash value and the encrypted data” (Lu, 2019). This encrypted data makes up the HTTP body data of POST requests sent to the C2 servers.
Emotet infections have remained especially challenging to detect and prevent in their earliest stages.
Traffic Analysis: Methods & Filters
Because Emotet spreads and further infects over HTTP, we can analyze the data sent over a network to identify and track the behaviour of the Emotet virus. We managed to obtain a series of .pcap files that contain the network packet data of a system that has been infected by the Emotet virus, and will be analysing it using Wireshark to further understand its behaviour (Duncan, 2021). Keep in mind that these network activities contain Windows-based malware, and you should be incredibly careful if following along on a Windows system.
HTTP & TLS Traffic
Through Wireshark we have a very detailed history of network activity involving this infected system, but a good deal of it is not very valuable to us. What we need to do now is filter out all the activity that we do not need so that we can find and isolate the data we are interested in more easily. A significant amount of data can be found in each of these pcap files, and each one only holds a few minutes of traffic on systems that were mostly stationary. Suspicious traffic can be easily camouflaged amongst regular traffic, so it is important that we can search for and identify unwanted or dangerous behaviour. Who can be bothered to analyze them one by one when we can filter out the unnecessary data to find exactly what we are looking for?
Since we know Emotet maneuvers through the web, we can apply a filter that will give us HTTP requests and TLS handshakes only. From there we may be able to determine where the infection might have come from.
Filter: (http.request or tls.handshake.type eq 1) and !(ssdp)
Now we can see a few web requests have been made that may have been used to retrieve the ransomware (although one of the URLs redirected to a suspended page) that still leaves 3–4 possible sources. We can edit the previously used filter to view the responses of these requests.
Filter: (http.request or http.response or tls.handshake.type eq 1) and !(ssdp)
Now we can see the responses that the infected system received from the web requests. The one that should stand out is the last request, seo.udaipurkart.com, as there is no response. We can use Wireshark to follow the TCP stream in order to discover more about it. By right-clicking the request and clicking follow TCP Stream, or by pressing Ctrl+Alt+Shift+T we can see the full exchange.
Extracting the DLL
Here we can see that seo.udaipurkart.com responded with a .dll file download. This is the file responsible for putting the Emotet malware on the system in the first place. Now that we have the transfer, we can extract the .dll file from the .pcap file for future analysis, by going to file export objects HTTP and saving the file named Sgms.
Now that we know where the malware came from, we should further determine what it is doing. Since this version of Emotet uses HTTP POST requests to command and control the system, we can filter traffic with the following filter to show us all these requests.
Filter: http.request.method eq POST
We can see there are a number of post requests being sent to the same IP addresses, 5.2.136.90:80 and 167.71.4.0:8080. Further analysis will later determine the first address to be an Emotet Botnet server that is communicating with this infected system. But the second address stands out as some of the post requests are URL encoded. Use the following command view all the URL encoded posts.
Filter: urlencoded-form
Alternatively, you can use the following command to view the post requests coming from the non URL encoded transfers.
Filter: http.request method eq POST and !(urlencoded-form)
Failed Connection Requests
Failed connection requests may also show in the .pcap file. In some cases, an infected host may try to connect with a server that has been taken off-line or is refusing a TCP connection. If that is the case, you can still analyze the requests being made to discover the destination. We used the following filter to find failed connection attempts.
Filter: tcp.analysis.retransmission and tcp.flags eq 0x0002
SMTP Traffic
As Emotet also works as a spambot, we can take a look at the system’s mailing traffic to learn even more. Use this filter to get a look at traffic using simple mail transfer protocol.
Filter: smtp
Most (if not all) of the data will be encrypted. If you are lucky enough, you might be able to find some unencrypted data. The following filter will give you results of unencrypted SMTP transfers that you can analyze.
Filter: smtp.data.fragment
Other filters can be used to analyze traffic that is commonly used by Emotet infections. For example, variations of Emotet that use Trickbot can be identified by searching traffic over Trickbots commonly used ports: 447 and 449. Additionally, Trickbot is also known to take binaries through .png image files. Either of these filters will be able to identify Trickbot behaviour in an Emotet infected system.
Filter: tls.handshake.type eq 1 and (tcp.port eq 447 or tcp.port eq 449)
Filter: http.request.uri contains .png
Infection Analysis: Detection & Prevention
For this portion of our discussion, the following addresses are utilized in the examples:
Infected Machine: 10.1.6.206
DLL Host: 103.92.235.25
C2 Server #1: 5.2.136.90
C2 Server #2: 137.71.4.0
Using the following filters from Palo Alto, we can see the GET request for the DLL which initially infects the target machine (Duncan, 2021).
(http.request or tls.handshake.type eq 1) and !(ssdp)
Connection to the C2 Server
The IP of the web server hosting the DLL is 103.92.235.25 which resolves to server27.hostingraja.org, an Indian hosting service. The hostname of the site that the DLL is served on is seo.udaipurkart.com which looks like a compromised online shopping platform.
The machine which receives the DLL and becomes infected with Emotet has the IP 10.1.6.206 and it communicates with two C2 servers. One of the C2 servers is 5.2.136.90 and the other is 167.71.4.0. The infected machine communicates with the C2 servers through POST requests with the commands sent through encrypted files.
The following filter can be used to see the traffic generated from those C2 servers.
Filter: (ip.dst_host==5.2.136.90 || ip.src_host==5.2.136.90) || (ip.dst_host==167.71.4.0 || ip.src_host==167.71.4.0)
Detection & Prevention Challenges
Due to the length of exchanges between the C2 and the infected machine, it can create a large number of requests in a single TCP stream, including a stream with a little less than eight hundred TCP packets to the 5.2.136.90 host. Unfortunately, this wouldn’t help much with the prevention of infection since there are certain cases where that much traffic could be generated along with POST requests legitimately.
Another difficulty in detecting the traffic generated by an Emotet infection is the likelihood of using hosting environments and changing them often. In the first minutes of infection, it hits three pages which are no longer hosting the malware before it hits a page that is still hosting it. First, it tries to get the malware from hangarlastik.com/cgi-bin/Ui4n/, which returns a 302 to an explanation that the account has been suspended. Then it sends a GET request to padreescapes.com/blog/0I/, which returns a 401 unauthorized for invalid credentials. Next, it sends a GET request to sarture.com/wp-includes/JD8/, which returns a 403 Forbidden. Finally, it sends a GET request to seo.udaipurkart.com/rx-5700–6hnr7/Sgms/ which returns the DLL.
Due to the traffic discussed above, it makes it difficult to find early warning signs of Emotet infection — at least through this actor’s implementation. An IDS could possibly detect it through a certain threshold of repeated GET requests that receive 401/403s but there is a possibility that traffic such as that could be generated legitimately. As well, that would not stop more sophisticated actors or earlier infections. Another possible way that an IDS might be able to detect it is based on lengthy TCP streams starting with a POST request containing an encrypted file. This would be less likely to be legitimate behaviour but it is not really an early detection, as the machine is already infected and will likely be crypto-locked shortly.
The best course of action would most likely be blocking DLLs from being downloaded or run at all, especially if they’re unsigned. The difficulty of identifying signatures for an Emotet infection is not just a difficulty that we are facing; Even the Snort rules for Emotet created by CISA are incredibly general and would only catch or alert one of the requests detailed above (Cybersecurity & Infrastructure Security Agency, 2020). There is the case where Emotet will use the infected machine to send out mass spam which would be easier to catch after infection but faces the same challenges for early detection.
Conclusion
An Emotet infection can lead to devastating consequences, especially if the payload is a malware as critical as ransomware. While challenging to detect in its early stages, this report has demonstrated how we can use a network analyzer like Wireshark to filter, identify and examine the network traffic that is generated by an Emotet infection to better understand its behaviour. We saw how after the initial execution of the Emotet binary, HTTP GET and POST requests are made to and from a remote C2 server that contain both critical data about the infected host machine as well as various malicious payloads to further infect it. Using the example of infection above, we saw that some methods of detection could easily flag an Emotet infection but would also likely trigger false-positive Emotet identifications by legitimate HTTP traffic as well. To avoid this, the most promising method of early prevention of the Emotet infection in the first place, would be to block unsigned DLLs from being downloaded or run.
Works Cited
Bock, L. (2021, February 8). Wireshark: Malware and Forensics. Lynda.com. Retrieved April 5, 2021, from https://www.lynda.com/Wireshark-tutorials/Wireshark-Malware-Forensics/624305-2.html
Cybersecurity & Infrastructure Security Agency. (2020, October 24). Alert (AA20–280A): Emotet Malware. CISA National Cyber Awareness System Alerts. Retrieved April 26, 2021, from https://us-cert.cisa.gov/ncas/alerts/aa20-280a
Duncan, B. (2021, January 11). pan-unit42/wireshark-tutorial-Emotet-traffic. GitHub. Retrieved March 29, 2021, from https://github.com/pan-unit42/wireshark-tutorial-Emotet-traffic
Duncan, B. (2021, January 19). Wireshark Tutorial: Examining Emotet Infection Traffic. Palo Alto Networks. Retrieved April 26, 2021, from https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/
Fruhlinger, J. (2020, June 19). Ransomware explained: How it works and how to remove it. CSO. Retrieved April 5, 2021, from https://www.csoonline.com/article/3236183/what-is-ransomware-how-it-works-and-how-to-remove-it.html
Gilmore, R. (2020, November 18). Ransomware attacks on critical Canadian businesses ‘almost certain’ to continue. Global News. Retrieved April 5, 2021, from https://globalnews.ca/news/7470467/ransomware-attacks-cyber-security-canadian-intelligence/
Help Net Security. (2020, November 3). Ryuk ransomware behind one third of all ransomware attacks in 2020. Help Net Security. Retrieved April 5, 2021, from https://www.helpnetsecurity.com/2020/11/03/ryuk-ransomware-2020/
Kaspersky. (n.d.). Emotet: How to best protect yourself from the Trojan. Kaspersky Resource Center. Retrieved April 5, 2021, from https://www.kaspersky.com/resource-center/threats/emotet
Lu, K. (2019, June 6). A Deep Dive into the Emotet Malware. Fortinet. Retrieved April 5, 2021, from https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware
Petcu, A. G. (2021, January 27). Emotet Malware Over the Years: The History of an Active Cyber-Threat [Updated]. Heimdal Security. Retrieved April 5, 2021, from https://heimdalsecurity.com/blog/emotet-malware-history/
Porup, J. M. (2018, September 17). What is Wireshark? What this essential troubleshooting tool does and how to use it. CSO Network Security. Retrieved April 5, 2021, from https://www.csoonline.com/article/3305805/what-is-wireshark-what-this-essential-troubleshooting-tool-does-and-how-to-use-it.html
Sobers, R. (2021, March 16). 134 Cybersecurity Statistics and Trends for 2021. Varonis Data Security. Retrieved April 5, 2021, from https://www.varonis.com/blog/cybersecurity-statistics/
