Security researchers from Trend Micro have discovered a new variant of the EMOTET banking Trojan that uses new evasion features enabling it to evade sandbox and malware analysis.
EMOTET is a piece of malware program that is essentially used to steal financial information and other sensitive data, it can also be used as a Trojan downloader.
According to Trend Micro:
“We recently discovered that EMOTET has a new iteration (detected as TSPY_EMOTET.SMD10) with a few changes in its usual behavior and new routines that allow it to elude sandbox and malware analysis.”
Some malware are created to sleep for a period of time to evade detection from malware analysis products. The analysis program will switch its sleep period to a very short time to scan for malicious actions. The trojan’s anti-analysis technique includes checking when the scanner watches activities to evade detection. CreateTimerQueueTimer helps EMOTET do the job every 0x3E8 milliseconds.
The researchers said that EMOTET’s dropper shifted from using RunPE to using a Windows application programming interface (CreateTimerQueueTimer). This API generates a queue for lightweight objects called timers, which are intended to allow the selection of a callback function at a specified time.
EMOTET trojan is not the first malware to misuse this API, Hancitor banking Trojan also dropped PONY and VAWTRAK used it in its dropper as well.