Emotet is back for the holidays

Two weeks ago, SonicWall Threat Research Lab researched and blogged about a large malspam campaign delivering Emotet. Emotet is back for the holiday season with different tactics and improved obfuscation techniques. These Thanksgiving-themed spam emails are sent in very large numbers and carry a malicious XML attachment.

Infection Chain:

Email:

On November 20th, the spam email shown below was sent out with Thanksgiving greetings. It pretends to come from valid email addresses with valid full names.

XML:

The malicious attachment is not a Word document but an XML document. It appears that a malicious Word document containing VB macros and shell code was converted to XML to evade signature-based detection.

The extension of the malicious XML document was then changed from .xml to .doc so that it launches in Microsoft Word, the default program for the .doc extension.

The attachment opens in Microsoft Word and prompts the user to enable macros.

Upon enabling macros, the shell code shown below is executed.

ShellCode Deobfuscation:

The caret (^), cmd's escape character, is used for obfuscation by breaking up the command string to evade signature-based detection. Removing the carets and ignoring the semicolons in the shell code shown above yields the following.
Step 1:
Here, obfuscation is done through substrings of existing environment variable values.
cmd /c C%PrOgrAMfILES(x86):~  +9, +1%D; /v: /%APPdATA:~ 6,  1% "

Environment variables:

ProgramFiles(x86)=C:\Program Files (x86)
APPDATA=C:\Users\user\AppData\Roaming

The ProgramFiles(x86) environment variable contains the character 'm' at index 9 (counting from 0), so replacing "%PrOgrAMfILES(x86):~  +9, +1%" with 'm', and likewise replacing "%APPdATA:~ 6,  1%" with 'r' (index 6 of APPDATA), yields

 cmd /c CmD /v:/r
Step 2:
Set the variable "cd1" as shown below.
Step 3:
"fOr /L %E IN ( +1559 -3 +2) do (sET uYi=!uYi!!cd1:~  %E,   1!) && If %E ==2 ((call %uYi:~ -520%))"
Reversed-payload obfuscation is used to encode the command. The reversed command is first stored in the environment variable "cd1" in step 2. The /L flag instructs the for loop to iterate over a range of values, starting from the first value (1559) and decrementing by the second value (-3) until it reaches the third value (2). Each iteration appends the single character of cd1 at index %E to uYi, so the loop reads cd1 backwards in steps of three; it runs (1559 - 2) / 3 + 1 = 520 times, which is why the final call takes the last 520 characters of uYi (%uYi:~ -520%).
When it reaches 2, uYi holds the string below.
After applying all the above steps, we get
cmd /v:ON /r “<powershell command>”
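
As an added illustration (not the post's own tooling), the two cmd.exe tricks described in steps 1 and 3 can be undone mechanically. The script below assumes the environment variable values quoted above and uses a constructed stand-in for the cd1 variable, since the real one is only shown as an image.

```python
import re

# Constructed environment values, taken from the ones quoted in the post.
ENV = {
    "PROGRAMFILES(X86)": r"C:\Program Files (x86)",
    "APPDATA": r"C:\Users\user\AppData\Roaming",
}

# Matches cmd.exe substring expansion %VAR:~start,len% (len is optional).
SUBSTR_RE = re.compile(r"%([^%:]+):~\s*([+-]?\d+)\s*(?:,\s*([+-]?\d+)\s*)?%")

# Constructed stand-in for the "cd1" variable (the post's real value is an image):
# every third character from index 2 holds "echo hi" reversed, the rest is filler.
SAMPLE_CD1 = "##i##h## ##o##h##c##e"

def cmd_substring(value, start, length=None):
    """Emulate %var:~start,len%: a negative start counts from the end,
    a negative len trims that many characters off the end."""
    n = len(value)
    start = max(n + start, 0) if start < 0 else start
    end = n if length is None else (n + length if length < 0 else start + length)
    return value[start:end]

def deobfuscate_step1(cmd, env=ENV):
    """Step 1 of the post: drop caret escapes and stray semicolons,
    then resolve every %VAR:~a,b% fragment from the environment."""
    cmd = re.sub(r"\^(.)", r"\1", cmd)      # ^x -> x
    cmd = cmd.replace(";", "")              # ';' is a separator cmd ignores here
    def repl(m):
        name = m.group(1).upper()
        start = int(m.group(2))
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(env[name], start, length)
    return SUBSTR_RE.sub(repl, cmd)

def for_l_values(start, step, end):
    """Indices visited by 'for /L %E in (start,step,end)'."""
    vals, i = [], start
    while (i <= end) if step > 0 else (i >= end):
        vals.append(i)
        i += step
    return vals

def deobfuscate_step3(cd1, start, step, end, tail):
    """Step 3 of the post: rebuild uYi by picking cd1[%E] at each loop
    index, then keep the last `tail` characters as '%uYi:~ -tail%' does."""
    uyi = "".join(cmd_substring(cd1, i, 1) for i in for_l_values(start, step, end))
    return cmd_substring(uyi, -tail)
```

Running the real loop parameters through for_l_values confirms the 520-iteration count, so a mismatch between that count and the -520 tail is a quick sanity check when analysing a variant of this sample.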

PowerShell:

The PowerShell script uses the XMLHTTP object (MSXML2.XMLHTTP) to send an HTTP request that downloads the payload. It then uses a stream object to save the binary contents to a file in the system temporary path, and finally runs the payload.

Payload:

Upon execution, the initial payload drops the Emotet malware, which then connects to its C2 server.

SonicWall Threat Research Lab provides protection against this threat with the following signatures:

  • GAV: MalAgent.H_13035 (Trojan)
  • GAV: Emotet (Trojan)
  • GAV: MalAgent.H_13037 (Trojan)

Trend Chart:
The chart below shows the hits for the GAV signature "MalAgent.H_13037".
