Emotet is back for the holidays
Two weeks ago, SonicWall Threat Research Lab researched and blogged about a large malspam campaign delivering Emotet. Emotet is back again for the holiday season with different tactics and better obfuscation techniques. These Thanksgiving-themed spam emails are sent in very large numbers with a malicious XML attachment.
On November 20th, the spam email below was sent out with Thanksgiving greetings. It pretends to come from valid email addresses with valid full names.
The malicious attachment is not a Word document but an XML document. It appears that a malicious Word document with VB macros and shell code was converted to XML to evade signature-based detection.
The malicious XML document's extension was then changed from .xml to .doc so that it launches in Microsoft Word, the default program for the .doc extension.
The attachment opens in Microsoft Word and asks the user to enable macros.
Upon enabling macros, the shell code shown below gets executed.
The ProgramFiles(x86) environment variable contains the character 'm' at index 9 (counting from zero), so replacing "%PrOgrAMfILES(x86):~ +9, +1%" with 'm' and likewise replacing "%APPdATA:~ 6, 1%" with 'r' yields:
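To make that substitution repeatable when triaging such command lines, here is an added Python helper (not part of the original post) that expands cmd.exe `%VAR:~start,length%` substring references against a table of environment values; the table entries are assumed Windows defaults supplied by the analyst, and the helper also counts such expansions as a simple triage feature.

```python
import re

# Constructed default values for the environment variables the campaign
# abuses (plus two more common ones), as found on a typical Windows host.
# The analyst fills this table in; the script itself runs anywhere.
ENV = {
    "PROGRAMFILES(X86)": r"C:\Program Files (x86)",
    "APPDATA": r"C:\Users\user\AppData\Roaming",
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "SYSTEMROOT": r"C:\Windows",
}

# %NAME:~start,length% with optional sign and whitespace, as cmd.exe accepts it.
SUBSTR_RE = re.compile(r"%([^%:]+):~\s*([+-]?\d+)\s*(?:,\s*([+-]?\d+)\s*)?%")


def cmd_substr(value, start, length=None):
    """Substring expansion with cmd.exe semantics: a negative start counts
    from the end, a negative length drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end] if end > start else ""


def deobfuscate(command, env=ENV):
    """Resolve every substring expansion whose variable is in the table;
    unknown variables are left untouched so the analyst can see them."""
    def resolve(match):
        name = match.group(1).upper()   # cmd variable names are case-insensitive
        if name not in env:
            return match.group(0)
        start = int(match.group(2))
        length = int(match.group(3)) if match.group(3) is not None else None
        return cmd_substr(env[name], start, length)
    return SUBSTR_RE.sub(resolve, command)


def expansion_count(command):
    """Number of substring expansions in a command line: benign command
    lines almost never assemble characters one at a time this way."""
    return len(SUBSTR_RE.findall(command))


if __name__ == "__main__":
    sample = "c%PrOgrAMfILES(x86):~ +9, +1%d"   # constructed sample
    print(expansion_count(sample), deobfuscate(sample))
```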
SonicWall Threat Research Lab provides protection against this exploit with the following signatures:
- GAV: MalAgent.H_13035 (Trojan)
- GAV: Emotet (Trojan)
- GAV: MalAgent.H_13037 (Trojan)
Find below the hits for the GAV signature "MalAgent.H_13037":