Emotet is back for the holidays

November 22, 2018

Two weeks ago, SonicWall Threat Research Lab had researched and blogged about a large malspam campaign delivering Emotet. Emotet has come back again for holiday season with different tactics and better obfuscation techniques. These spam emails in Thanksgiving theme are sent in very large numbers with malicious XML attachment.

Infection Chain:

Email:

On November 20th, the below spam email is sent out with thanksgiving greetings. it pretends to be coming from valid email addresses with valid full names.

XML:

The malicious attachment is not a Word document, it’s an XML document. Looks like malicious word document with VB macros and shell code is converted to  XML to evade from signature based detection.

Later the malicious XML document extension has been altered from .xml to .doc in order to launch it in Microsoft word, the  default program for .doc extension

The attachment opens in Microsoft word and requests user to enable macro.

Upon enabling macros, the shell code shown below gets executed

ShellCode Deobfuscation:

Escape character (^), the caret is used in obfuscation by breaking up the command string to evade from signature based detection. By escaping the escape character and ignoring semicolon from the above shown shell code, we shall retrieve the below
Step 1: 
Here obfuscation is done through existing environment variable values.
cmd /c C%PrOgrAMfILES(x86):~  +9, +1%D; /v: /%APPdATA:~ 6,  1% “;

Environment variables:

ProgramFiles(x86)=C:\Program Files (x86)
APPDATA=C:\Users\user\AppData\Roaming

The Programfiles(x86) environment variable contains the character ‘m’ at the 9th index. so replacing “%PrOgrAMfILES(x86):~  +9, +1%” with ‘m’  and likewise replacing %APPdATA:~ 6,  1% with ‘r’ yields

 cmd /c CmD /v:/r
Step 2:
Set variable “cd1” as shown below.
Step 3:
“fOr /L %E IN ( +1559 -3 +2) do (sET uYi=!uYi!!cd1:~  %E,   1!) && If %E ==2 ((call %uYi:~ -520%))”
Reversal payload obfuscation is being used to encode commands. The reversed command is initially set in the environment variable “cd1” in step 2. The /L  flag instructs the for loop to iterate over a range of values starting from the first value (1559), decrement by the second value (-3) until it reaches the third value (i.e 2).
when it reaches 2, uYi will have the below string.
After applying all the above steps, we get
cmd /v:ON /r “<powershell command>”

PowerShell:

PowerShell script uses XMLHTTP object (MSXML2.XMLHTTP) to send an arbitrary HTTP request to download the payload. And it uses the stream object to save the binary contents to a file in the system temporary path. Finally starts running the payload

Payload:

Upon execution, the initial payload drops the Emotet malware which then connects to the C2C server

Sonicwall Threat Research Lab provides protection against this exploit with the following signatures:

  • GAV: MalAgent.H_13035 (Trojan)
  • GAV: Emotet (Trojan)
  • GAV: MalAgent.H_13037 (Trojan)

Trend Chart:
Find below the hits for the GAV signature “MalAgent.H_13037”

Hash:

Email:

70f2001db275cd64b4479170e577256d9c23641254ef6f6bbc86a7da06027b82

XML:

947fd45284f627d42976f1dc2e17eb37dd43572801def4c6de4aa0b59468858a
c73a1ca2ea93c9dba1b6fd987fa1921890f51b87be5e792cc4184e250c0aeecf

Payload:

efe368ee739ef9ce068bdf624df783121fd84917bc69fcb0d9faaf8fda8a84f6
e00cd6e2a69ab6d8478951333fce0d834d5bf350a4add1bc11c7c209e002520b