Emotet is back for the holidays

November 22, 2018

Two weeks ago, SonicWall Threat Research Lab researched and blogged about a large malspam campaign delivering Emotet. Emotet has come back for the holiday season with different tactics and better obfuscation techniques. These Thanksgiving-themed spam emails are being sent in very large numbers with a malicious XML attachment.

Infection Chain:

Email:

On November 20th, the spam email shown below was sent out with Thanksgiving greetings. It pretends to come from valid email addresses with valid full names.

XML:

The malicious attachment is not a Word document; it is an XML document. It looks like a malicious Word document with VB macros and shell code was converted to XML to evade signature-based detection.

The malicious XML document's extension was then altered from .xml to .doc so that it launches in Microsoft Word, the default program for the .doc extension.

The attachment opens in Microsoft Word and asks the user to enable macros.

Upon enabling macros, the shell code shown below gets executed.

ShellCode Deobfuscation:

The caret (^), cmd's escape character, is used for obfuscation by breaking up the command string to evade signature-based detection. Removing the carets and ignoring the semicolons in the shell code shown above yields the following.
Step 1:
Here the obfuscation is done through substrings of existing environment variable values.
cmd /c C%PrOgrAMfILES(x86):~  +9, +1%D; /v: /%APPdATA:~ 6,  1% ";

Environment variables:

ProgramFiles(x86)=C:\Program Files (x86)
APPDATA=C:\Users\user\AppData\Roaming

The ProgramFiles(x86) environment variable contains the character 'm' at index 9 (counting from 0), so replacing "%PrOgrAMfILES(x86):~  +9, +1%" with 'm', and likewise replacing "%APPdATA:~ 6,  1%" with 'r' (index 6 of APPDATA), yields

cmd /c CmD /v:/r
Step 2:
Set the variable "cd1" as shown below.
Step 3:
"fOr /L %E IN ( +1559 -3 +2) do (sET uYi=!uYi!!cd1:~  %E,   1!) && If %E ==2 ((call %uYi:~ -520%))"
Reversal payload obfuscation is used to encode the command. The reversed command is initially set in the environment variable "cd1" in Step 2. The /L switch instructs the for loop to iterate over a range of values starting from the first value (1559), stepping by the second value (-3), until it reaches the third value (2).
When it reaches 2, uYi will hold the string below.
After applying all the above steps, we get
cmd /v:ON /r "<powershell command>"
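Steps 1 and 3 can be emulated offline to recover the command without executing it. The Python below is an added example, not SonicWall's code: ENV holds the two environment-variable values listed above, and constructed_cd1() is a made-up fixture standing in for the real cd1 string, which this post does not reproduce.

```python
import re

# Constructed environment; the values are the ones the post lists.
ENV = {"ProgramFiles(x86)": r"C:\Program Files (x86)",
       "APPDATA": r"C:\Users\user\AppData\Roaming"}

# %VAR:~start[,len]% including the stray spaces and '+' signs the sample uses.
SUBSTR_RE = re.compile(r"%([^%:]+):~\s*([+-]?\s*\d+)\s*(?:,\s*([+-]?\s*\d+))?\s*%")

def expand_substrings(cmd, env):
    """Resolve cmd.exe substring expansions case-insensitively (Step 1)."""
    lookup = {k.lower(): v for k, v in env.items()}
    def repl(m):
        name = m.group(1).lower()
        if name not in lookup:        # cmd leaves undefined references as-is
            return m.group(0)
        value = lookup[name]
        start = int(m.group(2).replace(" ", ""))
        if start < 0:                 # negative start counts from the end
            start = max(len(value) + start, 0)
        if m.group(3) is None:
            return value[start:]
        length = int(m.group(3).replace(" ", ""))
        end = len(value) + length if length < 0 else start + length
        return value[start:end]

    return SUBSTR_RE.sub(repl, cmd)

def for_l_indices(start, step, stop):
    """Values %E takes in `for /L %E IN (start step stop)`."""
    out, i = [], start
    while step and (i <= stop if step > 0 else i >= stop):
        out.append(i)
        i += step
    return out

def rebuild_payload(cd1, start, step, stop, tail):
    """Emulate Step 3: uYi accumulates !cd1:~%E,1! on every iteration and
    `call %uYi:~-tail%` then runs the last TAIL characters of uYi."""
    picked = (cd1[i] for i in for_l_indices(start, step, stop) if i < len(cd1))
    return "".join(picked)[-tail:]

def constructed_cd1(plain, step=3, stop=2, filler="#"):
    """Test fixture only: lay PLAIN out reversed on every STEP-th index down
    to STOP, so rebuild_payload() can be checked against a known string."""
    buf = [filler] * (stop + step * (len(plain) - 1) + 1)
    for k, ch in enumerate(plain):
        buf[stop + step * (len(plain) - 1 - k)] = ch
    return "".join(buf)
```

for_l_indices(1559, -3, 2) returns exactly 520 values ending at 2, which is why the sample's final call takes the last 520 characters of uYi.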

PowerShell:

The PowerShell script uses the XMLHTTP object (MSXML2.XMLHTTP) to send an HTTP request that downloads the payload. It then uses a stream object to save the binary contents to a file in the system temporary path, and finally runs the payload.

Payload:

Upon execution, the initial payload drops the Emotet malware, which then connects to its command-and-control (C2) server.

SonicWall Threat Research Lab provides protection against this threat with the following signatures:

  • GAV: MalAgent.H_13035 (Trojan)
  • GAV: Emotet (Trojan)
  • GAV: MalAgent.H_13037 (Trojan)

Trend Chart:
Find below the hits for the GAV signature "MalAgent.H_13037":

Hashes (SHA-256):

Email:

70f2001db275cd64b4479170e577256d9c23641254ef6f6bbc86a7da06027b82

XML:

947fd45284f627d42976f1dc2e17eb37dd43572801def4c6de4aa0b59468858a
c73a1ca2ea93c9dba1b6fd987fa1921890f51b87be5e792cc4184e250c0aeecf

Payload:

efe368ee739ef9ce068bdf624df783121fd84917bc69fcb0d9faaf8fda8a84f6
e00cd6e2a69ab6d8478951333fce0d834d5bf350a4add1bc11c7c209e002520b