Cyberint Research - Emotet Returns

Emotet is Back in the Game

Introduction

Known to be one of the most useful popular and dangerous threats, Emotet, firstly seen in 2014, is a Malware-as-a-Service (MaaS), that used to operate as a banking trojan targeting banks in Germany, Austria and Switzerland. Since 2017, Emotet has done a shift into a loader and took parts in campaigns, setting up for Trickbot delivery, deployment of ransomware such as Conti and Ryuk, and other malwares such as QuakBot, Azorult, SilentNight and more.

Throughout November 2021, Cyberint researchers have seen a massive increase in Emotet campaigns, nearly 10 months after law enforcement and judicial authorities worldwide took down the Emotet botnet and two of its operators.

Delivery

As is common with Emotet, the main delivery method is via email lures masquerading as legitimate business communications that encourage the recipient to open the attachment. Based on an analysis of this recent campaign, These attachments, mostly doc, docm, xls and xlsm files, include content relating to urgent or pressing matters such as new order, payment, purchase order and quotation, as well as the apparent reuse of prior legitimate email threads that include contact details for, and mimic, an unwitting third party.

Given the nature of the email lure, targeted recipients will likely include those working within Business Administration, Finance and Sales teams. Furthermore, the compromise of one organization could lead to legitimate email accounts being abused to send convincing lures to other organizations, such as their customers, partners and suppliers.

Initial Infection

Macro & VBScript Downloader

Having lured the victim into opening the malicious email attachment, the victim is prompted to ‘Enable Editing’ and ‘Enable Content’ resulting in an embedded macro (Figure 1) being executed to initiate the first stage – a command-line Powershell script (Figure 2) which downloads the Emotet Dynamic Load Library (DLL) file.

Emotet maldoc delivery Macro
Figure 1: Emotet maldoc delivery Macro
Emotet - Loading Powershell script
Figure 2: Loading Powershell script

Powershell Script

As mentioned, the Powershell script is being executed by the VBA Macro within the malicious document. The actions that are being taken within the Powershell script are creating a working directory within the user space at %USER%\\Snuvw2w\\V4651pz\\ and downloading from one of the hardcoded listed drop zone domains the DLL file (Figure 3) named H64C.dll by calling the rundll32.exe.

Emotet - Powershell script communications with compromised WordPress drop zone example.](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/71d5a24f-301b-43a9-86ed-0d1eb670f13a/2.png) Figure 3: Powershell script communications with compromised WordPress drop zone example.
Figure 3: Powershell script communications with compromised WordPress drop zone example.

At this point, depending on the sample, it seems that the function call within the loaded DLL file varies. Some of the names of the functions remained the same from campaigns witnessed before Emotet takedown at the beginning of 2021, which might suggest that not much has changed when it comes to the delivery method and first stages in the victim’s machine. This raises the question of whether we are witnessing a comeback from Emotet’s former operators. either way, most certainly there is access to the source code for the current operators.

Emotet DLL

The last stage of the infection is done by the loading of another final DLL file to the %APPDATA%\\Local\\Temp\\ directory, while the file name and extension might vary due to the random name generating mechanism equipped as part of the loading technique of the H64C.dll file.

The loaded file is also a DLL, the lays the final deployment in the process. This file will communicate to the main CNC server via HTTPS using a self-signed certificate, which is also one of the new features that were introduced to the new Emotet campaigns over the past month.

Emotet Network Infrastructure

As the Emotet botnet grows by the day, more information is being revealed when it comes to the drop zones and CNC servers involved in this operation.

Drop Zones

While each and every malicious doc in an Emotet campaign is equipped with a VBA Macro the executes a Powershell script, as mentioned, there is a list of four to six domains in each script the are being used as the drop zones for the Emotet DLL file. Given that out of hundreds of domains inspected, the vast majority of these domains were legitimate WordPress domains that had been compromised and are being used as drop-zones at the moment, Some even still operate.

It seems that the operators of Emotet taking advantage of any exploitable WordPress domain they can find in order for them to maintain and expand their network.

CNC Servers

As mentioned, The main CNC server with which the Emotet will work communicates within the client via an HTTPS connection, signed by a self-signed certificate. These servers are fully dedicated to managing the botnet, The communication with the CNC servers contains, Furthur instructions, new payload do run or download to the infected machine. Although we couldn’t find a new type of malwares and payloads that are being loaded other than Trickbot, It is very probable that in the ransomware era, we will see ransomware groups using the rising Emotet botnet to deliver their payloads.

Recommendations

  • Employee security awareness training remains an important step in helping them identify and be suspicious of unsolicited emails and phishing campaigns, especially messages with embedded links or file attachments.
  • Disable administrative tools and script interpreters, such as PowerShell, to prevent their misuse by malicious payloads.
  • It is very important to understand that although the domains and loaded filenames presented in this report are hardcoded, it varies between every sample that was inspected during the research and should not be considered as solid IOCs.
  • Use Group Policy to disable macros from running in Microsoft Office applications (legitimate macros should be digitally signed to allow for an exception to the disable rule).
  • Educate users on the common TTP used and reinforce the message that documents encouraging them to ‘Enable Editing’, ‘Enable Content’ or disable any other security setting are almost certainly malicious.
  • Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, as well as implement protocols and security controls such as DKIM, DMARC and SPF.
  • Continuous monitoring of unusual endpoint behaviors such as excessive requests to specific web hosts using unusual user-agent strings can provide an early indication of compromise.
  • Consider applying deep content inspection to ensure that any downloaded content filetype matches the actual file content in addition to blocking dangerous filetypes, such as executables, for standard users.
  • There are currently some open source tools other than the traditional AV vendors that are dedicated to identification if a specific host is infected [1].
  • WordPress infrastructure owners must have dedicated protections services and versions control on their assets, especially when it is targeted at the moment by Emotet’s operators.

Indicators of Compromise

File Samples (SHA256)

The following hashes are provided for reference, given the ongoing nature of these campaigns, it is likely that the threat actor will utilize methods to avoid detection such as packing and crypting resulting in differing cryptographic hashes.

  • Emotet Malicious Docs:
    • 60f35eecf7735e0f788a644dee0653c72ff7494fd32ec7e912d92b2d57872b53
    • 56acebf173b0342b6fbb16385ff7c32c84094977f3157e60f2a637d1ee1e8291
    • c7958466c48e189302f274a007bb939eec90b14e2ce6aeb704e3aa7667794406
    • 01fa1fe232a76e79f865497df52b5b5063e1db410fee387e24c61a34dec029e7
    • 3b8235b67c4b67ea782b49388c5166786fb9d7a5b5096150b1c10e53f1d01738
    • a559212086d1d1a3b2ad64977500f034fe20c6122b57386fbeeecae8dfcfc531
    • ea299622bc9c5ddeb18ab322d2c8987989ae28c990ec5def7dbc33276de79cd6
    • 5926c888e7d56b47915f6efc836638530e038c53ee7ba1879417401f3e319d73
    • d0bac8c6b91b4fce972b7812732038060c5aa998e25f767bec7329a1224573c0
  • Emotet DLLs
    • 1623250e3a24cf262c3b822f4e64e02a62886b08590f7dae0f6724df7f910b0e
    • 5e4e8d9eee583adce4f0952d570c498e26bd7975b3ec7231a817bc8b85acb872
    • c31e91399f7c4ffaebada7a1598853ad044146c41d8c2a6ca869705210d29d63
    • 38c132f516cf6fc5c591af5838b1f73e3127d1cf3bc13f845ac0383427fb1980
    • 5b5b074eb56fc13a20ee1a0956aa1f4c3280c336d248b91525c2bcaf98a6302e
  • Emotet Drop Zones URLs:
    • hxxp://promamun[.]com/wp-admin/hLqNkW2AqRJ8g9CrSR/
    • hxxp://anvokelimited[.]co.uk/wp-content/gcTfqrPfsyEI3lelT/
    • hxxp://www.crownpacificpartners[.]com/guglio/AJ9tcRankj/
    • hxxp://zbc[.]vn/wp-admin/wc5hVGxhfmdwEE3/
    • hxxp://sp.mongoso[.]com/wp-content/8XtV96V8p6fqyhJ/
    • hxxp://alittlebrave[.]com/wp-content/JgiTtyqRGicpzGAYD/
    • hxxp://pasionportufuturo[.]pe/wp-content/aXZhSh/
    • hxxp://www.fizik[.]tv.tr/ex/mlFHNKb9x/
    • hxxp://gamaes[.]shop/wp-content/plugins/sSTToaEwCG5VASw/
  • CNC IPs
    • 172.104.227.98
    • 45.63.5.129

References

[1] https://github.com/JPCERTCC/EmoCheck

 

Want to speak to our experts?
Contact us!

 

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start