Infamous malware variant with updated TTPs
During our routine Open-Source Intelligence (OSINT) Research, Cyble Research Labs encountered several email phishing campaigns related to Emotet malware. We observed that the campaign is similar to older ones, which used spam emails with malicious MS Excel files as the initial attack vector to infect targets.
Emotet malware was first observed in the year 2014. Initially, this malware was
used as a banking trojan; later, the Threat Actors (TAs) behind Emotet modified it to deliver dangerous payloads. The impact of Emotet was worldwide. By
2020, researchers also concluded that this malware strain was prevalent across the globe. Emotet was taken down at the beginning of 2021 after the arrest of two individuals by international law enforcement in a combined effort by Europol and Eurojust.
In November 2021, researchers observed that Emotet is rebuilding its botnet with the help of the TrickBot malware. Since then, we have observed an increase in the Emotet campaigns in recent months; refer to Figure 1.
Before Emotet was taken down in January 2021, the malware was observed delivering dangerous malware families, including Trickbot, Ryuk ransomware, etc. After its rebirth last November, we observed that Emotet’s operations have been upgraded, and some new tricks have been added to its toolbox.
The recent upgrades include using Elliptic curve cryptography instead of RSA cryptography, improving control flow flatting methods, boosting the initial infection by using malicious Windows app installer packages that pose as legitimate software, and more. We also noticed that the Emotet malware delivered and installed Cobalt Strike Beacons in recent campaigns. We have illustrated common attack phases in Figure 2.
Cyble has constantly been tracking this malware family and their campaigns after their reappearance last year. This article covers a detailed analysis of a recent Emotet campaign we observed in the first two months of 2022.
Initial Vector of Emotet
As discussed earlier, the Emotet uses spam emails as the initial attack vector to infect users. Initially, the malicious DOC file was delivered as an attachment via spam. However, the Emotet actors have recently introduced new techniques for delivering malicious files. The new techniques include:
- Provide the server link where the malicious Excel file or the Zip file can be downloaded.
- Provide the Excel file in a zip archive file.
- Provide the malicious Excel file in a password-protected zip file.
Observations into the actor’s recent campaigns have indicated the use of password-protected archive files. It is harder to detect malicious files stored inside a password-protected zip archive as it is encrypted. Figure 3 shows the example of a spam email with password-protected zip which contains the Emotet Excel file.
Execution Behaviour
The Excel files display a message that tricks the targets to open the file in a Windows-based system and enable a feature that allows the hidden malicious code to execute. The messages are shown in Figure 4.
Figure 5 shows another example of a malicious Excel file with a different message.
When the user enables the “Enable content” feature, Excel executes malicious code present in the Excel file.
It is a known technique used by the Emotet campaigns to hide the malicious code inside the hidden Excel sheets. The actors are also using another technique to hide the code using a white font on a white background sheet so that the code is essentially not visible when a user opens the sheet.
The execution of the macro codes in different Excel files creates various infection chains. The few prevalent infection chains we observed are discussed in the following section.
Infection Chain 1
In the last week of January 2022, we have observed that the malicious Excel file executes a code hosted in a remote server using mshta.exe. The code present in the server further executes PowerShell commands that download the Emotet payload from various servers that are compromised. Later the downloaded Emotet payload will be executed using Rundll32.exe, as shown below.
Infection Chain 2
We observed a new infection chain of the Emotet campaign in the first week of February 2022 with minor modifications to the previous infection chain. The actor has used WScript to the infection chain. The hidden code in Excel drops both VBS and bat files. The VBS file then executes the bat file with PowerShell commands that download and execute the Emotet DLL from compromised machines. Refer Figure 7.
Infection Chain 3
On February 22, 2022, we identified a new infection chain in Emotet campaigns. The actors have used Regsvr32 instead of Rundll32, which executes the malicious DLL downloaded with the help of PowerShell commands. The infection chain is shown below.
Latest Campaign from Emotet
While conducting this analysis, Cyble Research labs came across Emotet’s new infection chain. The malicious Excel was delivered using the spam email as shown below.
The Excel file looks similar to the previously mentioned ones. We identified several hidden sheets in the Excel files from our investigation, as shown below.
One of the hidden sheets contains code that downloads a DLL file. Refer to Figure 11.
The code present in Excel creates a process tree, as shown in Figure 12.
As shown in Figure 8, the downloaded DLL is executed using regsvr.exe.
We also observed that the Excel file behaves differently when executed with Administrator privilege – illustrated in Figure 13.
Conclusion
Emotet is a sophisticated and long-lasting malware that has impacted users globally. The malware was taken down in 2021. And now it’s back with more capabilities, as per the researchers of Cryptolaemus.
Threat Actors are constantly adapting their techniques in an attempt to stay one step of cybersecurity entities – Emotet is one such example.
Cyble Research Labs is continuously monitoring the activity of Emotet and other malware and will keep our readers updated.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety measures needed to prevent attacks from similar threats and reduce the impact
- Don’t keep important files at common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- ​Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- ​Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- ​Refrain from opening untrusted links and email attachments without verifying their authenticity.
- ​Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 T1566.001 | – Phishing – Phishing: Spearphishing Attachment |
| Execution | T1204 T1059 | – User Execution – Command and Scripting Interpreter |
| Credential Access | T1573 T1571 T1110.001 | – Encrypted Channel – Non-Standard Port – Brute Force: Password Guessing |
| Discovery | T1087 | – Account Discovery |
| Collection | T1560 | – Archive Collected Data |
| Privilege Escalation | T1547.001 | – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 33efc0598f354c1488107b1b79d2e05b dd0391ba9fea4a5fe9ad9669791f6f6271734d10 2a44fd4c42fa33c3213d9c7867888fca985dcf1964fda2d2132be59ac8d8d7cf | MD5 SHA1 SHA256 | Hash of Emotet DLL (latest) |
| edea9a57fcb42e9831f3a0ca9993bddd c4523d237b7658feef0d98f3bdf37bf97e66c52a 6b4af4453203d531c1b71b17699939aee7c487e39d218b40405e114ec7330232 | MD5 SHA1 SHA256 | Hash of Emotet DLL (latest-similar) |
| e79a6a6e3bc66fe0e9dac7daaecd39e4 5ae34185c4018c6d7a1cfadcd5057c87e39333ca bf36c637f1fbba1f5b2fbbb435f41fb73a06d104539c5c6d5d66e140cf5c7bf9 | MD5 SHA1 SHA256 | Hash of the malicious Excel(infection chain3) |
| 579c2f6d46596faf4a2d492a954cac29 bb53f0e3cd96c5769893e04696769c0910cbd958 c4531347c02ad48f5d1f2471aad72edcbeeda910dd5a0c75e0e9fc4c9d42dc92 | MD5 SHA1 SHA256 | Hash of Emotet DLL |
| hxxps://themillionairesweb[.]com/wp-admin/MD/ | URL | URL to download DLL (from Latest campaigns) |
| hxxps://akhrailway[.]com/cgi-bin/b5c9CX4IK2GgN6C/ | URL | URL to download DLL (from Latest campaigns) |
| hxxps://cmbavocat[.]fr/wp-admin/uKCcU1bqvbSvE/ | URL | URL to download DLL (from Latest campaigns) |
| hxxp://idvlab.com.br/wp-admin/FIWBL/ | URL | URL to download DLL (from Latest campaigns) |
| hxxps://institutionsevigne[.]org/wp-includes/pvDqUHqjYEqoQ6R/ | URL | URL to download DLL (from Latest campaigns) |
| hxxps://ajmotorsshop[.]com/grad-ooze/O/ | URL | URL to download DLL (from Latest campaigns) |
| hxxps://msubrahm[.]com/wp-admin/5SjBp9WHfGbtgY/ | URL | URL to download DLL (from Latest campaigns) |
| hxxp://moveconnects[.]com/item-immo/5NAtMXXCkzQ5NrX3z/9moeTie4vHJ/ | URL | URL to download DLL (from Latest campaigns) |
| hxxp://beta2.emeritus[.]org/wp-content.previous/WS0O/ | URL | URL to download DLL (from Latest campaigns) |
| hxxps://karmapedia[.]com/wp-includes/edvf/ | URL | URL to download DLL (from Latest campaigns) |
| 1e7fea5ef6b8ee5667ff55c919b30536 1dd2832e80401cc6c761b4a1c9e35d2b6db49f41 2ba6a096ec0ef4360becac3472489be4b0ae111a8d5f5ebccc0465254a6a7752 | MD5 SHA1 SHA256 | Malicious Excel File(infection chain1) |
| hxxp://0xb907d607/cc[.]html | URL | URL, which downloads PowerShell commands |
| a07ac600ef866a923be6d821375355d3 c925b02db6955bee56bd85028b873943372c7320 c684e1bd1afb8bc7a7c79b4f5bffa24df2ca78de551627c8c4290df7fc06d11f | MD5 SHA1 SHA256 | DLL from the compromised server |
| 1e7fea5ef6b8ee5667ff55c919b30536 1dd2832e80401cc6c761b4a1c9e35d2b6db49f41 2ba6a096ec0ef4360becac3472489be4b0ae111a8d5f5ebccc0465254a6a7752 | MD5 SHA1 SHA256 | Malicious Excel File that downloads Cobalt Strike Beacon |
| e14e1f70b5017b24e974ced57d431f6b e38bcf31e93dfa0a2d75fbea1384a73b12461530 50433febc90d43b5ceebe9c7d558dc07b9b7ff0291b41a72a5acab256f3ed43f | URL | Emotet Payload Download URL |
| d70ce1610610563de47a834f86acaa20 9a5ee04f6911307d0dd9f38dfd363c68d0cd727d 7f5a08014c527b3b7cf2b12214fa701ee62b2a107dc2ef511f125e7f813a588d | MD5 SHA1 SHA256 | Hash of the Excel file |
| ac581207ef80437a961f2ada3a47d763 62964395bbc5fbee65dac62e0233ce8377674b2c b6262f4aa06d0bf045d95e3fcbc142f1d1d98f053da5714e3570482f0cf93b65 | MD5 SHA1 SHA256 | Cobalt Strike Beacon Hash |
| foxofeli[.]com | URL | Cobalt Strike C&C |
| diyabip[.]com | URL | Cobalt Strike 2nd C&C |
| 423a0a24796cac9bbb5e0363c34d4bdc d7af30d0c96d9c91d948315b5dcefd8c78a34df4 00a033f48fae407c3ca552b6ceddc01d2d0515ea86a84486c1bfed9519fa5d85 | MD5 SHA1 SHA256 | Malicious Excel File infection chain2 |
| 3b1981c56995aa93dfac052238402b1a 36676ee9ff2096b8c9d6179ea3db2d1a93c6cb04 fca2b52421d1f71dd2e058f604346b853f621c5625e5a42006583bf8115797f1 | MD5 SHA1 SHA256 | Payload file |
| hxxp//remedy.eventmasti[.]com/vendor/Y2XclYoCdDzSSua/ | URL | URL of second stage payload |
| 72a1a718eb55872fffebdacee60b4200 15fb5c1e7c23d8071173befaf6ee6e423ab185a0 7ead1e26db3d44fb78584d894a97114375d5980fa7228f5d44db43e8d609b916 | MD5 SHA1 SHA256 | Hash of DLL file downloaded from above URL |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.
Comments are closed.