Recently, our research team came across media reports as well as a CSIRT alert warning users about a new wave of the Emotet malspam campaign spreading across Japan, Italy and worldwide.
Emotet is an extremely sophisticated and destructive Trojan used to download and install other malware. The first version of Emotet was spotted in the wild back in 2014; initially it was designed to steal banking credentials using only its native information-stealing toolset. Emotet has gained advanced capabilities over the course of its lifetime and has evolved into an entire malware distribution service.
In September 2020, we observed a large uptick in the Emotet malspam campaign, with attached malicious documents named Documentation du September 2020.doc, County Report – September.doc, FILE-092020.doc etc., or ZIP archives containing malicious documents. The diagram below depicts some of the Emotet samples we analyzed with open-source tools.

The spam email with the ZIP archive attached sometimes carries no message body beyond a fictitious name and the password required to open the attachment, as shown below.

We looked into one of the latest malspam documents, named “Documentation du September 2020.doc”. Upon opening the malicious Microsoft Office document, the victim is instructed to enable macros, as shown in the image below. Once macros are enabled, a PowerShell script executes in the background and makes successive connections to download the Emotet payload.

We observed the following DNS requests made to Emotet payload servers at the time of the investigation.
alameenmission.net
hottco.com
fuguluggage.com
movewithketty.com
Whichever attacker server is active at the time of the connection request distributes the Emotet payload to the victim’s machine. We noticed that the following URL serves the payload executable, as shown below:
“movewithketty.com/cgi-bin/m/”

The downloaded Emotet payload is stored as %AppData%\Local\[random name]\randomname.exe on the infected machine. The analyzed Emotet payload is a 32-bit Windows executable compiled with Microsoft Visual C++ and packed using a custom packer routine. At the time of analysis this particular Emotet payload had low AV detection, as shown below.
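As an added example (not code from the original post), the infection stages described above turned into host-level detection logic in Python: an Office application spawning PowerShell, DNS lookups and fetches to the payload domains and the cgi-bin/m/ URL path listed above, and an executable dropped under %AppData%\Local\[random name]. The telemetry records, host names and file names are constructed for the example; the domains and path come from the analysis above.

```python
import ntpath
import re
from urllib.parse import urlparse

# Indicators from the analysis above; in production, load these from a current feed.
PAYLOAD_DOMAINS = {"alameenmission.net", "hottco.com", "fuguluggage.com", "movewithketty.com"}
PAYLOAD_PATH = re.compile(r"^/cgi-bin/m/?$")
# Drop location from the analysis (%AppData%\Local\<random>\<random>.exe): folder and file share the name.
DROP_PATH = re.compile(r"\\AppData\\Local\\([^\\]+)\\\1\.exe$", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry (Sysmon-style fields, not real logs): ws7 is infected, ws9 is clean.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws7", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "dns", "host": "ws7", "query": "hottco.com."},
    {"type": "http", "host": "ws7", "url": "http://movewithketty.com/cgi-bin/m/"},
    {"type": "file", "host": "ws7", "path": r"C:\Users\alice\AppData\Local\Kdqzv\Kdqzv.exe"},
    {"type": "file", "host": "ws9", "path": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
]

def classify(event: dict):
    """Return the Emotet chain stage this event matches, or None."""
    kind = event["type"]
    if kind == "process":
        parent, child = (ntpath.basename(event[k]).lower() for k in ("parent", "image"))
        if parent in OFFICE_APPS and child == "powershell.exe":
            return "office_spawned_powershell"
    elif kind == "dns" and event["query"].lower().rstrip(".") in PAYLOAD_DOMAINS:
        return "dns_payload_domain"  # rstrip tolerates trailing-dot FQDNs
    elif kind == "http":
        url = urlparse(event["url"])
        if (url.hostname or "").lower() in PAYLOAD_DOMAINS or PAYLOAD_PATH.match(url.path):
            return "payload_url_fetch"
    elif kind == "file" and DROP_PATH.search(event["path"]):
        return "appdata_local_exe_drop"
    return None

def hosts_by_stage(events) -> dict:  # host -> set of chain stages observed on it
    seen = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            seen.setdefault(ev["host"], set()).add(stage)
    return seen

def likely_infected(events, min_stages: int = 2) -> list:
    """Hosts on which at least min_stages distinct stages of the chain were seen."""
    return sorted(h for h, s in hosts_by_stage(events).items() if len(s) >= min_stages)
```

Requiring two or more stages per host keeps a lone lookup of a since-cleaned domain, or an unrelated installer in AppData\Local, from raising an alert on its own.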
The diagram below depicts the post-infection C2 communication of the Emotet payload observed during our investigation.
Conclusion
Emotet is one of the most sophisticated and lucrative malware families actively seen over the past seven years. The primary delivery vector has been spammed e-mail attachments, which are responsible for downloading the payloads.
Protection from Emotet
- Keep systems up to date with the latest updates
- Consistently implement a sensible backup strategy
- Do not open e-mail attachments, or open them only if you can be sure that the sender, and not malware, sent the e-mail
List of IOCs:
About Cyble
Cyble is an Atlanta, US-based global premium cyber-security firm with tools and capabilities to provide near real-time cyber intelligence. The company is focused on de-hashing cyber threats upstream.
This monitoring and notification platform gives the average consumer insight into their personal cybersecurity issues, allowing them to take action as needed. It has recently earned accolades from Forbes as one of the top 20 cyber-security companies to watch in 2020.