Seqrite Blog
25 July 2018

The evolution of a 4-year-old-threat Emotet: From an infamous Trojan to a complex threat distributer

Written by Aniruddha Dolas
Mail Protection, Malware, Phishing, Security
Estimated reading time: 6 minutes

The Emotet malware campaign has existed for a long time. It resurfaces at intervals with different techniques and variants to deliver malware to a victim. The attackers are skilled and use complex techniques to avoid detection. At the start of 2017, we saw the Emotet campaign spreading through PDF and JS files attached to emails. This time, it is spreading through MS Office Word documents with a heavily obfuscated macro inside.

Attack chain

Fig.1 Attack Chain

The spreading mechanism of this campaign is a phishing email. It uses subject lines such as ‘Invoice’, ‘Delivery details’, ‘Shipment details’ and ‘Payment details’ to trick the victim into opening the email. Such emails carry links to compromised or phishing sites that download a Word document. Another way is attaching the document directly to the email, or sometimes attaching a compressed file that contains the document.

Fig.2 Phishing Mail


Detailed analysis of the macro

The malicious Office document has an embedded macro; once the user clicks Enable Editing, the macro code is activated. We took one sample. It has two heavily obfuscated macros inside, “prMzoHTQ” and “zdXXRhCd”, and the code's Sub AutoOpen() function executes them.

Fig.3 Macro Workflow

The first macro, “zdXXRhCd”, has one function, FAUzvR(), which accepts a string as an argument. While deobfuscating it, we found that junk code had been inserted to complicate reversing, together with On Error Resume Next, which means that if the junk code raises an error it is simply ignored. Shell is used to execute the code, and next to Shell there is vbKeyP, which stands for the letter “P”. The values MIqCuXCZPMl, SOznt and four others are parameters passed to the function FAUzvR(), as shown in the figure; these are declared as functions in the second macro. The purpose of the second macro is to combine strings and return a value to the function FAUzvR() in the first macro. The function FAUzvR() creates a WScript.Shell object and executes the functions with vbKeyP in order to get the output below.
“PowersHeLL -e KABuAEUAVwAtAG8AYgBKAEUAYwBUACAAIABT……”

We get the final PowerShell command as shown in the figure below.

Fig.4 PowerShell command

Looking at the command, we found that PowerShell is invoked with a base64-encoded string. After decoding the base64 string, we get the output below.

Fig.5 After base64 decode.

This reveals a PowerShell script. Its content is a compressed base64 string together with PowerShell parameters. In the script, IO.StreamReader initializes a new instance of the StreamReader class for the specified stream, with the specified character encoding. IO.Compression.CompressionMode is set to Decompress. The DeflateStream object decompresses the bytes read from the MemoryStream. [SySTem.tExt.encodIng]::ASCII (the random casing is part of the obfuscation) sets the encoding to ASCII. REadtOEND(), i.e. ReadToEnd(), reads the entire stream and returns the ASCII string contained in it.

To deobfuscate the script we first decode the string with base64 and then decompress it, which gives the output in the figure below.

Fig.6 De-obfuscation Powershell stage2

We finally get a deobfuscated script. It has a list of malicious URLs. The script downloads the malware from these URLs, generates a random file name by picking a number between 1 and 994915, and saves it under the %temp% location with a .exe extension. The malware is then executed using Start-Process.

We have come across different obfuscation patterns, as shown in the figures below.

Fig.7 Obfuscated pattern1


Fig.8 Obfuscated pattern2


Fig.9 Obfuscated pattern3


Payload Analysis

The downloaded payload “{Random_number}.exe” is then executed from the %temp% location.

In this case, we found the payload named “iwamregutilman.exe”. It renames its instance and launches a copy of itself named “wsdquota.exe” from the “C:\Windows\system32” location.

This file again spawns a new instance of itself and begins its activity.

Fig.10 The execution flow

The downloaded payload has a pre-defined list of words; by combining two words from this list it creates the name of the second self-copy and executes it from the respective location. If the system is 32-bit, it executes the self-copy from the “C:\Windows\System32” folder; if it is 64-bit, the location is “C:\Windows\SysWOW64”.
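As an added detection example, not from the article or from Quick Heal, the three parent/child relationships described in the PowerShell and payload sections (Office process launching PowerShell with -e, PowerShell starting a numeric-named .exe from %temp%, and that .exe launching its copy from System32 or SysWOW64) checked against constructed process-creation events. The paths, user name and numeric file name are assumptions; the base64 prefix is the one quoted in the article.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "parent_image image command_line")

# Constructed sample process-creation events (not from the article), shaped like a
# Sysmon/EDR process-create record: parent image, child image, child command line.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowersHeLL -e KABuAEUAVwAtAG8AYgBKAEUAYwBUACAAIABT"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\bob\AppData\Local\Temp\48213.exe",
              r"C:\Users\bob\AppData\Local\Temp\48213.exe"),
    ProcEvent(r"C:\Users\bob\AppData\Local\Temp\48213.exe",
              r"C:\Windows\SysWOW64\wsdquota.exe",
              r"C:\Windows\SysWOW64\wsdquota.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\7-Zip\7zFM.exe", "7zFM.exe"),  # benign
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
ENCODED_SWITCH = re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s", re.IGNORECASE)  # -e / -enc / -EncodedCommand
TEMP_NUMERIC_EXE = re.compile(r"\\AppData\\Local\\Temp\\\d+\.exe$", re.IGNORECASE)
TEMP_ANY_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
SYSTEM_DIR_EXE = re.compile(r"^C:\\Windows\\(?:System32|SysWOW64)\\[a-z]+\.exe$", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def office_spawns_encoded_powershell(e: ProcEvent) -> bool:
    """Stage 1: the macro's Shell call runs PowerShell with an encoded command from an Office process."""
    return (basename(e.parent_image) in OFFICE_APPS and basename(e.image) == "powershell.exe"
            and ENCODED_SWITCH.search(e.command_line) is not None)

def powershell_drops_numeric_temp_exe(e: ProcEvent) -> bool:
    """Stage 2: Start-Process on %temp%\\<random number>.exe."""
    return basename(e.parent_image) == "powershell.exe" and TEMP_NUMERIC_EXE.search(e.image) is not None

def temp_exe_spawns_system_dir_copy(e: ProcEvent) -> bool:
    """Stage 3: the %temp% payload launches its two-word-named copy from System32 or SysWOW64."""
    return TEMP_ANY_EXE.search(e.parent_image) is not None and SYSTEM_DIR_EXE.search(e.image) is not None

RULES = [office_spawns_encoded_powershell, powershell_drops_numeric_temp_exe, temp_exe_spawns_system_dir_copy]

def classify(events):
    """Return (rule name, child image basename) for every event a rule matches."""
    return [(r.__name__, basename(e.image)) for e in events for r in RULES if r(e)]
```

Each rule alone will also fire on some legitimate administration activity; the value for this campaign is the chain, so correlate the three hits on one host within a short window before alerting.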

Fig.11 List of file names

The following is the list of names stored in this file.

Fig.12 Total list of names

By combining the first word “wsd” with the second word “quota”, it creates the file name “wsdquota.exe”.

The first instance of the dropped file contains a large block of encrypted data. This data is decrypted at runtime and two further PE files are written in memory, which the parent file can use for further processing.

After this, the parent process checks whether it was spawned by itself or not. If not, it creates a mutex, closes the parent process and runs as an individual process.

The spawned process lists all running processes and stores them in memory. After that, it starts enumerating each process.

Fig.13 Show each process list enumeration

Using the CreateToolhelp32Snapshot function, it takes a snapshot of each process together with the threads, heaps and modules used by these processes.

Fig.14 Use of CreateToolhelp32Snapshot function

After collecting the details of each running process, the malware starts encrypting the data and sends it to the malicious server in a POST request.

Fig.15 Post request

As none of the malicious servers were active, we could not observe the post-response activity of this malware.

Following is the list of malicious URLs present in the malware; it sends the POST request to each URL.

Fig.16 CnC request domain list

IOCs

  • 4154619d2075d3f6c9e73bf4cdccdb17 (DOC)
  • 6f86fa7d95fed4472ad03eb77cb6a9a4 (DOC)
  • 2dcf064d40ef8fda90193fb00d306020 (DOC)
  • 8249D414627D3DDE168318C92A63F74A (PE)
  • 7B6E1369FF14E16A4815AE1DB32F0794 (PE)

Detection Statistics

Quick Heal has successfully detected the spam email which is the initial vector of the Emotet campaign. This is a special type of detection provided by Quick Heal for detecting such kinds of campaigns.

Below are the statistics of email detections for the last one month.

Fig.17 Email detections

As Quick Heal is detecting the initial vector of the Emotet campaign, we have seen fewer hits from the second and third vectors of this campaign.

Fig.18 Doc and Executable detections


Detection Names

  • MIME.Emotet.Downloader.31464
  • MIME.Emotet.31831
  • MIME.Emotet.31617
  • MIME.Emotet.31618
  • W97M.Emotet.31645
  • W97M.Emotet.31769
  • X97M.Emotet.32092
  • Trojan.Emotet.Y4
  • Trojan.Emotet.X4

Conclusion

Emotet malware spreads via spam mail that uses social engineering tricks to phish the user easily.

Quick Heal provides multilayered protection against each layer of the Emotet campaign.

Security measures to follow

  • Don’t open any link in a mail body sent by an unknown source.
  • Don’t download attachments received from an untrusted source.
  • Always turn on the email protection of your antivirus software.
  • Don’t enable ‘macros’ or ‘editing mode’ when opening the document.


Subject Matter Experts:

Prashant Tilekar, Aniruddha Dolas, Preksha Saxena, Prakash Galande, Vallabh Chole | Quick Heal Security Labs

About Aniruddha Dolas

Aniruddha Dolas is part of the HIPS (Host-based Intrusion Prevention System) team in Quick Heal Security Labs. He has worked on various security vulnerabilities...


1 Comment


  1. Kenuma Vijay
    August 9, 2018 at 1:24 PM

    Very impressive cyber security content. The content seems to be pretty exhaustive and excellent and will definitely help in learning cyber security. I’m also a learner who has taken up cyber security and I think your content has cleared some concepts of mine.

© 2020 Quick Heal Technologies Ltd. (Formerly Known as Quick Heal Technologies Pvt. Ltd.) Cookie Policies Privacy Policies