X-Labs
November 20, 2018

Thanks for Giving, Emotet!

Adrian OGara, Security Researcher
Ran Mosessco, Principal Security Researcher

Emotet – the banking Trojan turned malware delivery platform – has recently been observed altering its behaviour in some interesting ways. After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting. On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know, this is a departure from the standard financial themes regularly seen.

Many Email Greetings.

The Emotet crew have quite thoughtfully included some cheerful Thanksgiving words in the emails we have observed, which saw volumes exceeding 27,000 over the period between 07:30 EST and 17:00 EST.


Figure 1 - Sample email contents

Macros and Obfuscation.

This new Thanksgiving themed campaign broadly follows the usual pattern of an email containing a document with embedded macros leading to a PowerShell downloader for the Emotet payload.

However, the document in this case is not the usual .doc or .docx but an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately calling the Shell function with a WindowStyle of vbHide so that the spawned process shows no window. The syntax of the Shell function is

Shell( pathname, [ windowstyle ] )

where pathname can be a program or script.
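Because the attachment is an XML file carrying a .doc extension, the first check a mail gateway or sandbox can make is whether the content matches the extension at all. The following is an added example written for this post, not Forcepoint's code or tooling: it classifies an attachment by its leading bytes rather than its name, recognises a Word 2003 XML ("WordML") document by its mso-application processing instruction, and extracts any base64 part stored in a w:binData element, which is where that format keeps opaque binary data such as a VBA project. The sample document, the placeholder part, and the analyse() helper are constructed for the illustration; the element and instruction names follow the Word 2003 XML format.

```python
"""Constructed example: tell a real binary .doc apart from a Word 2003 XML
document that merely carries a .doc extension, and pull out any base64
blob (w:binData) that such a file embeds."""
import base64
import binascii
import re
from pathlib import Path

# Content signatures. The extension is attacker-controlled; the first bytes are not.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE/CFB)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm (zip container)
UTF8_BOM = b"\xef\xbb\xbf"

# Word 2003 XML ("WordML") files announce themselves with an mso-application
# processing instruction, which is why Windows opens them in Word whatever the
# extension says, and store opaque binary parts (a VBA project included) as
# base64 inside <w:binData w:name="...">.
MSO_WORD_PI = re.compile(rb'<\?mso-application\s+progid="Word\.Document"\?>')
BIN_DATA = re.compile(rb'<w:binData\b[^>]*\bw:name="([^"]*)"[^>]*>(.*?)</w:binData>', re.S)


def classify_container(data: bytes) -> str:
    """Return the container type implied by the file's content, not its name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    if body.lstrip().startswith(b"<?xml"):
        return "xml"
    return "unknown"


def analyse(file_name: str, data: bytes) -> dict:
    """Triage one attachment; returns the signals a gateway would log (hypothetical helper)."""
    kind = classify_container(data)
    ext = Path(file_name).suffix.lower()
    result = {
        "container": kind,
        # A .doc should be an OLE container; anything else is masquerading.
        "extension_mismatch": ext == ".doc" and kind != "ole",
        "wordml": False,
        "embedded_parts": [],  # (part name, decoded length in bytes)
    }
    if kind == "xml":
        result["wordml"] = MSO_WORD_PI.search(data) is not None
        for name, blob in BIN_DATA.findall(data):
            try:
                raw = base64.b64decode(b"".join(blob.split()), validate=True)
            except binascii.Error:
                raw = b""  # malformed base64: still record the part, length unknown
            result["embedded_parts"].append((name.decode("utf-8", "replace"), len(raw)))
    result["suspicious"] = (
        result["extension_mismatch"] and result["wordml"] and bool(result["embedded_parts"])
    )
    return result


# Constructed sample: a minimal WordML skeleton with a placeholder binary part.
# The base64 payload is just an ASCII marker, not a real VBA project.
_PLACEHOLDER_PART = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-MACRO")
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    b'  <w:binData w:name="editdata.mso">\n' + _PLACEHOLDER_PART + b'\n  </w:binData>\n'
    b'  <w:body><w:p><w:r><w:t>Happy Thanksgiving</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n'
)
SAMPLE_OLE_DOC = OLE_MAGIC + b"\x00" * 504  # header bytes only; constructed

if __name__ == "__main__":
    for name, blob in [("Greeting-Card-2018.doc", SAMPLE_XML_DOC), ("report.doc", SAMPLE_OLE_DOC)]:
        print(name, analyse(name, blob))
```

The decision deliberately needs all three signals (extension mismatch, WordML marker, embedded binary part) before calling a file suspicious, since legitimate WordML documents saved with an .xml extension are unremarkable; a real pipeline would hand the extracted part to a macro analyser rather than stop at its length.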

Figure 2 - Macro using Shapes

The resultant output is a heavily obfuscated command, shown below.

Figure 3 - Obfuscated DOS command

When deobfuscated, the above command reveals the standard PowerShell downloader we routinely observe with Emotet.

Figure 4 - PowerShell downloader
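Whatever the document format, the chain above (a Word macro calling Shell with vbHide, a hidden cmd.exe stage, and a PowerShell downloader) leaves a process-creation trail that endpoint telemetry can catch. The following is an added example written for this post, not the authors' code: it scores Sysmon-style process-creation events for an Office parent spawning an interpreter, a hidden window, an encoded command and download cmdlets, after undoing caret insertion, a common cmd.exe obfuscation that the page's Figure 3 may or may not use. The field names follow Sysmon's process-creation event; the sample events, the patterns and the triage() threshold are constructed assumptions.

```python
"""Constructed example: flag process-creation events where an Office
application spawns a command interpreter with a hidden window, the chain
this campaign uses (Word macro -> Shell(..., vbHide) -> cmd -> PowerShell)."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts any unambiguous prefix of a parameter name, so -w, -win
# and -WindowStyle all mean the same thing; likewise -e / -enc / -EncodedCommand.
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hid", re.I)
ENCODED_CMD = re.compile(r"-e[a-z]*\s+[A-Za-z0-9+/=]{16,}", re.I)
DOWNLOADER = re.compile(r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biwr\b", re.I)


def normalise(cmdline: str) -> str:
    """Undo cheap cmd.exe obfuscation: carets are escape characters that cmd
    strips, and stray double quotes split tokens without changing them."""
    return cmdline.replace("^", "").replace('"', "").lower()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> list:
    """Return the reasons an event looks like a macro-launched downloader (hypothetical helper)."""
    reasons = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = normalise(event["CommandLine"])
    if parent in OFFICE_APPS and child in INTERPRETERS:
        reasons.append("office-spawned-interpreter")
    if child == "cmd.exe" and "powershell" in cmd:
        reasons.append("powershell-via-cmd")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden-window")
    if ENCODED_CMD.search(cmd):
        reasons.append("encoded-command")
    if DOWNLOADER.search(cmd):
        reasons.append("download-cmdlet")
    return reasons


def triage(events: list) -> list:
    """Keep events with an Office parent, or at least two of the weaker signals."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if "office-spawned-interpreter" in reasons or len(reasons) >= 2:
            hits.append({"pid": ev["ProcessId"], "reasons": reasons})
    return hits


# Constructed Sysmon-style events (field names follow Sysmon Event ID 1; all values are made up).
SAMPLE_EVENTS = [
    {   # the chain described in the post: Word -> hidden cmd -> caret-obfuscated PowerShell
        "ProcessId": 4412,
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c p^o^w^e^r^s^h^e^l^l -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",
    },
    {   # an administrator running a script interactively: no signals
        "ProcessId": 5120,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # a scheduled task with a hidden window but nothing else unusual: one weak signal
        "ProcessId": 6004,
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\scripts\cleanup.ps1",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The Office-parent signal alone is enough to raise an alert because Word has no legitimate reason to start cmd.exe or PowerShell in most environments; the hidden-window and encoded-command signals are each common in benign automation, so they only count in combination.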

Conclusion

In the few weeks since Emotet returned it has undergone some interesting changes, most notably the new Thanksgiving theme and the macro obfuscation discussed above. Whilst not completely novel (the use of XML files to conceal macros was reported by Trustwave back in 2015), it does pose a challenge to defenders because of the sheer volume of emails sent: detection signatures need to be created rapidly to stem the onrushing tide.

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 3 (Delivery) – Malicious emails are identified and blocked.
  • Stage 4 (Exploitation) – Malicious attachments are identified and blocked.
  • Stage 5 (Dropper file) – Malicious payload URLs are identified and blocked.
  • Stage 6 (Call Home) – Traffic to C2 nodes is identified and blocked.

IOCs

Sample Subjects:

Thanksgiving eCard
The Thanksgiving Day eCard
Thanksgiving Day email greetings
Congratulations on Thanksgiving Day
Thanksgiving Day Greeting Card
Thanksgiving   greetings
Happy Thanksgiving Day Greeting Message
Happy Thanksgiving Day Message
Thanksgiving Greeting eCard
Happy Thanksgiving Day wishes
Thanksgiving Day Card
Happy Thanksgiving Message
Thanksgiving Day wishes
Thanksgiving wishes
Thanksgiving Greeting Card
The   Thanksgiving Day congratulation!
Thanksgiving email greetings
Thanksgiving Day congratulation
The Thanksgiving Day congratulation!
Independence Day Greeting message
<victim name> Thanksgiving Day Greeting Card
<victim name> Thanksgiving Day congratulation
<victim name> The   Thanksgiving Day congratulation!

Sample Hashes

d11b78494e303c2b5fb0425017f1ac7f96b8e6c0
d88eec6d588aae7081186ab55256660c82dd61be
ed68bf8de0bc1c6c0b184c948804d4cfaf7c6eea
fe786b7956b7fd129b2165a6dac52c1f775af3cd
e1975502f8080bd6d63483e0e4b62bff8399a817
64542c0ff4838b589fc3393676675ce4dc41ece8
85e7aec4ac3e5c9035ba2cc3a0e4999f956f42a9
575a829d6f21d31acb3b3b9c003a2a74cde682c6
009f49a35f4f445f82e19d908c4e2b983eac726a
1d209a0a0df092fb1b5a1225bd421156c1936df0
330df78ddd5c1c642e67a42bf58047f30d3b23bf
9a00a0e540a134e59f596fef2ce31c9e72d863dd
c15893443f1716343e6d157b380437c2f4295478

Sample Attachment Names

Greeting-Card-2018.doc
Greeting-Card-Thanksgiving-Day.doc
Thanksgiving-Greeting-Card.doc
Thanksgiving-Congratulation.doc
greeting-card.doc
Thanksgiving-Day-greeting-card.doc
Thanksgiving-wishes.doc
Thanksgiving-Day-eCard.doc
Thanksgiving-ecard.doc
Thanksgiving-Day-Card.doc
Thanksgiving-Card.doc
Thanksgiving-Day-wishes.doc

Sample Dropper Domains

hxxp://bemnyc[.]com/dFl8aeN
hxxp://tvaradze[.]com/8Z3cdkK
hxxp://mentoryourmind[.]org/orfhuwL
hxxp://bahiacreativa[.]com/Z24ooLp
hxxp://chang[.]be/BF0i0qax

C2

181.143.208.106:8090
186.64.69.115:443
186.1.6.67:443
65.87.40.115:80
221.120.97.51:8080
190.16.177.117:80
181.39.66.26:990
81.136.248.12:8080
181.170.212.29:80
98.144.133.221:80
210.2.86.72:8080
37.120.175.15:80
23.254.203.51:8080
190.189.16.174:8080
210.2.86.94:8080
216.14.176.17:80
165.227.213.173:8080
190.180.96.117:8080
49.212.135.76:443
100.34.98.47:80
213.123.212.188:8080
190.113.233.4:80
133.242.208.183:8080
198.199.185.25:443
139.59.242.76:8080
190.145.67.134:443
69.198.17.20:8080
5.9.128.163:8080
192.155.90.90:7080
173.242.103.80:80
67.79.6.38:8080
77.68.30.48:443
159.65.76.245:443
186.146.1.36:80

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.