Emotet – the banking Trojan turned malware delivery platform – has recently been observed altering its behaviour in some interesting ways. After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting. On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know this is a departure from the standard financial themes regularly seen.
Many Email Greetings.
The Emotet crew have quite thoughtfully included some cheerful Thanksgiving words in the email’s we have observed, which saw volumes exceeding 27,000 covering a period between 07.30 EST and 17:00 EST.
Macros and Obfuscation.
This new Thanksgiving themed campaign broadly follows the usual pattern of an email containing a document with embedded macros leading to a PowerShell downloader for the Emotet payload.
However, the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide. The syntax for the shell function is
Shell( pathname, [ windowstyle ] )
where pathname can be a program or script.
The resultant output is a heavily obfuscated command, shown below.
When deobfucscated, the above command reveals the standard PowerShell downloader we routinely observe with Emotet.
In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation discussed previously. Whilst not completely novel (use of XML files to conceal macros was reported by Trustwave back in 2015) it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide.
Forcepoint customers are protected against this threat at the following stages of attack:
- Stage 3 (Delivery) – Malicious emails are identified and blocked.
- Stage 4 (Exploitation) – Malicious attachments are identified and blocked
- Stage 5 (Dropper file) – Malicious payload URLs are identified and blocked
- Stage 6 (Call Home) – Traffic to C2 nodes is identified and blocked
Thanksgiving eCard The Thanksgiving Day eCard Thanksgiving Day email greetings Congratulations on Thanksgiving Day Thanksgiving Day Greeting Card Thanksgiving greetings Happy Thanksgiving Day Greeting Message Happy Thanksgiving Day Message Thanksgiving Greeting eCard Happy Thanksgiving Day wishes Thanksgiving Day Card Happy Thanksgiving Message Thanksgiving Day wishes Thanksgiving wishes Thanksgiving Greeting Card The Thanksgiving Day congratulation! Thanksgiving email greetings Thanksgiving Day congratulation The Thanksgiving Day congratulation! Independence Day Greeting message <victim name> Thanksgiving Day Greeting Card <victim name> Thanksgiving Day congratulation <victim name> The Thanksgiving Day congratulation!
d11b78494e303c2b5fb0425017f1ac7f96b8e6c0 d88eec6d588aae7081186ab55256660c82dd61be ed68bf8de0bc1c6c0b184c948804d4cfaf7c6eea fe786b7956b7fd129b2165a6dac52c1f775af3cd e1975502f8080bd6d63483e0e4b62bff8399a817 64542c0ff4838b589fc3393676675ce4dc41ece8 85e7aec4ac3e5c9035ba2cc3a0e4999f956f42a9 575a829d6f21d31acb3b3b9c003a2a74cde682c6 009f49a35f4f445f82e19d908c4e2b983eac726a 1d209a0a0df092fb1b5a1225bd421156c1936df0 330df78ddd5c1c642e67a42bf58047f30d3b23bf 9a00a0e540a134e59f596fef2ce31c9e72d863dd c15893443f1716343e6d157b380437c2f4295478
Sample Attachment Names
Greeting-Card-2018.doc Greeting-Card-Thanksgiving-Day.doc Thanksgiving-Greeting-Card.doc Thanksgiving-Congratulation.doc greeting-card.doc Thanksgiving-Day-greeting-card.doc Thanksgiving-wishes.doc Thanksgiving-Day-eCard.doc Thanksgiving-ecard.doc Thanksgiving-Day-Card.doc Thanksgiving-Card.doc Thanksgiving-Day-wishes.doc
Sample Dropper Domains
hxxp://bemnyc[.]com/dFl8aeN hxxp://tvaradze[.]com/8Z3cdkK hxxp://mentoryourmind[.]org/orfhuwL hxxp://bahiacreativa[.]com/Z24ooLp hxxp://chang[.]be/BF0i0qax
184.108.40.206:8090 220.127.116.11:443 18.104.22.168:443 22.214.171.124:80 126.96.36.199:8080 188.8.131.52:80 184.108.40.206:990 220.127.116.11:8080 18.104.22.168:80 22.214.171.124:80 126.96.36.199:8080 188.8.131.52:80 184.108.40.206:8080 220.127.116.11:8080 18.104.22.168:8080 22.214.171.124:80 126.96.36.199:8080 188.8.131.52:8080 184.108.40.206:443 220.127.116.11:80 18.104.22.168:8080 22.214.171.124:80 126.96.36.199:8080 188.8.131.52:443 184.108.40.206:8080 220.127.116.11:443 18.104.22.168:8080 22.214.171.124:8080 126.96.36.199:7080 188.8.131.52:80 184.108.40.206:8080 220.127.116.11:443 18.104.22.168:443 22.214.171.124:80