The evolution of a 4-year-old threat, Emotet: From an infamous Trojan to a complex threat distributor

Credit to Author: Aniruddha Dolas | Date: Wed, 25 Jul 2018 13:40:33 +0000

The Emotet malware campaign has existed for a long time. It returns at intervals with different techniques and variants to deliver malware to a victim. Attackers are smart and use complex techniques to avoid detection. At the start of 2017, we saw the Emotet campaign spreading through PDF and JS files attached to emails. This time, it is spreading through MS Office Word documents carrying a heavily obfuscated macro.

Attack chain

Fig.1 Attack Chain

The spreading mechanism of this campaign is a phishing email. It uses subject lines like ‘Invoice’, ‘Delivery details’, ‘Shipment details’, ‘Payment details’ and so on to trick the victim into opening the email. Such emails link to compromised or phishing sites that download a Word document. Another way is to attach the document directly to the email, or sometimes a compressed file containing the document.

Fig.2 Phishing Mail

Detailed analysis of the macro

The malicious Office document has an embedded macro; when the user clicks Enable Editing, the macro code is activated. We took one sample. It has two heavily obfuscated macros inside, “prMzoHTQ” and “zdXXRhCd”, and a Sub AutoOpen() function that executes them.

Fig.3 Macro Workflow

The first macro, “zdXXRhCd”, has one function, FAUzvR(), which accepts a string as an argument. During deobfuscation we found that junk code had been inserted to complicate reversing; On Error Resume Next means that if the junk code raises an error it is simply ignored. Shell is used to execute the code, and next to the Shell call there is vbKeyP, which means the letter “P”. The values MIqCuXCZPMl, SOznt and four others are parameters passed to function FAUzvR(), as shown in the figure; these are declared as functions in the second macro. The purpose of the second macro is to combine strings and return values to the function FAUzvR() in the first macro.

The function FAUzvR() creates a WScript.Shell object and executes the functions together with vbKeyP to obtain the output below:

“PowersHeLL -e KABuAEUAVwAtAG8AYgBKAEUAYwBUACAAIABT……”

We get the final PowerShell command as shown in the figure below.

Fig.4 PowerShell command

Looking at the command, we found PowerShell invoked with a base64-encoded string. After decoding the base64 string, we get the output below.

Fig.5 After base64 decode

It is a PowerShell script whose contents are a compressed base64 string together with PowerShell parameters. The script uses IO.StreamReader, which initializes a new instance of the StreamReader class for the specified file with the specified character encoding. IO.Compression.CompressionMode is set to Decompress. The DeflateStream object streams decompressed bytes from the MemoryStream. [SySTem.tExt.encodIng]::ASCII sets ASCII encoding. ReadToEnd() reads the entire stream and returns the ASCII string contained in it. To deobfuscate the script we first decode the string with base64, then decompress it, which gives the output in the figure below.

Fig.6 De-obfuscation Powershell stage2

We finally get a deobfuscated script. It has a list of malicious URLs. The script downloads malware from the URLs, generates a random file name by picking a number between 1 and 994915, and stores the file at the %temp% location with a .exe extension. The malware is then executed using Start-Process. We have come across different obfuscation patterns, as shown in the figures below.

Fig.7 Obfuscated pattern1

Fig.8 Obfuscated pattern2

Fig.9 Obfuscated pattern3

Payload Analysis

The downloaded payload “{Random_number}.exe” is then executed from the %temp% location. In this case, we found the payload name to be “iwamregutilman.exe”. It renames its instance and launches a copy of itself named “wsdquota.exe” from the “C:\Windows\system32” location. This file again spawns a new instance of itself, which carries out its activity.

Fig.10 The execution flow

The downloaded payload has a pre-defined list of words; by combining two words from this list it creates the name of the second self-copy, which it executes from the respective location. If the system is 32-bit, it executes its self-copy from the “C:\Windows\System32” folder; if it is 64-bit, the location is “C:\Windows\SysWOW64”.

Fig.11 List of file names

The following is the list of names stored in this file.

Fig.12 Total list of names

By combining the first word “wsd” and the second word “quota” it creates the file name “wsdquota.exe”. The first…
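To illustrate the two decoding layers described in the macro analysis above (the UTF-16LE base64 behind the -e switch, then the base64 + DeflateStream wrapper around the stage-2 downloader), here is an added Python helper; it is not code from the post or from Quick Heal. The sample command it works on is constructed inside the script from a placeholder stage-2 line, so the URL, function names and the exact stage-1 wording are assumptions, not values taken from the write-up.

```python
import base64
import re
import zlib

# Constructed stand-in for the stage-2 downloader described in the post.
# The URL is a placeholder, not an indicator from the write-up.
STAGE2 = ("$u='http://example.invalid/payload'.Split(',');"
          "$f=$env:temp+'\\'+(Get-Random -Minimum 1 -Maximum 994915)+'.exe';")


def build_encoded_command(stage2: str) -> str:
    """Layer a script the way the post's sample is layered, to make test input:
    stage 2 -> raw DEFLATE -> base64 -> embedded in a stage-1 decompressor
    -> UTF-16LE -> base64 (the form PowerShell's -e switch expects)."""
    comp = zlib.compressobj(wbits=-15)          # raw DEFLATE, no zlib header
    packed = comp.compress(stage2.encode("ascii")) + comp.flush()
    b64 = base64.b64encode(packed).decode("ascii")
    stage1 = ("(New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream("
              f"[IO.MemoryStream][Convert]::FromBase64String('{b64}'),"
              "[IO.Compression.CompressionMode]::Decompress),"
              "[System.Text.Encoding]::ASCII)).ReadToEnd() | IEX")
    return "PowersHeLL -e " + base64.b64encode(stage1.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Layer 1: recover the script behind -e / -enc / -EncodedCommand (UTF-16LE base64)."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no encoded command found")
    return base64.b64decode(m.group(1)).decode("utf-16le")


def inflate_embedded_base64(stage1: str) -> str:
    """Layer 2: pull the FromBase64String blob and undo DeflateStream/ASCII ReadToEnd."""
    m = re.search(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", stage1, re.IGNORECASE)
    if not m:
        raise ValueError("no FromBase64String blob found")
    return zlib.decompress(base64.b64decode(m.group(1)), wbits=-15).decode("ascii")


def deobfuscate(cmdline: str) -> str:
    """Run both layers and return the plain stage-2 script."""
    return inflate_embedded_base64(decode_encoded_command(cmdline))


if __name__ == "__main__":
    print(deobfuscate(build_encoded_command(STAGE2)))
```

The same two functions apply to a command line captured from process-creation logging; only the regex for the -e argument needs to match how the logging source quotes the command.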