As with most cyber-attacks, phishing emails are the first point of contact, which can deliver malicious software and compromise both the host and company network regardless of where they land.

Among the most active malware that leverages the naivety of end-users to get delivered, there is Emotet. Emotet is a sophisticated and destructive malware that is primarily spread through phishing emails. Once installed on a victim's computer, Emotet can steal sensitive information, such as usernames and passwords, and can also download and install additional malicious software. Emotet is particularly dangerous because it can propagate itself through a victim's network, allowing it to infect multiple computers and cause widespread damage. In addition, Emotet is known for its ability to evade detection by traditional antivirus software, making it a formidable threat to organizations and individuals alike.

The Advantio SOC team recently discovered an Emotet downloader attached to a suspicious e-mail with an archive (ZIP) attachment.

In this article, we summarize the steps taken by our experts to analyze the artifacts and the steps that every company should take to mitigate these types of attacks.

The Mail

Emotet is known to deliver itself through an e-mail that often contains a password-protected ZIP file as an attachment, a simple phrase such as “please see attached file” in the body, and the required password to open the ZIP archive.

In this case, the Advantio team couldn’t immediately recognize the e-mail as being part of the widely known Emotet campaign because the modus operandi was slightly different: the e-mail analyzed did, indeed, contain:

1.    a zipped file

2.    a suspicious subject: a “Tr:” with no further info after the colon

3.    a very basic “Yes, thank you” in the body.

The attachment, though, was not password-protected and, thus, there was no suspicious clear-text password in the body of the e-mail.

Nonetheless, it did look suspicious: the recipient wasn’t expecting anything of the sort.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-1-1

Figure 1 - E-mail

The Attachment:

Once the Advantio SOC team confirmed that the e-mail was not expected and, thus, had to be deemed malicious, the Advantio Malware Analysis Team was engaged to safely analyze the attachment.

The archive was unzipped in a protected malware analysis environment and the team was immediately warned by the huge size (more than 530 MB) of the .doc file it contained. A binary check of the file disclosed a fatty “NULL”-section at the end of the file.

This is a tactic many attackers use to avoid the sandbox analysis that most EDRs include in their protection plan: most sandboxes can’t analyze files that are bigger than 500 MB.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-2

Figure 2 - Word Document Style

The big size of a Microsoft Office file can also be an indicator of the presence of - potentially malicious – “macros”. Macros are code-based automation tools that can be included in any Microsoft Office file. Many attackers can use macros to deliver their malicious code to the machine of the unfortunate victim.

Through a quick static analysis, the team was able to confirm their hypothesis: the .doc included an embedded code (OLE2) component and a call to Visual Studio DLLs.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-3

Figure 3 - OLE2 Evidence

Moreover, the document included more than 10 potentially malicious macros.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-4

Figure 4 - OleTool Results

When opening the document with Microsoft Word, the user gets prompted to “Enable Content”.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-5

Figure 5 - Word Document Opening

To perform a deeper, dynamic analysis of the file, the Advantio team enabled code execution. They immediately noticed a new explorer window being opened, indicating that the system was downloading a DLL file.

At this point in the analysis, the team could be sure: the attachment was, indeed, a malware downloader.

The Malware: 

The Advantio Malware Analysis Team carried through with the analysis of malware behavior and collected numerous IOCs (listed at the end of the article).

With no need for any further action from the user, the downloader wrote a DLL on the system and assured its persistence on the victim’s host by modifying the “Autostart” MS Office registry key.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-6

Figure 6 - Autostart RegKey

The malicious DLL was downloaded from the following URL:

http://ly[.]bi3x[.]org/magazini/pWKy5V5/?224421&c=1

In this stage, though, the downloader tried to contact several different domains until the malicious DLL has been downloaded.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-7

Figure 7 - Domains sweeping

Right after this phase, the second stage of the malware runs a “regsvr32” instance, which begins contacting a Command-and-Control server (91.121.146.47).

The C2 instructs the malware on board of the machine to collect system and network information and send them to the C2 server. The malware has been observed writing all the useful info in two temporary files.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-8

Figure 8 - Tmp File Created

In a short period of time, our now infected system has been observed contacting 5 different C2 servers, presumably sharing the same system and network information that it collected before. Even after killing the process, the system continued establishing the connections to these servers.

It then started connecting with more than 30 different IP addresses on 7080 and 8080 TCP ports. Click here to download a detailed screenshot.

All 5 C2 servers are known in the cybersecurity community to be associated with an Emotet variant. This is when Advantio Malware Analysis Team could associate the malware just analyzed with the well-known Emotet malware family.

The Response: 

The most effective response to this kind of attack is not to open the attachment: as this analysis has made evident, the sole action the malware requested from the user to be (un)safely delivered was to open the file and enable the embedded code execution. After the user enabled its execution, the malware operated entirely in the background, undetected by the user.

For complete protection of your company's endpoints, it’s recommended to deploy an EDR (Endpoint Detection and Response) solution on each device.

Advantio SOC Team tested one EDR Solution (Bitdefender) on this malware, and it successfully detected and blocked the threat. As shown in the image below, the EDR disinfected the Word document as soon as the user tried to access it, blocking the malware before the initial download.

Advantio_Malware-Analysis-New-Emotet-Variant_Figure-10

Figure 9 - Bitdefender graph

This is a perfect example of why it's crucial for individuals and organizations to prioritize security awareness. By investing in security awareness training, you can learn how to identify and respond to potential security threats. This will enable you to protect your personal and sensitive information and contribute to a safer and more secure digital environment. Whether you're an individual looking to safeguard your personal data or an organization looking to protect your assets and reputation, security awareness is a critical component of your overall security strategy.

Take control of your security posture today by prioritizing security awareness.

Malware Analysis: New Emotet Variant

I would like to mention and thank Silvia Guma (SOC Analyst L2 at Advantio) for her contribution to this analysis as this would not have been possible without her. 


 

MITRE ATT&CK

Account Discovery

T1087

Archive Collected Data

T1560.002 Archive via Library

Boot or Logon Autostart Execution

T1547.001 Registry Run Keys / Startup Folder

Command and Scripting Interpreter

T1059.003 Windows Command Shell

Credentials from Password Stores

T1555

File and Directory Discovery

T1083

Input Capture

T1056.001 Keylogging

Native API

T1106

Network Share Discovery

T1135

OS Credential Dumping

T1003

Process Discovery

T1057

Remote System Discovery

T1018

Subvert Trust Controls

T1553.002 Code Signing

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Owner/User Discovery

T1033

User Execution

T1204.002 Malicious File

Windows Management Instrumentation

T1047

 

IOCs

All collected IOCs are listed below:

IP ADDRESSES

1.234.2.232

101.50.0.91

103.132.242.26

104.168.155.143

107.170.39.149

110.232.117.186

115.68.227.76

119.59.103.152

147.139.166.154

149.56.131.28

153.126.146.25

153.92.5.27

159.65.88.10

160.16.142.56

163.44.196.120

164.68.99.3

167.172.199.165

167.172.253.162

169.57.156.166

172.105.226.75

173.212.193.249

183.111.227.137

185.4.135.165

197.242.150.244

202.129.205.3

206.189.28.199

45.235.8.30

66.228.32.31

72.15.201.15

79.137.35.198

82.223.21.224

91.121.146.47

91.207.28.33

95.217.221.146

DOMAINS

Ly[.]bi3x[.]org

moiki[.]online

ns1[.]koleso[.]tc

radiomarket[.]shop

besthome[.]kz

diagnostic[.]net

TCP PORTS

8080

7080

HASHES

65D2FEA34B5EAD55F85670E48C686DE4421954C4FD235F5247D60F43D205114E

 

Column Header Text Column Header Text Column Header Text

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Performing a review of the media inventories at least annually

Performing a review of the media inventories at least annually

Performing a review of the media inventories at least annually

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Discover More

Advantio_Blog_DNS_Diagram_V1 Image caption goes here. This is HTML text.

Mario Capone

Written by

My experience in information technology spans over 20 years. For the past six years, I have worked as a Security Analyst, Malware Analyst, and Digital Forensics Analyst. In addition to my background in IT systems administration, I am also a network engineer. I love Cyber Security because it reminds me that I never know enough.

Schedule a call with an expert