Emotet is a sophisticated and destructive Trojan whose main role today is to download and install other malware. The first Emotet samples were spotted in the wild in 2014; at that time it was a banking Trojan that stole credentials using only its own information-stealing modules. Over its lifetime Emotet has gained further capabilities and evolved into a full malware distribution service for other criminal groups.
In September 2020, we observed a large uptick in Emotet malspam campaigns. The emails carry either a malicious Word document, with names such as Documentation du September 2020.doc, County Report – September.doc or FILE-092020.doc, or a ZIP archive containing such a document. The diagram below depicts some of the Emotet samples we analyzed with open-source tools.
Emails that carry a ZIP archive sometimes have no real message body at all: the body consists only of a fictitious name and the password required to open the archive, as shown below.
We looked at one of the latest malspam documents, named “Documentation du September 2020.doc”. When the victim opens the document, it instructs them to enable macros, as shown in the image below. Once macros are enabled, the embedded macro launches a PowerShell script in the background, which then makes successive connection attempts to download the Emotet payload.
We observed the following DNS requests to Emotet payload servers at the time of the investigation.
Whichever attacker server is reachable at the time of the request serves the Emotet payload to the victim’s machine. During our analysis, the following URL served the payload executable, as shown below:
“movewithketty.com/cgi-bin/m/”
The downloaded Emotet payload is stored under the user’s AppData\Local directory (%LOCALAPPDATA%) as [random name]\[random name].exe on the infected machine. The analyzed payload is a 32-bit Windows executable compiled with Microsoft Visual C++ and packed with a custom packer routine. At the time of analysis, this particular payload had low antivirus detection, as shown below.
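The infection chain described above (Word document with macros, PowerShell spawned by the Office process, DNS lookup of the payload domain, executable dropped under AppData\Local) can be hunted for in endpoint telemetry. The following is an added example written for this article, not code from Cyble’s investigation: it runs three detection rules over constructed Sysmon-style events (process creation, DNS query, file create) and classifies proxy URLs against the one payload URL quoted on this page. The host names, user names, command line and the directory name Yrkzqa are constructed for illustration; the only indicator taken from the page is movewithketty.com/cgi-bin/m/.

```python
"""Hunt for the Emotet malspam infection chain in Sysmon-style events.

Rules (one per observed stage of the chain):
  1. Office application spawning PowerShell (macro executing the downloader).
  2. DNS query for a known Emotet payload domain.
  3. PowerShell creating an .exe under %LOCALAPPDATA%\<dir>\<name>.exe.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicator taken from the write-up above (the only payload URL it quotes).
EMOTET_PAYLOAD_DOMAINS = {"movewithketty.com"}
EMOTET_PAYLOAD_PATH = "/cgi-bin/m/"

OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# Drop location described in the text: %LOCALAPPDATA%\<random>\<random>.exe
DROP_PATH_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\(?P<dir>[^\\]+)\\(?P<name>[^\\]+)\.exe$",
    re.IGNORECASE,
)
# Legitimate per-user installers also write under AppData\Local; skip common dirs.
BENIGN_LOCAL_DIRS = {"temp", "microsoft", "programs", "google", "packages"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample events (not telemetry from the original investigation).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"WINWORD.EXE" "C:\\Users\\alice\\Downloads\\Documentation du September 2020.doc"'},
    {"host": "ws01", "event_id": 1, "image": PS, "parent_image": WINWORD,
     "command_line": "powershell -NoP -W Hidden -Enc <constructed, base64 omitted>"},
    {"host": "ws01", "event_id": 22, "image": PS, "query": "movewithketty.com"},
    {"host": "ws01", "event_id": 11, "image": PS,
     "target_filename": r"C:\Users\alice\AppData\Local\Yrkzqa\yrkzqa.exe"},
    # Benign activity on a second host: admin script and an installer in Temp.
    {"host": "ws02", "event_id": 1, "image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell -File C:\\scripts\\inventory.ps1"},
    {"host": "ws02", "event_id": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "target_filename": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return {host: [finding, ...]} for events matching any of the three rules."""
    findings = defaultdict(list)
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 1:  # process creation
            if basename(ev["parent_image"]) in OFFICE_IMAGES and basename(ev["image"]) in SCRIPT_HOSTS:
                findings[host].append(f"office-spawned-powershell: {ev['command_line']}")
        elif eid == 22:  # DNS query
            query = ev["query"].lower().rstrip(".")
            if query in EMOTET_PAYLOAD_DOMAINS:
                findings[host].append(f"dns-to-payload-domain: {query} by {basename(ev['image'])}")
        elif eid == 11:  # file create
            m = DROP_PATH_RE.match(ev["target_filename"])
            if (m and m.group("dir").lower() not in BENIGN_LOCAL_DIRS
                    and basename(ev["image"]) in SCRIPT_HOSTS):
                findings[host].append(f"powershell-dropped-exe: {ev['target_filename']}")
    return dict(findings)


def classify_url(url):
    """'high' for a known payload domain, 'low' for only the /cgi-bin/m/ path, else None.

    A path-only hit is a lead to triage, not a verdict: /cgi-bin/m/ is short
    enough to occur on unrelated sites.
    """
    if "://" not in url:  # the page quotes the URL without a scheme
        url = "http://" + url
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() in EMOTET_PAYLOAD_DOMAINS:
        return "high"
    if parsed.path == EMOTET_PAYLOAD_PATH:
        return "low"
    return None


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"{host}: {hit}")
```

Run against the constructed events, only ws01 produces findings: the Office-to-PowerShell parent/child relationship, the DNS lookup of the payload domain, and the executable written by PowerShell into a fresh AppData\Local subdirectory. The second host's PowerShell (spawned by cmd.exe) and its installer writing to Temp are not flagged. Any one of the three rules alone is a weak signal; together on a single host they reproduce the chain described above closely enough to justify isolating the machine.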
The diagram below depicts the post-infection C2 communication of the Emotet payload observed during our investigation.
Emotet is one of the most sophisticated and lucrative malware families actively seen over the past seven years. Its delivery vector has primarily been spam e-mail attachments, which are responsible for downloading the payload.
Protection from Emotet
- Keep operating systems and applications up to date with security updates.
- Consistently implement a sensible backup strategy.
- Do not open e-mail attachments unless you can be sure that the sender, and not malware on the sender’s machine, sent the e-mail.
List of IOCs:
URL (active at the time of analysis):
Cyble is an Atlanta, US-based global cyber-security firm with tools and capabilities to provide near real-time cyber intelligence. The company is focused on addressing cyber threats upstream.