Emotet Malware Emerges with New wings, Malspammer Knock Up

Recently, our research team came across media news as well as CSIRT alert to the users about a new wave of Emotet malspam campaign that spreads across Japan, Italy and worldwide. 

Emotet is an extremely sophisticated and destructive Trojan used to download and install other malware. The first version of Emotet malware was spotted in the wild back in 2014, initially, it was designed to steal banking credentials using only its native information stealing toolset.  Emotet has gained advanced capabilities over the course of its lifetime and evolved into an entire malware distribution service. 

In September 2020, we observed a large uptick in Emotet malspam campaign with the attached malicious document named Documentation du September 2020.doc, County Report – September.doc, FILE-092020.doc etc., or ZIP archive with malicious documents. The below diagram depicts some of the Emotet samples which are analyzed by opensource tools. 

The spam email with Zip archive attached sometimes does have message body, except with fictitious name and password which is required to open the document as shown below. 

We looked into one of the latest malspam document named “Documentation du September 2020.doc”. Upon opening the malicious Microsoft Office document, the victim is instructed to enable macro as shown in the image below. Afterwards, the PowerShell script that executes in the background makes consequent connections to download Emotet payload. 

We observed the following DNS requests made to Emotet payload servers at the time of the investigation. 

alameenmission.net 

hottco.com 

fuguluggage.com 

movewithketty.com 

The attacker server which is active at that time of connection request distributes Emotet payload to the victim’s machine. We have noticed that the following URL:

“movewithketty.com/cgi-bin/m/” serves payload executable file as shown below.

The downloaded Emotet payload is stored as %AppData%\Local\[random name]\randomname.exe on the infected machine. Analyzed Emotet payload is a 32-bit Microsoft Visual C++ compiled Windows executable file packed using custom packer routine. This particular Emotet payload has less AV detection at this point as shown below.  

The below diagram depicts the post-infection C2 communication of Emotet payload which is spotted during our investigation. 

Conclusion 

Emotet is one of the most sophisticated and lucrative malware that are actively seen in the past seven years. The delivery vector has been primarily spammed e-mail attachments that are responsible for downloading payloads.   

Protection from Emotet 

  • Keep systems up to date with updates 
  • consistently implement a sensible backup strategy 
  • Do not open attachments from e-mails or only open them if you can be sure that the sender and not malware sent the e-mail 

List of IOC’s:  

File Hashes:  

d2be18da0668bf18c2e36e72deae0907  

97fc98ee3a4240344e2fb3162d8e9207  

f190747d1f0197e36502bf47f4ab7b35  

34001e51d414bb2e43d5240e9e7b532a  

08cc04bbc76aa7af2178ab35aa479a05  

f1ea1131ad723a81dbf1bf00eea07504 

URL (currently Active): 

hxxp://movewithketty[.]com/cgi-bin/m/ 

hxxp://f1.dodve.com/wp-admin/EksL3KtiHZ/ 

hxxp://greensync.com.br/aspnet_clientOld/Xyicd 

hxxp://greensync.com.br/aspnet_clientOld/Xyicd/ 

hxxp://guarany.net/zefiro/2D2qJIZs/ 

hxxp://markantes.com/jason/BK9vrxXcA/ 

hxxp://marmolhi.com/_vti_bin/0nNKKlWZ4/ 

hxxp://movewithketty.com/cgi-bin/m/ 

hxxp://pulseti.com/isla/61D/ 

hxxp://www.closmaq.com.br/wp-admin/nc/ 

hxxps://comerciopuravida.com/wp-admin/qqUV32Q/ 

hxxps://hotelunique.com/teste/oxda9J0BvF/ 

hxxps://muabannodanluat.com/wp-admin/css/colors/kIxtL8/ 

hxxp://174[.]113[.]69[.]136/wyCkPUyeT/nrAc/I9DMge/Z7NHsW5VOhVy0w/GTgZ0YAxo4ReUIF/I4olnbNWC4/ 

hxxp://girlgeekdinners[.]com/wp-content/Hpz/ 

hxxp://marblingmagpie[.]com/COPYRIGHT/Ak/ 

hxxp://veccino56[.]com/gjpra/4ZR/ 

Domain’s:  

alameenmission[.]net  

hottco[.]com  

fuguluggage[.]com  

movewithketty[.]com 

veccino56[.]com 

girlgeekdinners[.]com 

marblingmagpie[.]com 

 IP’s :  

185.182.56[.]215 

190.191.171[.]72 

162.241.41[.]111 

45.230.228[.]26 

78.31.106[.]99 

205.144.171[.]34 

174.113.69[.]136 

About Cyble

Cyble is an Atlanta, US-based, global premium cyber-security firm with tools and capabilities to provide near real-time cyber intelligence. The company is focused on de-hashing cyber threats at upstream.  

This monitoring and notification platform gives the average consumer insights into their personal cybersecurity issues, allowing them to take action then as needed. It has recently earned accolades from Forbes as being the top 20 cyber-security companies to watch in 2020. 

Leave a Comment

Your email address will not be published.

%d bloggers like this: