
Emotet Malware back in Action

Infamous malware variant with updated TTPs

During our routine Open-Source Intelligence (OSINT) Research, Cyble Research Labs encountered several email phishing campaigns related to Emotet malware. We observed that the campaign is similar to older ones, which used spam emails with malicious MS Excel files as the initial attack vector to infect targets.

Emotet malware was first observed in the year 2014. Initially, this malware was used as a banking trojan; later, the Threat Actors (TAs) behind Emotet modified it to deliver dangerous payloads. The impact of Emotet was worldwide. By 2020, researchers also concluded that this malware strain was prevalent across the globe. Emotet was taken down at the beginning of 2021 after the arrest of two individuals by international law enforcement in a combined effort by Europol and Eurojust.

In November 2021, researchers observed that Emotet was rebuilding its botnet with the help of the TrickBot malware. Since then, we have observed an increase in Emotet campaigns in recent months; refer to Figure 1.

Figure 1: Emotet stats in 1.5 years by jpCert

Before Emotet was taken down in January 2021, the malware was observed delivering dangerous malware families, including Trickbot, Ryuk ransomware, etc. After its rebirth last November, we observed that Emotet’s operations have been upgraded, and some new tricks have been added to its toolbox.

The recent upgrades include using elliptic curve cryptography instead of RSA cryptography, improving control flow flattening methods, boosting the initial infection by using malicious Windows app installer packages that pose as legitimate software, and more. We also noticed that the Emotet malware delivered and installed Cobalt Strike Beacons in recent campaigns. We have illustrated common attack phases in Figure 2.

Figure 2: Emotet Attack phases

Cyble has been constantly tracking this malware family and its campaigns since its reappearance last year. This article covers a detailed analysis of a recent Emotet campaign we observed in the first two months of 2022.

Initial Vector of Emotet

As discussed earlier, Emotet uses spam emails as the initial attack vector to infect users. Initially, the malicious DOC file was delivered as an attachment via spam. However, the Emotet actors have recently introduced new techniques for delivering malicious files. The new techniques include:

  • Provide the server link where the malicious Excel file or the Zip file can be downloaded.
  • Provide the Excel file in a zip archive file.
  • Provide the malicious Excel file in a password-protected zip file.

Observations of the actor’s recent campaigns have indicated the use of password-protected archive files. It is harder to detect malicious files stored inside a password-protected zip archive because the contents are encrypted. Figure 3 shows an example of a spam email with a password-protected zip that contains the Emotet Excel file.

Figure 3: Example of Spam Email with password-protected zip
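A mail-gateway style check for the delivery method described above, as an added example that is not part of the original report: standard zip encryption protects file contents but leaves the entry names in the central directory readable, so an encrypted Office file can be flagged without the password. The extension list, function names and sample archive are assumptions, and archives that also encrypt their directory need a different check.

```python
import io
import zipfile

OFFICE_EXT = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")  # assumed watch list
ENCRYPTED = 0x1  # general-purpose flag bit 0: entry is encrypted


def triage_zip(data: bytes) -> dict:
    """Report encrypted entries and Office files without needing the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED]
    office = [e.filename for e in entries
              if e.filename.lower().endswith(OFFICE_EXT)]
    return {
        "encrypted": encrypted,
        "office_files": office,
        # The content cannot be scanned, so the pairing itself drives the verdict.
        "quarantine": any(name in encrypted for name in office),
    }


def build_sample_zip(protected: bool = True) -> bytes:
    """Constructed archive; the encryption flag is set by hand to mimic a protected zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xlsm", b"placeholder, not a real workbook")
    raw = bytearray(buf.getvalue())
    if protected:
        local = raw.find(b"PK\x03\x04")    # local file header, flags at offset 6
        central = raw.find(b"PK\x01\x02")  # central directory header, flags at offset 8
        raw[local + 6] |= ENCRYPTED
        raw[central + 8] |= ENCRYPTED
    return bytes(raw)
```
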

Execution Behaviour

The Excel files display a message that tricks targets into opening the file on a Windows-based system and enabling a feature that allows the hidden malicious code to execute. The messages are shown in Figure 4.

Figure 4: Example of a malicious file with the message

Figure 5 shows another example of a malicious Excel file with a different message.

Figure 5: Another example of Emotet spreading malicious Excel

When the user enables the “Enable content” feature, Excel executes malicious code present in the Excel file.

It is a known technique used by the Emotet campaigns to hide the malicious code inside the hidden Excel sheets. The actors are also using another technique to hide the code using a white font on a white background sheet so that the code is essentially not visible when a user opens the sheet.

The execution of the macro code in different Excel files creates various infection chains. A few of the prevalent infection chains we observed are discussed in the following sections.

Infection Chain 1

In the last week of January 2022, we observed that the malicious Excel file executes code hosted on a remote server using mshta.exe. The code present on the server further executes PowerShell commands that download the Emotet payload from various compromised servers. The downloaded Emotet payload is then executed using Rundll32.exe, as shown below.

Figure 6: Phases in infection chain 1

Infection Chain 2

We observed a new infection chain of the Emotet campaign in the first week of February 2022 with minor modifications to the previous infection chain. The actor has added WScript to the infection chain. The hidden code in Excel drops both VBS and bat files. The VBS file then executes the bat file with PowerShell commands that download and execute the Emotet DLL from compromised machines. Refer to Figure 7.

Figure 7: Phases in infection chain 2

Infection Chain 3

On February 22, 2022, we identified a new infection chain in Emotet campaigns. The actors have used Regsvr32 instead of Rundll32, which executes the malicious DLL downloaded with the help of PowerShell commands. The infection chain is shown below.

Figure 8: Phases in Infection chain 3
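Infection chains 1 to 3 all end with a DLL loader (Rundll32 or Regsvr32) that descends from Excel through script hosts. The following added example, which is not code from the original report, rebuilds process ancestry from process-creation events and flags that pattern; the event tuples are constructed, and the function names and the exact order of the intermediate stages are assumptions.

```python
from ntpath import basename  # parses Windows paths on any OS

OFFICE_ROOT = "excel.exe"
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}  # final stage in the chains above

# Constructed process-creation events: (pid, parent pid, image path).
# The order of the intermediate stages is assumed, not taken from the figures.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    (210, 200, r"C:\Windows\System32\mshta.exe"),
    (220, 210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (230, 220, r"C:\Windows\System32\rundll32.exe"),
    (300, 100, r"C:\Windows\System32\regsvr32.exe"),  # benign: started from the shell
    (400, 200, r"C:\Windows\System32\wscript.exe"),
    (410, 400, r"C:\Windows\System32\cmd.exe"),
    (420, 410, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (430, 420, r"C:\Windows\System32\regsvr32.exe"),
]


def ancestry(pid, procs):
    """Return lower-cased image names from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # 'seen' stops loops caused by PID reuse
        seen.add(pid)
        ppid, image = procs[pid]
        chain.append(basename(image).lower())
        pid = ppid
    return chain[::-1]


def find_excel_loader_chains(events):
    """Return (pid, chain) for every DLL loader that descends from Excel."""
    procs = {pid: (ppid, image) for pid, ppid, image in events}
    alerts = []
    for pid, _ppid, image in events:
        if basename(image).lower() not in DLL_LOADERS:
            continue
        chain = ancestry(pid, procs)
        if OFFICE_ROOT in chain:
            start = chain.index(OFFICE_ROOT)
            alerts.append((pid, " > ".join(chain[start:])))
    return alerts
```

Keying on ancestry rather than the direct parent keeps the rule stable when the actors insert or swap an intermediate stage, as they did between the three chains.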

Latest Campaign from Emotet

While conducting this analysis, Cyble Research Labs came across Emotet’s new infection chain. The malicious Excel file was delivered using a spam email, as shown below.

Figure 9: Spam email used in the latest campaign

The Excel file looks similar to the previously mentioned ones. We identified several hidden sheets in the Excel files from our investigation, as shown below.

Figure 10: Hidden sheets in the Excel file

One of the hidden sheets contains code that downloads a DLL file. Refer to Figure 11.

Figure 11: The code present in one of the hidden sheets that download DLL
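A triage check for the hidden sheets described above, as an added example that is not part of the original report. It assumes the attachment is an OOXML workbook (.xlsx/.xlsm), where sheet visibility is recorded in xl/workbook.xml and Excel 4.0 macro sheets are stored under xl/macrosheets/; legacy .xls files need a BIFF parser instead. The function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def hidden_sheet_report(data: bytes) -> dict:
    """List non-visible sheets and macro sheet parts in an OOXML workbook."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
        # A missing 'state' attribute means the sheet is visible.
        hidden = [(s.get("name"), s.get("state"))
                  for s in root.findall("m:sheets/m:sheet", NS)
                  if s.get("state", "visible") != "visible"]
        macro_parts = sorted(n for n in zf.namelist()
                             if n.lower().startswith("xl/macrosheets/"))
    return {"hidden": hidden, "macro_parts": macro_parts}


def build_sample_workbook() -> bytes:
    """Constructed stand-in workbook holding only the parts this check reads."""
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        "<sheets>"
        '<sheet name="Sheet1" sheetId="1"/>'
        '<sheet name="Sheet2" sheetId="2" state="hidden"/>'
        '<sheet name="Macro1" sheetId="3" state="veryHidden"/>'
        "</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()
```

Sheets marked veryHidden cannot be unhidden from the Excel user interface, so a report that lists them alongside macro sheet parts is a strong reason to send the file for sandbox analysis.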

The code present in Excel creates a process tree, as shown in Figure 12.

Figure 12: Process created by the execution of malicious Excel file

As shown in Figure 8, the downloaded DLL is executed using regsvr32.exe.

We also observed that the Excel file behaves differently when executed with Administrator privilege – illustrated in Figure 13.

Figure 13: Illustrating the change in behavior with and without admin privilege

Conclusion

Emotet is a sophisticated and long-lasting malware that has impacted users globally. The malware was taken down in 2021, and now it’s back with more capabilities, as per the researchers of Cryptolaemus.

Threat Actors are constantly adapting their techniques in an attempt to stay one step ahead of cybersecurity entities – Emotet is one such example.

Cyble Research Labs is continuously monitoring the activity of Emotet and other malware and will keep our readers updated.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety measures needed to prevent attacks from similar threats and reduce the impact

  • Don’t keep important files at common locations such as the Desktop, My Documents, etc.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.

MITRE ATT&CK® Techniques

Tactic               | Technique ID | Technique Name
---------------------|--------------|---------------------------------------------------------------------
Initial Access       | T1566        | Phishing
Initial Access       | T1566.001    | Phishing: Spearphishing Attachment
Execution            | T1204        | User Execution
Execution            | T1059        | Command and Scripting Interpreter
Credential Access    | T1573        | Encrypted Channel
Credential Access    | T1571        | Non-Standard Port
Credential Access    | T1110.001    | Brute Force: Password Guessing
Discovery            | T1087        | Account Discovery
Collection           | T1560        | Archive Collected Data
Privilege Escalation | T1547.001    | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Indicators of Compromise (IOCs)  


About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com

