EMOTET Malware Campaign Overview
Recently a new malware campaign has been seen in the wild across the globe, in which an attacker is sending phishing emails with malicious links or an attachment of Office Document in the Email.
In case, if the Email contains a malicious link then it downloads the malicious office document when the person clicked on it.
In another scenario, Email contains an attachment of malicious office document.
In both the scenario, the malicious document contains an obfuscated malicious macro script that automatically downloads the EMOTET malware on the user’s machine.
Flow Chart:
Get peace of mind! Get rid of malicious programs instantly
Free Checkup & fix for your PC! Get rid of malicious programs instantly!
Technical Analysis of EMOTET Malware Campaign
File Name: INV654135635008082.doc
MD5: 9E88441722CDE0C95F613A96B8554705
File Type: DOC
Spread Via: E-mail
Detail Description EMOTET Malware Campaign with Screenshots
During execution of INV654135635008082.doc, it’s launch Microsoft Word application in Protected View Mode.
Figure 1 Enable Editing (Protected View Mode)
By default, Microsoft Office Application has turned on the Protected Mode Feature & Also Disabled the Macro’s for security purposes.
In case, if the user disabled the protection mechanism & enabled the macro’s feature then the warning message notification doesn't pop up. And it will harm your system.
So, it’s always recommended to never disable the protection mode.
As shown below, After Enable Editing, it shows another warning message (“Macros have been disabled”).
Figure 2 Enable Content Warning
In case, if the user clicks on the Enable Content button or doesn’t use Microsoft Default Protected View Mode, the Malicious macro will automatically download the payload into %temp% location with the help of Powershell.exe
%temp%\{Random-ID}.exe
As shown below, WINWORD.exe creates several processes
Figure 3 Process Tree
As shown below, INV654135635008082.doc contain obfuscated malicious macro which is not clearly visible and understandable by the normal user.
Below macro code has Sub Document_Open() function which means on opening the document, the malicious macro code will be get activated.
Figure 2 Obfuscated Macro Code
To understand the obfuscated code, a person needs to be expertise or having the skillset to deobfuscate this kind of obfuscated code.
By analyzing the above obfuscated macro code, we came to know that it's running the malicious obfuscated PowerShell script in the background.
Figure 3 Obfuscated PowerShell Script
As shown above, this PowerShell script contains another obfuscated code.
Deobfuscated PowerShell script:
Figure 4 Deobfuscated PS Script
Also See: Detailed Technical Analysis of Jigsaw Ransomware Attack
As shown above, PowerShell script attempts to connect 5 URL’s, whichever URL is active it downloads the payload into %temp%\{Random-ID}.exe
Thereupon, it automatically starts the downloaded payload process (Random-ID.exe) on the victim’s machine.
From the above 5 URL’s, only 2 URL’s are active yet rest of the URL’s are not working now. And all of them will downloads the same malware payload (EMOTET HASH: 17A8054EDBF3C8B5ABFD3A1EFB8A016B)
This malware then dropped another file at following location
C:\Users\admin\AppData\Local\Microsoft\Windows\fonduexinput.exe
fonduexinput.exe (MD5: BA963C5B203753F9BF04CFBBFFC1F5B4) tries to connect with their C&C Server 96.94.189.130
It also creates an autorun entry in the registry at following location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fonduexinput
Following are the MUTEXES created by the fonduexinput
M2A5B3DF7
PEMF48
Are you worried about your PC health?
Check your PC Health for Free!
IOC’s
Associated Hash
9E88441722CDE0C95F613A96B8554705
17A8054EDBF3C8B5ABFD3A1EFB8A016B
BA963C5B203753F9BF04CFBBFFC1F5B4
Associated URL
hxxp://www[.]storiesofsin[.]com/themes/sos/images/Yec23
hxxp://www[.]logopeda-slonecznik[.]pl/pv6j24/
hxxp://www[.]vanchuyencontainerlanh[.]com/78TGV/
hxxp://www[.]whattrick[.]com/MffufXs/
hxxp://www[.]muccimobilya[.]com/pwz0/
Associated IP
96.94.189.130
Associated MUTEXES
M2A5B3DF7
PEMF48
Associated Registry Entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fonduexinput
Tips to Prevent virus and malware from Infecting Your System:
- Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for Chrome, Mozilla, and IE
- Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
- Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
- Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
- Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good Malware Removal Tool like Download Virus RemovalTool
