On 06/25/2018, malicious emails were sent to healthcare and finance clients baring invoice subjects. The attachments followed the format, ‘INV-[0-9]{6}\.doc’ and were composite document files (CDF) as created by Microsoft’s Office Word. The IPv4 address, 202.162.229[.]26 (Mumbai, Maharashtra - India), was the source of all malicious emails identified during analysis, belonging to internet service provider (ISP), Netcore Solutions Pvt Ltd.

Threat Summary:

Emotet is a banking trojan, used to obtain financial information by harvesting sensitive data from victim PCs and in transmission before sending them to a remote command-and-control (C2) server. Emotet is a member of the Feodo trojan family, but has several variants of itself. Once installed, Emotet has been observed to have several different tactics, techniques and procedures (TTP) related to privilege escalation, evading reverse engineering or sandboxing, propagation and data exfiltration. Emotet is a common malware observed in weekly spam campaigns, as observed by GTIC researchers.

Analysis:

The attachment, as stated, was a Word document, containing 11 different macros as shown below. Unlike recent Emotet activity, no use of OLE objects and associated vulnerabilities were identified during the delivery and installation attack phases, rather slightly obfuscated strings and functions across several macros were used for one cause, to download a remote binary.

Inside each VBA macro contains obfuscated code which results in the following obfuscated PowerShell command being executed on the victim machine.

Once executed the PowerShell command downloads the first-stage binary from turbobuicks[.]net/yWAvMi as shown by the HTTP request in Figure 3. This file is then saved as ‘228.exe’ and executed as a child-process of powershell.exe. 

Downloaded Binary hashes

MD5: 48ACC088EE9352D93AD018EC1F7DC52E

SHA1: 97F02B7D58073A23EE064FFE71F2070617FDFF47

SHA256: 11195525AA46AEB761CE8F885EFD60B28EC0B5EED453BBDA53ABF4ED70EEF4B7

Shortly after, the first-stage binary spawns another process, ‘watchvsgd.exe’, which is the final Emotet Heodo payload where C2 communication to 12.182.146[.]226:80 and 70.182.77[.]184:8090 occur. The server 70.182.77[.]184 is as a well-known Feodo botnet C2 server indicating this as Emotet malspam specifically for the Heodo variant, in addition to the user-agent used when communicating with the C2 server, 12.182.146[.]226. 

During dynamic analysis, anti-debugging features for this Emotet sample included checks for kernel debuggers on the victim machine by leveraging the KernelDebuggerInformation function as well as enabling debug privileges. In addition, the samples analyzed contained several long sleep loops to hinder dynamic analysis. Persistence techniques used were only modifying the autorun value of the Run key in the registry to associate with the final executable ‘watchvsgd.exe’. This allows persistence by executing the program if the victim PC were to restart.

Threat Indicators

Below are indicators of compromise identified during analysis.

Hashes

c9254e205cf0c8c42bcdd3264b73f1500a15a7ee27e1534145af2f247f3c07e2 (Malicious Attachment)

d0dcf0c212407b0d5c5f091fc192b36a8dd65fc1ba2890502839c8440ee294d2 (Malicious Attachment)

5236712d896150ee28707729fbe508033812cec76e3eeb8482a7c5b7d156c98c (Malicious Attachment)

cfc8c6886ed300ce90ee773814fb279d691ab30eecf401587d168e1bfbd3d1f5 (Malicious Attachment)

78bd474e990901916584022ade9b5c5c8c2115aea1beaef14ddb94879fc111b5 (Malicious Attachment)

620052b4d56464e00d9e523e9450db4e0dfc3ee0eea9e856e701a4645b58f04f (Malicious Attachment)

f5e86722c4805df0eba25b8d85607fe0ea03422c9e60b5a4f6285b0027f03582 (Malicious Attachment)

MD5: 48ACC088EE9352D93AD018EC1F7DC52E (Emotet)

SHA1: 97F02B7D58073A23EE064FFE71F2070617FDFF47 (Emotet)

SHA256: 11195525AA46AEB761CE8F885EFD60B28EC0B5EED453BBDA53ABF4ED70EEF4B7 (Emotet)


IP Addresses

12.182.146[.]226 (C2)

70.182.77[.]184 (C2)

202.162.229[.]26 (Malspam Source)

 

Domains

turbobuicks[.]net (Emotet Host)


URLs

turbobuicks[.]net/yWAvMi (Emotet Download Location)