During the past couple of days, we have seen an increase in activity from Emotet. This Trojan downloader spreads by emails that lure victims into downloading a Word document, which contains macros that after executing employ PowerShell to download a malicious payload.
We have observed Emotet downloading a variety of payloads, including ransomware, Dridex, Trickbot, Pinkslipbot, and other banking Trojans.
During a wave of attacks in early December we discovered a campaign spreading the ransomware family HydraCrypt. The sample we received had a compilation date of December 5.
The initial Word documents were downloaded from a number of URLs; some examples follow:
- hxxp://URL/DOC/Invoice/
- hxxp://URL/scan/New-invoice-[Number]/
- hxxp://URL /scan/New-invoice- Number]/
- hxxp://URL /LLC/New-invoice- Number]/
The document topics are crafted to entice users to open them because they appear to impact our finances or official documentation.
- Invoice
- Paypal
- Rechnung (with or without a number)
- Dokumente vom Notar
The documents have typical characteristics used by Emotet attackers. When a user opens the document, it claims the file is protected and asks the victim to enable the content, which launches the code hidden in the macros.
In analyzing the macros, we see heavily obfuscated code to make detection difficult and cover up the real purpose of the document:
The macro code uses a mix of command, wmic, and PowerShell to copy itself to disk, create a service, and contact its control server for a download URL.
Emotet collects information about the victim’s computer, for example running processes, and sends encrypted data to the control server using a POST request:
The specific user-agent strings used in these requests:
- Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727;
.NETCLR3.5.30729;.NETCLR3.0.30729;MediaCenterPC6.0;.NET4.0C;.NET4.0E) - Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727;
.NETCLR3.5.30729;.NETCLR3.0.30729;MediaCenterPC6.0;InfoPath.3) - Mozilla/5.0(WindowsNT6.1;WOW64;rv:39.0)Gecko/20100101Firefox/38.0•Mozilla/5.0
(compatible;MSIE8.0;WindowsNT5.1;SLCC1;.NETCLR1.1.4322)
The payload samples are downloaded to %Windir%\System32 using a random name, either in GUID format or a five-digit random name.
The control servers and URLs hosting the malicious documents are covered within McAfee Global Threat Intelligence, with which we provide coverage for the samples detected. The McAfee Advanced Threat Research team proactively monitors any new developments regarding Emotet.
Detection
The new variants of Emotet are detected by McAfee DAT files as Emotet-FEJ!<Partial Hash> since December 3. Real Protection technology within McAfee Endpoint Security Adaptive Threat Protection provides zero-day detection of these new variants as Real Protect-SS!<Partial Hash>.
The post Emotet Downloader Trojan Returns in Force appeared first on McAfee Blogs.