Blog Viewer

Emotet Spambot activity surges!

By mhahad posted 10-17-2017 13:30

  

For several weeks, Cyphort Labs (now part of Juniper Networks Sky ATP) has been observing the renewed activity of the Emotet malspam campaign. As can be seen from the chart below, based on our telemetry, this variant of emotet started to show activity on the first week of August and picked up dramatically towards the end of September through early October.EmotetActivity.png

 

Emotet is primarily a trojan downloader which downloads additional modules that would perform the following malicious activity:

  • Steal Information (email accounts and browsers credentials).
  • Spread itself via Email Spam.
  • Participate in a DDOS attacks.
  • Steal bank credentials (only in prior versions).

 

Its recent uptick in activity may be attributed to its spam module and it could mean that it has added a significant number of infected hosts to its botnet to cause this spike in activity.

 

Infection Chain

 

Emotet has historically been distributed through Spam emails containing phishing links leading to malicious office documents which would then download the Emotet payload. We have also seen downloaders that arrive as PDF containing a malicious link that leads to a malicious macro (creadit to: @JAMESWT_MHT).

 

EmotetEmailDelivery.png

Emotet Spam Email.

 

EmotetPDF.png

 PDF with link to malicious Emotet trojan.

 

The malicious macro will execute a powershell command to download emotet.

 

EmotetPowershell.png

 

In our case, the emotet sample was downloaded from http://austxport[.]com[.]au/redbeandesign/zaW/  as a plain executable.

Installation

 

The downloaded emotet is saved and executed from the %temp% folder as {random_number}.exe.  It copies itself into the %system% folder as searchlog.exe. For persistence, it installs itself as a service named searchlog as seen below.

 

EmotetRegistry.png

 

Command and Control

Emotet contacts its CnC server, which in one particular case happens to be 147.135.209.118, via HTTP but uses port 443. Communication to its CnC is encrypted using a custom protocol. It will first send information about the infected system, such as username, OS version, etc.

 

As with the previous emotet versions, it responds with HTTP/1.1 404 Not Found. This is a clever way for the actors to hide the communicaton as many security devices like web gateways will not process 404 response pages. As you can see from the pcap below, it still sends encrypted data.

 

EmotetCnC.png

Emotet HTTP Request/Response showing the 404 response code.

 

At the time of our analysis, The CnC server was not returning any malicious samples anymore. 

IOCs

CnC IP: 147.135.209.118

 

SPAM Email Hashes:

11374ac48f532024805fa35a0ebc4311d53040113db05b5deae67089814b06d1

2a139ead90b2237ac7d0e449bbdc6bb6fd33beec70172468fb5f26fccad2766b

 

MSWord Attcachment Document:

027d2c86033e6b7cb8d12188cfc2c9ef854cf1e1950a17c174b809d80d44f42e

 

Emotet Payload:

378bf4086161f2b5273955557ad56a9bc9fb350bcf961533207419636875c7f8

 

This analysis is courtesy of Paul Kimayong.

Permalink