Malspam pushing Emotet malware, (Wed, Jul 26th)

Introduction

On Tuesday 2017-07-25, we were contacted by a reader through our contact page. He sent us a Microsoft Word document, and he included the following message:

Received a typical phishing email pointing to the site: anduron.com/XXGX911533.

This link downloads a doc with an open document macro. Interestingly, the macro was not encrypted. Understanding the payload, however, is outside my skill set…

I examined the Word document and found it's a downloader for Emotet malware. We never obtained a copy of the associated email. Emotet is generally known as a banking Trojan, although it's also been described as a downloader with worm-like propagation.
Shown above: Chain of events for malspam pushing Emotet.

The Word document

The Word document is a typical macro-based downloader. You enable Word macros after opening the document, and the macro code attempts to download and run malware.
Shown above: The macro name is Document_Open.
Shown above: The highly obfuscated macro code is shown in Microsoft's Visual Basic editor.

Enabling macros caused the code to download a Windows executable (an Emotet binary) to the user's AppData\Local\Temp directory with a file name of 5 random digits and an .exe file extension. This file executed and promptly deleted itself from the AppData\Local\Temp directory. Before that, the malware copied itself to the user
Shown above: Emotet binary made persistent on an infected Windows host.
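A gateway-side triage check for the kind of document described above, written for this diary as an added example; it is not code from the original post or from any of the sandboxes mentioned. It decides whether a submitted file is a legacy OLE .doc or an OOXML .docm and whether it carries a VBA project at all, by searching for the directory-entry names a VBA project creates (stored as UTF-16LE, so they can be found without a compound-file parser) or for word/vbaProject.bin inside the zip. The sample documents are constructed in memory for the example; the OLE ones are only a valid magic header plus one entry name, not real compound files. This is a heuristic: it does not decompress the module streams, so it cannot tell you the macro is named Document_Open or show its code; olevba does that.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / .docm (OOXML zip)

# A VBA project in a legacy .doc lives under a "Macros" storage that holds a
# "_VBA_PROJECT" stream. Directory-entry names are stored as UTF-16LE, so the
# encoded names can be searched for without parsing the compound file.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]


def document_kind(data: bytes) -> str:
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """Heuristic: does this Word file carry a VBA project at all?"""
    kind = document_kind(data)
    if kind == "ole":
        return any(marker in data for marker in VBA_MARKERS)
    if kind == "ooxml":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return False
        return any(n.lower().endswith("vbaproject.bin") for n in names)
    return False


def triage(data: bytes) -> dict:
    """What a mail gateway wants to know before a user is allowed to open the file."""
    return {
        "kind": document_kind(data),
        "size": len(data),
        "has_vba": has_vba_project(data),
    }


# ---- constructed samples (not real malware, assumption for the example) ----
def build_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # a real vbaProject.bin is itself an OLE container; a bare header stands in
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


# Stand-ins for a legacy .doc: valid magic plus one directory-entry name. Not a
# valid compound file, only enough to exercise the marker search.
FAKE_DOC_WITH_MACRO = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le")
FAKE_DOC_CLEAN = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")

if __name__ == "__main__":
    samples = [
        ("docm with project", build_ooxml(True)),
        ("clean docx", build_ooxml(False)),
        ("doc with project", FAKE_DOC_WITH_MACRO),
        ("clean doc", FAKE_DOC_CLEAN),
    ]
    for label, sample in samples:
        print(f"{label:18} {triage(sample)}")
```

A file that comes back `has_vba: True` from an external sender is the one to detonate in a sandbox before delivery; a `False` from this check is not proof of safety, since the search only covers the two formats above and the OLE branch can be fooled by a document whose text happens to contain the marker string.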

Infection traffic

At this point, I didn't know what the malware was, so I reviewed the network traffic. The URL to download the malicious document was still active, so I retrieved the Word document from anduron.com and infected a Windows host. I wasn't familiar with the traffic, but I had monitored the infection with a Security Onion host running Suricata and the EmergingThreats Pro ruleset.
Shown above: Escalate the Emotet events, and you'll see all the destination IPs.

Indicators of Compromise (IOCs)

Payload Security's reverse.it sandbox analysis (same as hybrid-analysis.com) of the Word document shows 5 other URLs from the macro that download the same Emotet malware binary.
Shown above: Some additional URLs leading to the Word document.

The following are IOCs associated with malspam pushing Emotet malware on 2017-07-25:

Word document from links in the emails:

  • SHA256 hash: 6cad070bd1a37291b207895bbb51b975fa07b4ad2f05fb9a1ee15fb7441d600e
  • File size: 120,320 bytes
  • Links: VirusTotal, reverse.it, malwr.com

Emotet binary downloaded by the Word macro:

  • SHA256 hash: 48f3c89ea2f1e3190ae00f7ac7243ddb752364c076b40afc049424c6a0f75443
  • File size: 176,128 bytes
  • Links: VirusTotal, reverse.it, malwr.com

Links from the malspam to download the word document:

  • anduron.com – GET /XXGX911533/
  • approxim.com – GET /RHKA318298/
  • beckiyore.com – GET /ECPT315356/
  • bluedevils.be – GET /joomla/language/MZQO136516/
  • boscoandzoe.com – GET /ICHY890603/
  • bravasav.net – GET /ENOD612941/
  • cohenbenefits.com – GET /office/custom/SIPQ546465/
  • cpkapability.com – GET /UKSV614228/
  • danielmerchen.com – GET /TZEX247131/
  • denbar.com.au – GET /UOOP149434/
  • driften.org – GET /MCGF919307/
  • euphorianet.com – GET /YQCB092598/
  • event-weekend.ch – GET /ICOT371647/
  • falconbilgisayar.com – GET /RIOC718921/
  • flexlogic.nl – GET /QBUP530634
  • ftpgmbh.ch – GET /VYXG951483
  • getoutofthecube.com – GET /JZST874751/
  • goldencoyote.com – GET /ALLS580885/
  • hcsnet.com.br – GET /FDED220303/
  • hobbycoinexchange.com – GET /ssfm/ESIF185658/
  • homexxl.de – GET /images/articles/EYQD907375/
  • huiwei19.com – GET /YJPW400437/
  • intedyn.com – GET /PZFY613518/
  • interwatts.com – GET /jcgestio/report/XIND162748/
  • kovalantie.fi – GET /XOON622261/
  • lincolngroup.biz – GET /BCCC068652/
  • livablecity.org – GET /DFKR972152/
  • mariamartinezportfolio.com – GET /XLJF149270/
  • merz.com.ar – GET /POXE116744/
  • molodin.org – GET /YFUF766014
  • phvfd221.org – GET /CVQP360485/
  • procebe.com – GET /MPKL050560/
  • prodevinc.com – GET /RPJI648495/
  • rehaunion.de – GET /GDOG943694/
  • rekonaudio.com – GET /TGVY210050/

Macros from the Word document downloading the Emotet binary:

  • ais-fo.fr – GET /kukajweln/
  • blushphotoandfilm.com – GET /ckgawd/
  • bugbbq.com – GET /awhwgra/
  • dzynr.com – GET /ev/
  • netoip.com – GET /rwibpm/

HTTP post-infection traffic:

  • 74.208.17.10 port 8080 – 74.208.17.10:8080 – POST /
  • 158.69.199.223 port 8080 – 158.69.199.223:8080 – POST /
  • 178.62.175.211 port 443 – 178.62.175.211:443 – POST /

Post-infection attempted TCP connections, but no response (or RST) from the server:

  • 93.180.157.92 port 443
  • 164.132.50.32 port 8080
  • 173.212.192.45 port 8080
  • 178.79.132.214 port 443
  • 192.81.212.79 port 443
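To turn the lists above into something that runs, here is an added example in Python (not part of the diary) that matches proxy-log lines against the IOCs and against the two traffic shapes this infection shows: every document link ends in a directory of four upper-case letters and six digits, and the post-infection traffic is HTTP POST / straight to a bare IP on port 8080 or 443. The log format, the client addresses and the confidence levels are my own assumptions, the sample log is constructed, and the IOC sets are a subset of the lists above; extend them with the full lists before using this on real traffic.

```python
import ipaddress
import re
from dataclasses import dataclass

# IOCs copied from the lists above (subset; extend with the full lists).
DOC_URLS = {
    ("anduron.com", "/XXGX911533/"),
    ("bluedevils.be", "/joomla/language/MZQO136516/"),
    ("flexlogic.nl", "/QBUP530634"),
}
MACRO_URLS = {
    ("ais-fo.fr", "/kukajweln/"),
    ("blushphotoandfilm.com", "/ckgawd/"),
    ("bugbbq.com", "/awhwgra/"),
    ("dzynr.com", "/ev/"),
    ("netoip.com", "/rwibpm/"),
}
C2_ENDPOINTS = {
    ("74.208.17.10", 8080),
    ("158.69.199.223", 8080),
    ("178.62.175.211", 443),
}

# Every document link in the diary ends in four upper-case letters and six digits,
# optionally followed by "/", so unknown hosts serving that shape deserve a look.
DOC_PATH_RE = re.compile(r"/[A-Z]{4}\d{6}/?$")

# Constructed log format (assumption): timestamp client method host:port path status
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<path>\S+) (?P<status>\d+)$"
)

STAGE_DOC = "document download"
STAGE_MACRO = "macro payload download"
STAGE_C2 = "post-infection C2"


@dataclass
class Hit:
    src: str
    stage: str
    confidence: str
    request: str


def _is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify(method: str, host: str, port: int, path: str):
    """Map one request to an infection stage; exact IOCs win over patterns."""
    if method == "GET" and (host, path) in DOC_URLS:
        return STAGE_DOC, "high"
    if method == "GET" and (host, path) in MACRO_URLS:
        return STAGE_MACRO, "high"
    if method == "POST" and (host, port) in C2_ENDPOINTS:
        return STAGE_C2, "high"
    if method == "GET" and DOC_PATH_RE.search(path):
        return STAGE_DOC, "medium"
    # Generic shape of the C2 traffic seen here: POST / to an IP, no hostname.
    if method == "POST" and path == "/" and _is_bare_ip(host) and port in (8080, 443):
        return STAGE_C2, "low"
    return None


def scan(log_text: str) -> list:
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        result = classify(m["method"], m["host"], int(m["port"]), m["path"])
        if result:
            hits.append(Hit(m["src"], result[0], result[1],
                            f"{m['method']} {m['host']}:{m['port']}{m['path']}"))
    return hits


def infected_hosts(hits) -> list:
    """Clients that show the whole chain: document, macro payload, then C2."""
    stages = {}
    for h in hits:
        stages.setdefault(h.src, set()).add(h.stage)
    full_chain = {STAGE_DOC, STAGE_MACRO, STAGE_C2}
    return sorted(src for src, seen in stages.items() if full_chain <= seen)


# Constructed sample log: 10.0.0.12 runs the full chain, the others are partial or benign.
SAMPLE_LOG = """\
2017-07-25T14:02:11Z 10.0.0.12 GET anduron.com:80 /XXGX911533/ 200
2017-07-25T14:02:19Z 10.0.0.12 GET ais-fo.fr:80 /kukajweln/ 200
2017-07-25T14:02:33Z 10.0.0.12 POST 74.208.17.10:8080 / 200
2017-07-25T14:05:01Z 10.0.0.44 GET www.example.org:80 /index.html 200
2017-07-25T14:05:40Z 10.0.0.44 POST 203.0.113.7:8080 / 200
2017-07-25T14:06:02Z 10.0.0.51 GET cdn.example.net:443 /assets/ABCD123456/ 200
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.src:10} {hit.confidence:6} {hit.stage:24} {hit.request}")
    print("full chain:", infected_hosts(found))
```

The low-confidence rule is deliberately separate from the IOC match: the hard-coded C2 addresses rotate between Emotet builds, so a POST / to a bare IP on 8080 or 443 from a workstation that just fetched a macro document is the signal that survives the next binary, while the exact-match rules are what you would feed back into the Suricata host as custom signatures.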

Final words

As mentioned earlier, we didn't obtain a copy of the email with a link to the Word document. Last month, a similar report on Emotet was published on malwarebreakdown.com, but it was also without an example of the associated emails. If anyone has an example of these emails, feel free to share a copy through our contact page.

If your organization follows best security practices, your risk of infection is minimal. However, we continue to see reports on this type of malspam on a near-daily basis. That implies the criminals behind it are at least somewhat successful.

Pcap and malware samples for today's diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
