2017-07-26 update: After publishing this diary, we were contacted by several people who provided samples of the emails. Screenshots of these emails have been added after my signature block. Thanks to everyone who responded!
Introduction
On Tuesday 2017-07-25, we were contacted by a reader through our contact page. He sent us a Microsoft Word document, and he included the following message:
Received a typical phishing email pointing to the site: anduron.com/XXGX911533.
This links downloads a doc with an open document macro. Interestingly, the macro was not encrypted. Understanding the payload however is outside my skill set...
I examined the Word document and found its a downloader for Emotet malware. We never obtained a copy of the associated email. Emotet is generally known as a banking Trojan, although its also been described as a downloader with worm-like propagation. border-width:2px" />
Shown above: Chain of events for malspam pushing Emotet.
The Word document
The Word document is a typical macro-based downloader. You enable Word macros after opening the document, and the macro code attempts to download and run malware. border-width:2px" />
Shown above: border-width:2px" />
Shown above: border-width:2px" />
Shown above: The macro name is Document_Open. Click Edit border-width:2px" />
Shown above: The highly-obfuscated macro code is shown in Microsofts Visual Basic editor.
Enabling macros caused the code to download a Windows executable (an Emotet binary) to the users AppData\Local\Temp directory with a file name of 5 random digits and an .exe file extension. This file executed and promptly deleted itself from the AppData\Local\Temp directory. Before that, the malware copied itself to the user border-width:2px" />
Shown above: border-width:2px" />
Shown above: Emotet binary made persistent on an infected Windows host.
Infection traffic
At this point, I didnt know what the malware was, so I reviewed the network traffic. The URL to download the malicious document was still active, so I retrieved the Word document from anduron.com and infected a Windows host. I wasnt familiar with the traffic, but I had monitored the infection with a Security Onion host running Suricata and the EmergingThreats Pro ruleset. border-width:2px" />
Shown above: border-width:2px" />
Shown above: border-width:2px" />
Shown above: Escalate the Emotet events, and youll see all the destination IPs.
Indicators of Compromise (IOCs)
Payload Securitys reverse.it sandbox analysis (same as hybrid-analysis.com) of the Word document shows 5 other URLs from the macro that download the same Emotet malware binary. Payload Security border-width:2px" />
Shown above: border-width:2px" />
Shown above: Some additional URLs leading to the Word document.
The following are IOCs associated with malspam pushing Emotet malware on 2017-07-25:
Word document from links in the emails:
- SHA256 hash: 6cad070bd1a37291b207895bbb51b975fa07b4ad2f05fb9a1ee15fb7441d600e
- File size: 120,320 bytes
- Links: VirusTotal , reverse.it , malwr.com
Emotet binary downloaded by the Word macro:
- SHA256 hash: 48f3c89ea2f1e3190ae00f7ac7243ddb752364c076b40afc049424c6a0f75443
- File size: 176,128 bytes
- Links: VirusTotal , reverse.it , malwr.com
Links from the malspam to download the word document:
- anduron.com - GET /XXGX911533/
- approxim.com - GET /RHKA318298/
- beckiyore.com - GET /ECPT315356/
- bluedevils.be - GET /joomla/language/MZQO136516/
- boscoandzoe.com - GET /ICHY890603/
- bravasav.net - GET /ENOD612941/
- cohenbenefits.com - GET /office/custom/SIPQ546465/
- cpkapability.com - GET /UKSV614228/
- danielmerchen.com - GET /TZEX247131/
- denbar.com.au - GET /UOOP149434/
- driften.org - GET /MCGF919307/
- euphorianet.com - GET /YQCB092598/
- event-weekend.ch - GET /ICOT371647/
- falconbilgisayar.com - GET /RIOC718921/
- flexlogic.nl - GET /QBUP530634
- ftpgmbh.ch - GET /VYXG951483
- getoutofthecube.com - GET /JZST874751/
- goldencoyote.com - GET /ALLS580885/
- hcsnet.com.br - GET /FDED220303/
- hobbycoinexchange.com - GET /ssfm/ESIF185658/
- homexxl.de - GET /images/articles/EYQD907375/
- huiwei19.com - GET /YJPW400437/
- intedyn.com - GET /PZFY613518/
- interwatts.com - GET /jcgestio/report/XIND162748/
- kovalantie.fi - GET /XOON622261/
- lincolngroup.biz - GET /BCCC068652/
- livablecity.org - GET /DFKR972152/
- mariamartinezportfolio.com - GET /XLJF149270/
- merz.com.ar - GET /POXE116744/
- molodin.org - GET /YFUF766014
- phvfd221.org - GET /CVQP360485/
- procebe.com - GET /MPKL050560/
- prodevinc.com - GET /RPJI648495/
- rehaunion.de - GET /GDOG943694/
- rekonaudio.com - GET /TGVY210050/
Macros from the Word document downloading the Emotet binary:
- ais-fo.fr - GET /kukajweln/
- blushphotoandfilm.com - GET /ckgawd/
- bugbbq.com - GET /awhwgra/
- dzynr.com - GET /ev/
- netoip.com - GET /rwibpm/
HTTP post-infection traffic:
- 74.208.17.10 port 8080 - 74.208.17.10:8080 - POST /
- 158.69.199.223 port 8080 - 158.69.199.223:8080 - POST /
- 178.62.175.211 port 443 - 178.62.175.211:443 - POST /
Post-infection attempted TCP connections, but no response (or RST) from the server:
- 93.180.157.92 port 443
- 164.132.50.32 port 8080
- 173.212.192.45 port 8080
- 178.79.132.214 port 443
- 192.81.212.79 port 443
Final words
As mentioned earlier, we didnt obtain a copy of the email with a link to the Word document. Last month, a similar report on Emotet was published on malwarebreakdown.com, but it was also without an example of the associated emails. If anyone has an example of these emails, feel free to share a copy through our contact page.
If your organization follows best security practices, your risk of infection is minimal. However, we continue to see reports on this type of malspam on a near-daily basis. That implies the criminals behind it are at least somewhat successful.
Pcap and malware samples for todays diary can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
2017-07-26 update: Anther reader contacted us with additional info on yesterdays Emotet malspam. From the reader:
We saw this campaign as well yesterday. The senders were all random, but they seem to rely on the from field to lend increased credibility. There were two emotet campaigns with the one before this using other employee names that work in the same department as the recipient. This campaign used a very convincing bill from ATT, with the exception of the odd characters for ATT in the body everything else seemed pretty convincing.
Subjects:
ATT Bill Message
ATT Monthly Statement
ATT Customer
ATT Statement
ATT Automatic Billing Message
AT border-width:2px" />
Shown above: Screenshot from one of the emails pushing Emotet malware.
2017-07-26 additional update: Thanks to everyone who emailed contacted us with examples of malspam they found pushing Emotet. border-width:2px" />
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.