Threat Spotlight: Emotet Infostealer Malware

On November 9, 2017, our Threat Guidance team received a request to analyze a malicious document intended to infect a targeted system with the Emotet infostealer malware, a variant of the Feodo Trojan family.

Emotet first emerged in 2014 as a Trojan designed to steal banking credentials and other sensitive information, and is most often propagated by way of phishing emails containing a tainted document or URL.

As the holiday season is upon us, extra care should be taken when interacting with emails that contain attachments purporting to be invoices or other business communications, or links to similar documents; attackers favor these lures in the hope that distracted targets will let their guard down.

The sample analyzed in this report is a Microsoft Word document containing a malicious macro developed to download the Emotet malware. Once installed, Emotet searches the targeted system for sensitive information and exfiltrates it to the command and control (C2) servers under the attackers’ control.

The attacker can then sell the harvested information, or log into the accounts themselves to steal more. Emotet can also spread itself to other systems by stealing an address book from one computer on the network.

File Information

SHA256: 7bdf7722115be910e2b301b3f6b3037bc4b987c588838cd2459aeeeec9f50be7

Type: Microsoft Word 97-2003 Document

Size: 171KB

Timestamp: (no data)

ITW names:

Informationen # 1608076179.doc
Invoice #291804458731.doc
Invoice #6889534827.doc
Invoice #1927656.doc
Invoice #11504604167.doc
Invoice #02358185534.doc
Invoice #72539978.doc

Threat Overview

Stage 1

As mentioned above, the first stage of this attack arrives as a malicious Microsoft Word file containing a macro; the macro only runs if the target manually enables it (Figure 1):

Figure 1

The script can use different obfuscation techniques, but in the end the base code is the same, as we can see in the (Read more...)
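As an added defender-side example (not code from the Cylance post), the following Python triage function flags Word 97-2003 attachments that carry a VBA project before anyone gets the chance to click Enable Content. The blocklist holds the report's SHA256, the lure-name pattern follows the ITW names above, and the sample byte strings are constructed stand-ins for the real documents, not the malware itself.

```python
import hashlib
import re

# SHA256 of the malicious .doc analysed in the report (File Information section).
KNOWN_BAD_SHA256 = {
    "7bdf7722115be910e2b301b3f6b3037bc4b987c588838cd2459aeeeec9f50be7",
}

# Compound File Binary (OLE2) signature every Word 97-2003 .doc starts with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names a VBA project leaves in the compound-file directory.
# Directory entry names are stored as UTF-16LE, so the patterns are encoded that way.
# Longest names first so "_VBA_PROJECT" is reported rather than its "VBA" substring.
VBA_MARKERS = ["_VBA_PROJECT", "ThisDocument", "Macros", "VBA"]
MARKER_RE = re.compile(b"|".join(re.escape(m.encode("utf-16-le")) for m in VBA_MARKERS))

# Attachment names seen in the wild for this campaign: "Invoice #<digits>.doc" and similar.
LURE_NAME_RE = re.compile(r"^(invoice|informationen)\s*#\s*\d+\.doc$", re.IGNORECASE)


def triage_doc(filename: str, data: bytes) -> dict:
    """Classify a mail attachment; anything but 'not_ole' deserves a closer look."""
    sha256 = hashlib.sha256(data).hexdigest()
    is_ole = data.startswith(OLE_MAGIC)
    # Heuristic scan of the raw bytes, not a full OLE directory parse.
    markers = sorted({m.group(0).decode("utf-16-le") for m in MARKER_RE.finditer(data)}) if is_ole else []
    lure_name = bool(LURE_NAME_RE.match(filename))
    if sha256 in KNOWN_BAD_SHA256:
        verdict = "known_bad"
    elif is_ole and markers:
        verdict = "suspicious_macro_doc"  # quarantine and detonate in a sandbox
    elif lure_name:
        verdict = "suspicious_name"
    elif is_ole:
        verdict = "ole_no_vba_markers"
    else:
        verdict = "not_ole"
    return {"sha256": sha256, "is_ole": is_ole, "vba_markers": markers,
            "lure_name": lure_name, "verdict": verdict}


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-ins for real files: the OLE header followed by the directory
# names a macro-bearing and a macro-free Word document would contain.
MACRO_DOC = OLE_MAGIC + b"\x00" * 24 + _u16("Root Entry") + _u16("WordDocument") + _u16("Macros") \
    + b"\x00" * 4 + _u16("VBA") + b"\x00" * 4 + _u16("_VBA_PROJECT") + b"\x00" * 4 + _u16("ThisDocument")
CLEAN_DOC = OLE_MAGIC + b"\x00" * 24 + _u16("Root Entry") + _u16("WordDocument") + _u16("1Table")
```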

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog