Independence Day greeting campaign delivers Emotet
Recently, Zscaler’s research team, ThreatLabZ, came across malicious Microsoft Office documents delivering Emotet malware via attachments using “Greeting Card” as the document name. The malware author leveraged the popular 4th of July holiday, the USA’s Independence Day, to lure users into downloading and opening the malicious documents. We saw over two dozen unique payloads hitting our Cloud Sandbox in the 48-hour span from July 2nd to July 4th earlier this week. The filenames and hashes for these attachments are shown below: Filename Hashes Greeting-Card-07-04-2018.doc 88b9cff1d3c253f93c56c1a3a3c78800 Greeting-Card-July-4.doc 3fe87f1b847a8a10989342fb9a92e7c9 Greeting-Card.doc 223c733af5b6036d855c7c9177116ef4 Greeting-Card-July-4.doc 229e78f0da36f6ad099d6fc35f154a5d Greeting-Card-07-04-2018.doc 6c0c7ee1f783a1465d1fcad1b227aa43 Greeting-Card-07042018.doc 57fc905430afb5323c68e14f28e02f4c Greeting-Card-07042018.doc 12e13776e95851ebf61e57e0600dfb4f Fig.1: Filenames of the attachments with the hashes In attempting to open the attachment, the user sees the following social-engineered message asking the user to enable content, which will execute the malicious macro in the background. Microsoft Office by default disables automatic execution of embedded macros until the user specifically selects “enable content.” Fig. 2: Fake Office message that asks user to enable macros Macro obfuscation and de-obfuscation There is only one macro in the document named Sub_Autoopen(). It includes a lot of junk code to throw off security researchers attempting to analyze it. Fig. 3: Embedded obfuscated macro triggering with AutoOpen The code links the values stored in the variable and then runs the whole command with wscript.exe. Fig. 4: PowerShell command being de-obfuscated and executed In the above snapshot, the code is executing Wscript to download a payload using the PowerShell script. The parameters are stored in “OUzoicLZQ.” The PowerShell script is highly obfuscated making it harder to analyze. Obfuscation script: Fig. 5: Obfuscated PowerShell command In the script, we can see it is using: (GV ‘*Mdr*’).nAmE[3,11,2]-jOIN”). This is basically for “iex,” which stands for invoke expression. The Invoke-Expression cmdlet (“command-let”) evaluates or runs a specified string as a command and returns the results of the expression or command. Using the for loop, it is taking characters from an array one by one as a string and XORing with “1d,” and, finally, making the full string the full command string using the JOIN method. De-obfuscation of PowerShell parameters: Fig. 6: De-obfuscated PowerShell command parameters The code then connects the user’s machine to a remote server, where it will download the Emotet payload, dropping to the temp directory in Windows: ‘C:\Users\user\AppData\Local\Temp\
*** This is a Security Bloggers Network syndicated blog from Research Blog authored by [email protected]. Read the original post at: http://www.zscaler.com/blogs/research/independence-day-greeting-campaign-delivers-emotet-5
