Independence Day greeting campaign delivers Emotet

Recently, Zscaler’s research team, ThreatLabZ, came across malicious Microsoft Office documents delivering Emotet malware via attachments using “Greeting Card” as the document name. The malware author leveraged the popular 4th of July holiday, the USA’s Independence Day, to lure users into downloading and opening the malicious documents. We saw over two dozen unique payloads hitting our Cloud Sandbox in the 48-hour span from July 2nd to July 4th earlier this week. The filenames and hashes for these attachments are shown below: Filename Hashes Greeting-Card-07-04-2018.doc 88b9cff1d3c253f93c56c1a3a3c78800 Greeting-Card-July-4.doc 3fe87f1b847a8a10989342fb9a92e7c9 Greeting-Card.doc 223c733af5b6036d855c7c9177116ef4 Greeting-Card-July-4.doc 229e78f0da36f6ad099d6fc35f154a5d Greeting-Card-07-04-2018.doc 6c0c7ee1f783a1465d1fcad1b227aa43 Greeting-Card-07042018.doc 57fc905430afb5323c68e14f28e02f4c Greeting-Card-07042018.doc 12e13776e95851ebf61e57e0600dfb4f Fig.1: Filenames of the attachments with the hashes In attempting to open the attachment, the user sees the following social-engineered message asking the user to enable content, which will execute the malicious macro in the background. Microsoft Office by default disables automatic execution of embedded macros until the user specifically selects “enable content.” Fig. 2: Fake Office message that asks user to enable macros   Macro obfuscation and de-obfuscation There is only one macro in the document named Sub_Autoopen(). It includes a lot of junk code to throw off security researchers attempting to analyze it.  Fig. 3: Embedded obfuscated macro triggering with AutoOpen The code links the values stored in the variable and then runs the whole command with wscript.exe. Fig. 4: PowerShell command being de-obfuscated and executed In the above snapshot, the code is executing Wscript to download a payload using the PowerShell script. The parameters are stored in “OUzoicLZQ.” The PowerShell script is highly obfuscated making it harder to analyze.  Obfuscation script: Fig. 5: Obfuscated PowerShell command In the script, we can see it is using: (GV ‘*Mdr*’).nAmE[3,11,2]-jOIN”). This is basically for “iex,” which stands for invoke expression. The Invoke-Expression cmdlet (“command-let”) evaluates or runs a specified string as a command and returns the results of the expression or command. Using the for loop, it is taking characters from an array one by one as a string and XORing with “1d,” and, finally, making the full string the full command string using the JOIN method. De-obfuscation of PowerShell parameters: Fig. 6: De-obfuscated PowerShell command parameters The code then connects the user’s machine to a remote server, where it will download the Emotet payload, dropping to the temp directory in Windows: ‘C:\Users\user\AppData\Local\Temp\ For a detailed technical analysis of the Emotet payload, please check our previous blog here. Zscaler Cloud Sandbox report for one of the greeting card payloads is shown below: Fig. 7: Zscaler Cloud Sandbox report IOCs Download attachment URLs: www.dokassessoria[.] www.xiaoguoyx[.]com/4th-july/ pds[.] www.acqi[.]cl/independence-day-greetings/ Malicious document MD5s: 88b9cff1d3c253f93c56c1a3a3c78800 3fe87f1b847a8a10989342fb9a92e7c9 223c733af5b6036d855c7c9177116ef4 229e78f0da36f6ad099d6fc35f154a5d 6c0c7ee1f783a1465d1fcad1b227aa43 57fc905430afb5323c68e14f28e02f4c 12e13776e95851ebf61e57e0600dfb4f Emotet domain: dessertcake[.] ky663[.]com/zzd hunter-kings[.]com/wp-content/czVbGb dotlenieni[.]pl/Fk5j clubvolvoitalia[.]it/r3z6 ecuadoresort[.]com/Oa beraysenbas[.]com/hs2Jv5Y Emotet executable MD5s: 27e90f2bc9a214b36a59e4ca0b18e75e D620a9a598f8848c05f72b025f01289b Ed0abac215c27665005271cfbf77c027 9295c23c16cb8615e4349830df30cc12 c0ebf36bb0f204bd76cb33e7d6e50678 Emotet C&C

*** This is a Security Bloggers Network syndicated blog from Research Blog authored by Read the original post at: