Analysis: Emotet in Nepal
--
So this morning, I saw a post from hiro_ about an Emotet doc in Nepali. Being a security researcher in Nepal, I was very keen to look at it, so I thought I would write a blog post about its basic static analysis.
I call it a campaign targeting a specific country. Previously, I have seen the Emotet actor targeting Japanese and Italian speakers. Likewise, this maldoc is crafted for Nepali speakers: the actor simply translated “Invoice” or “Info” into Nepali, i.e. “जानकारी”. The main highlight of this maldoc is the theme it carries and its specific target.
Looking over the doc, it follows the latest lure template, which was changed last week and is named “red_dawn” after the red banner in the file. As usual, the Emotet gang wants the victim to click “Enable Content”; you know, the macro stuff. Let's do that.
Note: I am running these malicious files in my VirtualBox sandbox, so I don't need to fear getting infected.
Monitoring the processes with Procmon, we notice powersheLL.exe (PID 7388) launched with a huge encoded command-line value.
Analyzing the value, the encoding seems to be Base64. The following is the decoded, but still obfuscated, PowerShell script used to perform the malicious task. This obfuscation technique was first noticed last week here; Ivan keeps changing it actively, though.
Cleaning up the junk from the above, we get the following cleaned-up script.
The following obfuscation techniques are used:
* Random declaration of variables
* Random variable names
* String concatenation where it is not necessary
* Use of Split to create arrays dynamically
* Massive use of concatenation for URLs
Thus, extracting the URLs from the script, we can list the following dropper links:
://www.kunstefan.de/cgi-bin/ZwGV/
://loschelder.eu/bilder/t3vb78/
://lblcomputacion.com/img/file/TzRHO/
://m-neumeier.de/cgi-bin/attach/TvaCePYsJNfk/
://linstitut.cat/wp-includes/attach/rtvRd/
://lueckebergfeld.de/cgi-bin/attach/vTDnvuQXDD/
://lichenheim.de/1984/mi55m4797242/
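As an added example (not code from the post, and not the maldoc's script), here is a small Python helper that reproduces the analyst steps above on a constructed sample: decode the Base64 value that `powershell -EncodedCommand` carries (Base64 over UTF-16LE text), collapse the `'a'+'b'` string concatenations, and list the URLs, including ones packed into a single string that the script later breaks apart with `Split()`. The sample script and its example.com/.org/.net URLs are placeholders I constructed; the regexes are heuristics for this obfuscation style, not a PowerShell parser.

```python
import base64
import re

# Constructed sample: a fragment in the style described above (concatenated
# URL, a Split()-built array), encoded the way -EncodedCommand expects.
# This is NOT the script from the maldoc; the URLs are reserved placeholders.
OBFUSCATED_PS = (
    "$x7q = ('ht'+'tp'+'://'+'exa'+'mple.com'+'/cgi-bin/'+'ZzZz/');"
    "$aB2 = 'http://example.org/a/@http://example.net/b/'.Split('@');"
    "foreach ($u in $aB2) { Write-Output $u }"
)
ENCODED = base64.b64encode(OBFUSCATED_PS.encode("utf-16le")).decode("ascii")

# Matches 'abc' + "def" (either quote style, optional whitespace around +).
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")

# A URL ends at whitespace, a quote, or a character commonly used as a
# Split() delimiter in these scripts (@ , ;), plus a closing parenthesis.
URL_RE = re.compile(r"https?://[^\s'\"@,;)]+")


def decode_encoded_command(b64: str) -> str:
    """Reverse PowerShell's -EncodedCommand encoding: Base64 of UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16le")


def collapse_concatenation(script: str) -> str:
    """Repeatedly join adjacent string literals until nothing changes.

    Each pass merges one pair per run of concatenations, so a long
    'a'+'b'+'c'+... chain needs several passes to become one literal.
    """
    prev = None
    while prev != script:
        prev = script
        script = CONCAT_RE.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", script)
    return script


def extract_urls(script: str) -> list:
    """Return the sorted, de-duplicated URLs found after de-concatenation."""
    plain = collapse_concatenation(script)
    return sorted(set(URL_RE.findall(plain)))


if __name__ == "__main__":
    decoded = decode_encoded_command(ENCODED)
    print(collapse_concatenation(decoded))
    for url in extract_urls(decoded):
        print(url)
```

The URL list is what you would feed to a blocklist or compare against proxy logs; the collapsed script is what you would read to confirm there is nothing else (such as a second-stage download path) hiding in the concatenations.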
Letting Fiddler do its job (make sure the network adapter is turned off), we see the PowerShell process attempting to connect to the same list of URLs.
The report from the AnyRun sandbox shows the following process graph, where two executables are dropped, i.e. J2meDvSHjK.exe and efsutill.exe.
As mentioned, we get two executables, which are in fact the same binary at a different path and under a different name. On execution, the first executable writes the new file to a different path while deleting itself. Imports from kernel32.dll such as CreateFile, DeleteFile, TerminateProcess, CreateThread etc. certainly make sense in that light.
Executing the exe in my test environment, it sends POST requests to its multiple C2 servers.
Furthermore, mapping it to the MITRE ATT&CK® framework via Hybrid Analysis, we suspect the dropped malware could be an info-stealer.
To conclude, the Emotet actor has now started targeting Nepal in the targets' preferred language, Nepali. Interestingly, though, the malware carried by the maldoc seems to be of the same family as before. Since Emotet's initial access is spear-phishing using various sneaky methods such as the email reply-chain technique, the first line of defense is to treat any attachment (.doc, .xls, .pdf), link, or link embedded in a picture from an unauthorized source or sender as suspicious. Since the malware dropped by the Emotet trojan can lead to the top-level cyber threat, ransomware, we must take this campaign seriously.
IOCs:
e1851a8a43444fdf9911390920e5b1dcd69463a6ef44cfb571e5666d30069487
edc6327781da3a442c1d8efb5fddd53b0b74ceb926662de38f25a45b23edd329
http://210.1.219.238/
http://162.144.42.60:8080/
http://134.209.193.138:443/
http://68.183.233.80:8080/
http://172.105.78.244:8080/
http://181.113.229.139:443/
More at: https://pastebin.com/5APr7h3D
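As an added example (not part of the post), here is a small Python checker that turns the C2 URLs listed above into host/port pairs and scans a few constructed proxy-log lines (not real traffic) for requests to them. A known C2 IP seen on a different port is reported as a host-only match rather than dropped, which is the behaviour a defender usually wants for IP-based IOCs. The log format and client addresses are my assumptions.

```python
import re
from urllib.parse import urlsplit

# C2 URLs copied from the IOC list in this post.
C2_IOCS = [
    "http://210.1.219.238/",
    "http://162.144.42.60:8080/",
    "http://134.209.193.138:443/",
    "http://68.183.233.80:8080/",
    "http://172.105.78.244:8080/",
    "http://181.113.229.139:443/",
]

# Constructed sample proxy log (not real traffic), assumed format:
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2020-03-11T10:02:11Z 10.0.0.5 GET http://example.com/index.html 200
2020-03-11T10:02:19Z 10.0.0.5 POST http://162.144.42.60:8080/Ab3kQ/ 200
2020-03-11T10:02:25Z 10.0.0.7 POST http://68.183.233.80:8080/ 200
2020-03-11T10:02:31Z 10.0.0.5 GET http://210.1.219.238:8080/ 404
2020-03-11T10:03:02Z 10.0.0.9 POST https://example.org/api 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3})$")


def host_and_port(url: str):
    """Split a URL into (hostname, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def ioc_endpoints(urls) -> set:
    """Normalise the IOC URLs into a set of (host, port) pairs."""
    return {host_and_port(u) for u in urls}


def find_c2_hits(log_text: str, iocs=C2_IOCS) -> list:
    """Return one dict per log line whose destination matches an IOC.

    'exact' means host and port both match an IOC entry; 'host' means the
    IP matches but the port differs, which is still worth an analyst's look.
    """
    endpoints = ioc_endpoints(iocs)
    hosts = {host for host, _ in endpoints}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, client, method, url, _status = m.groups()
        host, port = host_and_port(url)
        if (host, port) in endpoints:
            kind = "exact"
        elif host in hosts:
            kind = "host"
        else:
            continue
        hits.append({"time": ts, "client": client, "method": method,
                     "url": url, "match": kind})
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(hit)
```

In practice you would point this at your proxy or firewall export and treat each hit's client address as a host to isolate and image, since the POST traffic is the dropped binary checking in.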
Reference: