Summary

On 2020-07-17 the Hornetsecurity Security Lab detected the return of Emotet malspam. The reemerging Emotet malspam was already blocked by existing detection rules. The current Emotet malspam wave again uses malicious macro documents spread either via attachments or via malicious download links. As usual, the VBA macros in the document download the Emotet loader that the Hornetsecurity Security Lab has previously analyzed [EmotetLoader].

Background

As previous reported the return of Emotet was inevitable. The Emotet botnet did not send malspam since 2020-02-07. While there were other activities on the botnet, as can be seen in the following timeline, no malspam was observed by the Hornetsecurity Security Lab since 2020-02-07.

Emotet recent events

On 2020-07-17 new Emotet malspam emails were blocked by Hornetsecurity’s email filtering systems. One of such emails looks as follows:

Emotet malspam email

The email has a Word document attached, however, other emails with malicious download links to the malicious Word documents exist as well. When opening the document it instructs the user to click the “Enable Editing” (or as the Emotet authors put it “Enable Edition”) and click the “Enable Content” banner buttons:

Emotet DOC attachment

If a user does so, they become a victim to Emotet.

Technical Analysis

As previously reported the typical Emotet infection chain is as follows:

Emotet infection chain

We already reported on the Emotet loader as part of an analysis regarding its updates. Because at that time Emotet did not send malspam we could not outline the malicious documents typically used in Emotet infections.

The VBA macros are obfuscated. The macro will construct a Powershell command from obfuscated strings embedded in the VBA macro:

Emotet Powershell command

Decoding the Base64-encoded command reveals the 5 Emotet loader download URLs:

Emotet download URLs

The document will try to download the Emotet loader from each of these 5 URLs:

Emotet DNS queries

In case one of the 5 downlods is successful, it executes the Emotet loader, which we previously analyzed in a different article [EmotetLoader].

Conclusion and Countermeasure

Unlike previously speculated Emotet has no new tricks – at least not when it comes to the malspam.

To protect against Emotet the US CERT recommends to “implement filters at the email gateway to filter out emails with known malspam indicators” [USCERT].

Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market, already detected and blocked the reemerged Emotet malspam. Hornetsecurity’s Advanced Threat Protection extends this protection by also detecting yet unknown threats.

Beyond blocking the incoming Emotet emails defenders can use public available information by the Cryptolaemus team, a voluntary group of IT security people banding together to fight Emotet. They provide new information daily via their website [CryptolaemusWeb]. There you can obtain the latest C2 IP list for finding and/or blocking C2 traffic. For real-time updates you can follow their Twitter account [CryptolaemusTwitter].

References

Indicators of Compromise (IOCs)

Hashes

SHA256Description
99d8438c947cac7ca363037f1436ecab4e7fa4609c9c59f6fd5006a050d361aaMalicious document
5d2c6110f2ea87a6b7fe9256affbac0eebdeee18081d59e05df4b4a17417492bMalicious document
c5949244e5d529848c2323545a75eec34e6ba33c6519d46359b004d6717a68a5Malicious document

URLs

  • hxxps[:]//www.elseelektrikci[.]com/wp-content/hedk3/
  • hxxps[:]//www.rviradeals[.]com/wp-includes/LeDR/
  • hxxps[:]//skenglish[.]com/wp-admin/o0gf/
  • hxxps[:]//www.packersmoversmohali[.]com/wp-includes/pgmt4x/
  • hxxps[:]//www.tri-comma[.]com/wp-admin/MmD/

DNSs

  • www.elseelektrikci[.]com
  • www.rviradeals[.]com
  • skenglish[.]com
  • www.packersmoversmohali[.]com
  • www.tri-comma[.]com