Trustwave SpiderLabs analyzes Emotet Epoch 4 resuming spam campaigns, including a shift to OneNote attachments and heavy obfuscation to evade scanners. The post details padding tricks, a highly obfuscated VBA macro (AutoOpen) and a decode routine, plus the associated IOCs and download chain.
#Emotet #OneNote #Epoch4 #TrustwaveSpiderLabs #Cryptolaemus
Key points
- Emotet Epoch 4 resumed operations in March, expanding its spam activity.
- Switch to OneNote attachments as a delivery method, a tactic used by other groups recently.
- Zero-byte padding inflates document size to about 500MB to thwart security scanners.
- Highly obfuscated VBA macro with an AutoOpen entry point and thousands of lines of unused code.
- A decode function pattern is revealed and converted to Python, with full deobfuscated VBA shared in Gists.
- IOC collection includes multiple URLs and file hashes linked to various ZIP/EXE payloads.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Uses a document attached to an email to deliver malware. [ ‘a document file carrying malware that was attached to a convincing reply-chain email’ ]
- [T1105] Ingress Tool Transfer – Downloads the payload from a list of URLs, falling back to the next one whenever a download fails. [ ‘Try to download a file from the first URL, and if that fails, try to download from the remaining URLs until a download is successful.’ ]
- [T1027] Obfuscated/Compressed Files and Information – Padding to inflate file size and evade scanning. [ ‘zero-byte padding technique… inflate the file size by appending null bytes or useless data to the end of a file’ ]
- [T1059.005] Visual Basic – Obfuscated macro with an AutoOpen entry point; macro runs on document open. [ ‘There is a recognizable macro name present in the code: AutoOpen. This macro is an event that is triggered when the document file is opened, making it the entry point function.’ ]
- [T1140] Deobfuscate/Decode Files or Information – Decode routine decodes strings using a character table and indices. [ ‘The code below is the decode function that takes a character table and a list of character indices and uses them to decode a string by reading characters from the character table based on the indices and appending them to a new string.’ ]
- [T1117] Regsvr32 – Executes the binary via regsvr32.exe. [ ‘Proceeds to execute the binary via regsvr32.exe.’ ]
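The two techniques above that an analyst is most likely to reproduce are the table-and-index string decoder (T1140) and the zero-byte padding used to inflate the document (T1027). The block below is an added illustration written for this summary, not code from the Trustwave post or from the Gists it references: `decode_with_table` implements the decode pattern the post describes (read characters from a table at the given indices and concatenate them), and `trailing_null_ratio` / `looks_padded` is a simple triage check that measures how much of a file is a trailing run of null bytes, which is what a ~500MB padded document would show. The character table, index list and byte samples are constructed here for demonstration and are not the real macro's values; the 0.5 threshold is an arbitrary starting point, not something the post states.

```python
from typing import Sequence


def decode_with_table(table: str, indices: Sequence[int]) -> str:
    """Rebuild a string by looking each index up in a character table.

    This mirrors the decode routine described in the post: the obfuscated
    macro stores a table of characters and a list of positions, and the
    plaintext is produced by appending table[i] for each index i.
    """
    out = []
    for i in indices:
        if i < 0 or i >= len(table):
            # A bad index usually means the wrong table was paired with
            # this index list; fail loudly rather than silently truncate.
            raise ValueError(f"index {i} outside table of length {len(table)}")
        out.append(table[i])
    return "".join(out)


def trailing_null_ratio(data: bytes) -> float:
    """Fraction of the buffer that is a run of 0x00 bytes at the very end.

    Legitimate Office/OneNote files end in real structure, so a large
    trailing null run is a strong hint of size-inflation padding.
    """
    if not data:
        return 0.0
    stripped = data.rstrip(b"\x00")
    return (len(data) - len(stripped)) / len(data)


def looks_padded(data: bytes, min_ratio: float = 0.5) -> bool:
    """Triage helper: flag a file whose trailing null run dominates its size."""
    return trailing_null_ratio(data) >= min_ratio


# --- constructed sample values (hypothetical, not taken from the real macro) ---
SAMPLE_TABLE = "abcdefghijklmnopqrstuvwxyz0123456789"
# Indices into SAMPLE_TABLE that spell out "regsvr32" (the tool named in T1117).
SAMPLE_INDICES = [17, 4, 6, 18, 21, 17, 29, 28]

# A small stand-in for a padded document: a short header, a little content,
# then a long run of null bytes appended to the end of the file.
PADDED_SAMPLE = b"PK\x03\x04" + b"A" * 100 + b"\x00" * 900
# The same kind of file without padding.
CLEAN_SAMPLE = b"PK\x03\x04" + b"B" * 100


if __name__ == "__main__":
    print("decoded:", decode_with_table(SAMPLE_TABLE, SAMPLE_INDICES))
    for name, blob in (("padded", PADDED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(f"{name}: trailing-null ratio={trailing_null_ratio(blob):.3f} "
              f"flagged={looks_padded(blob)}")
```

When working from a real sample, `decode_with_table` is applied once per obfuscated string after the table and index list have been pulled out of the VBA; the padding check is meant to run on the raw attachment before any parser is given a file that may be hundreds of megabytes of nulls.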
Indicators of Compromise
- [URLs] context – hxxp://xyktza.nbxyk.net/bwzysov/index/X3hFHbueMtgoEi/etaJ35/, hxxp://arlex.su/services/IE2h6fBsQRQOhHBI691U/ and 5 more
- [File Names] context – ACH Payment info.zip, ACH Payment info.doc, and 2 more
- [Hashes] context – MD5 for ACH Payment info.zip: 68612b3d0094d51d3ca89ed6e3b16b4c, SHA256: 7041a0d1b2d0c1199e4b7505b0ab181ad2cdc881e01a520fb66758f081e4d40d; and 2 more hashes