Emansrepo Stealer: Analyzing Multi-Vector Attack Chains by FortiGuard Labs

Fortinet FortiGuard Labs analyzed Emansrepo, a Python-based infostealer active since November 2023 and distributed via phishing emails with fake purchase orders. The malware collects browser data, documents, extensions, wallets, and cookies, compresses them, and exfiltrates the data by emailing it to the attacker, with the attack flow evolving into multi-stage chains.

Key Points

  • Affected Platforms: Microsoft Windows
  • Impact: High severity due to stolen information potentially enabling future attacks
  • Distribution Method: Phishing emails containing fake purchase orders and invoices
  • Malware Behavior: Compresses stolen data and sends it to the attacker via email
  • Attack Flow: Multi-stage process added over time, with various components downloaded before Emansrepo runs
  • Data Collected: User information, text files, PDF files, browser extensions, crypto wallets, and cookies
  • Fortinet Protections: Detected and blocked by FortiGuard Antivirus; FortiGuard services can disarm embedded links in documents

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Executes scripts to facilitate malware behavior. “Executes scripts (AutoIt, PowerShell) to facilitate malware behavior.”
  • [T1027] Obfuscated/Compressed Files and Information – The 7z batch file is obfuscated by BatchShield. “The 7z file from the link in the phishing mail contains a batch file obfuscated by BatchShield.”
  • [T1059.001] PowerShell – The PowerShell-based stage downloads and runs the payload. “The script.ps1… downloads preoffice.zip to the Temp folder and unzips it into %TEMP%PythonTemp, but it executes Emansrepo using run.bat.”
  • [T1059.005] VBScript – Used to facilitate next-stage execution. “downloads the PowerShell script, script.ps1, with VBScript for the next stage.”
  • [T1059.007] HTML Application (HTA) – HTA file drives the next stage via a hidden window and downloads PowerShell script. “Its source file is a JavaScript file that shows a hidden window named PowerShell Script Runner and downloads the PowerShell script, script.ps1, with VBScript for the next stage.”
  • [T1566] Phishing – Initial distribution through phishing emails. “Uses phishing emails to distribute malware.”
  • [T1003] Credential Dumping – Collects browser-stored credentials and autofill data. “Collects login data, credit card information, and autofill data from browsers.”
  • [T1213] Data from Information Repositories – Gathers files from user directories. “Gathers files from Desktop, Documents, and Downloads folders.”

Indicators of Compromise

  • [URL] – bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta[.]ipfs[.]dweb[.]link/wetrankfr[.]zip, bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y[.]ipfs[.]w3s[.]link/myscr649612[.]js, estanciaferreira[.]com[.]br/wp-includes/TIANJIN-DOC-05082024-xls[.]7z
  • [IP Address] – 191[.]101[.]130[.]185, 192[.]236[.]232[.]35
  • [Email Address] – minesmtp8714@dasmake[.]xyz, minestealer8412@dasmake[.]xyz, extensionsmtp@maternamedical[.]top, filelogs@maternamedical[.]top, cookiesmtp@maternamedical[.]top
  • [File Hash] – e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5, 8e43c97e5bc62211b3673dee13e376a1f5026502ebe9fd9f7f455dc17c253b7f
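
As an added defender-side example (not code from the FortiGuard report), the Python script below refangs the indicators listed above and flags them in log lines; the sample mail-gateway, proxy, EDR and firewall lines and their field layout are constructed for illustration, and only the indicator values come from the list.

```python
import re
from typing import Dict, List

# Indicators copied from the IoC list above, kept in the list's defanged form.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "domain": ["dasmake[.]xyz", "maternamedical[.]top", "estanciaferreira[.]com[.]br",
               "bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta[.]ipfs[.]dweb[.]link",
               "bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y[.]ipfs[.]w3s[.]link"],
    "ip": ["191[.]101[.]130[.]185", "192[.]236[.]232[.]35"],
    "email": ["minesmtp8714@dasmake[.]xyz", "minestealer8412@dasmake[.]xyz",
              "extensionsmtp@maternamedical[.]top", "filelogs@maternamedical[.]top",
              "cookiesmtp@maternamedical[.]top"],
    "sha256": ["e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5",
               "8e43c97e5bc62211b3673dee13e376a1f5026502ebe9fd9f7f455dc17c253b7f"],
}

# Constructed sample log lines (not from the report): mail gateway, proxy, EDR, firewall, benign.
SAMPLE_LOGS = [
    "2024-08-12T10:14:03Z mta relay=mail.maternamedical.top to=<cookiesmtp@maternamedical.top> status=sent",
    "2024-08-12T10:02:51Z proxy GET http://estanciaferreira.com.br/wp-includes/TIANJIN-DOC-05082024-xls.7z 200",
    "2024-08-12T10:05:10Z edr file=C:\\Users\\bob\\AppData\\Local\\Temp\\preoffice.zip "
    "sha256=8E43C97E5BC62211B3673DEE13E376A1F5026502EBE9FD9F7F455DC17C253B7F",
    "2024-08-12T10:06:00Z fw allow src=10.0.0.5 dst=191.101.130.185 dport=587",
    "2024-08-12T10:07:00Z proxy GET https://example.com/index.html 200",
]

def refang(ioc: str) -> str:
    """Undo the report's defanging ('[.]' -> '.') and lower-case for matching."""
    return ioc.replace("[.]", ".").lower()

def build_patterns(iocs: Dict[str, List[str]]) -> list:
    """One anchored regex per indicator: match it as a whole token, never inside a longer
    hostname, number or hash; a domain also matches any of its subdomains."""
    pats = []
    for kind, values in iocs.items():
        for raw in values:
            ioc = refang(raw)
            if kind == "domain":
                rx = r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(ioc) + r"(?![a-z0-9-])"
            else:
                rx = r"(?<![a-z0-9@.-])" + re.escape(ioc) + r"(?![a-z0-9@.-])"
            pats.append((kind, ioc, re.compile(rx)))
    return pats

def scan(lines: List[str], iocs: Dict[str, List[str]] = DEFANGED_IOCS) -> List[dict]:
    """Return one hit per (line number, indicator kind, indicator) found in the lines."""
    pats = build_patterns(iocs)
    return [{"line": n, "kind": kind, "ioc": ioc}
            for n, line in enumerate(lines, 1) for kind, ioc, rx in pats if rx.search(line.lower())]
```

Running `scan(SAMPLE_LOGS)` reports the first four lines (mailbox and domain, phishing host, archive hash, listed IP) and leaves the benign line alone; feed it real gateway or EDR exports line by line to sweep for the same indicators.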

Read more: https://feeds.fortinet.com/~/903960230/0/fortinet/blog/threat-research~Emansrepo-Stealer-MultiVector-Attack-Chains