Emotet is being distributed through link files (.lnk) and Excel attachments, with distribution expanding since April. The emails disguise themselves as replies to the user to spread the malware, and the delivered payloads download additional loaders and malware from multiple URLs and C2 servers. #Emotet #LNK #Excel #VBScript #PowerShell
Keypoints
- Emotet distribution expanded from past methods to include .lnk (link) files in addition to Excel attachments.
- Attackers disguise the delivery as email replies to entice recipients into opening the payload.
- Excel-based deliveries use a macro sheet technique to trigger the payload.
- Downloaders use multiple payloads (VBScript and PowerShell) to fetch and execute additional malware from remote URLs.
- Several lnk filenames (e.g., Invoice-related names) are used, with commands executed upon opening the file.
- Emotet communicates with multiple C2 URLs after execution to receive commands and download further malware.
- AhnLab detects and blocks the family with several IOCs, including file hashes and a wide set of URLs.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – “The secured EML files share a feature: they disguise themselves as replies to the user’s email to distribute the malware strain.” Attachments such as Excel and lnk files are used to deliver the payloads.
- [T1204] User Execution – “Invoice # US-616121772.lnk attached to the email from Figure 2 runs the following command upon being executed.”
- [T1059.003] Windows Command Shell – “cmd.exe /v:on /c findstr … > …YlScZcZKeP.vbs” and related command sequences in the lnk file.
- [T1059.001] PowerShell – “powershell -executionpolicy bypass -file …” and subsequent base64-encoded payload execution.
- [T1059.005] VBScript – “Inside YlScZcZKeP.vbs are URLs encoded with Base64.”
- [T1027] Obfuscated/Compressed Files and Information – Base64 encoding/decoding and VBScript routines to reconstruct payloads.
- [T1105] Ingress Tool Transfer – “The file will access the URLs to download and run additional malware strains.”
- [T1071.001] Web Protocols – “Emotet attempts to access multiple C&C server URLs existing inside the malware when it is run. If the access is successful, it can receive commands…”
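Detection logic for the LNK command chain quoted above, as an added example that is not part of the original report: the two regexes follow the command shapes the report quotes (findstr output redirected into a .vbs, then powershell -executionpolicy bypass -file), the sample command lines are constructed (the findstr search string is a placeholder, not the real marker), and the function and constant names are my own.

```python
import re

# Stage 1 (T1059.003): cmd.exe carves a script out of the opened .lnk with
# findstr and redirects the output into a .vbs file.
FINDSTR_TO_VBS = re.compile(
    r"\bcmd(?:\.exe)?\b.*\bfindstr\b.*>\s*\"?[^\"&|]*\.vbs\b", re.IGNORECASE)

# Stage 2 (T1059.001): PowerShell is launched with the execution policy
# bypassed to run the dropped .ps1.
PS_BYPASS_FILE = re.compile(
    r"\bpowershell(?:\.exe)?\b.*-executionpolicy\s+bypass\b.*-file\b", re.IGNORECASE)

# Constructed sample process-creation command lines (not taken from the report).
SAMPLE_EVENTS = [
    # Constructed: mimics the lnk command shape; the findstr string is a placeholder.
    'cmd.exe /v:on /c findstr "PLACEHOLDER_MARKER.*" "Invoice # US-616121772.lnk"'
    ' > "%tmp%\\YlScZcZKeP.vbs"',
    # Constructed: second stage running the dropped PowerShell script.
    'powershell -executionpolicy bypass -file "%tmp%\\xLhSBgzPSx.ps1"',
    # Constructed benign: findstr redirected to a text file, not a script.
    'cmd.exe /c findstr /i "error" server.log > errors.txt',
    # Constructed benign: script run under the default execution policy.
    'powershell.exe -file C:\\scripts\\backup.ps1',
]


def classify(cmdline: str) -> list[str]:
    """Return the MITRE technique IDs whose quoted command pattern matches cmdline."""
    hits = []
    if FINDSTR_TO_VBS.search(cmdline):
        hits.append("T1059.003")
    if PS_BYPASS_FILE.search(cmdline):
        hits.append("T1059.001")
    return hits


def scan(events: list[str]) -> list[tuple[str, list[str]]]:
    """Return (command line, techniques) for every event that matches a stage."""
    return [(e, classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmdline, techniques in scan(SAMPLE_EVENTS):
        print(", ".join(techniques), "<-", cmdline)
```

Because the report's LNK stage writes the .vbs via a shell redirect rather than dropping a file directly, a rule keyed only on script-engine parents would miss it; matching the cmd.exe/findstr command line catches stage 1 before any script runs.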
Indicators of Compromise
- [Hash] – MD5-type hashes observed: c32c22fa90ad51747e9939f8e7abf4c0, fd37d5fecf99b16df331be14649ac09c and 2 more hashes
- [URL] – Downloader domains/URLs observed: easiercommunications[.]com/wp-content/w/, dulichdichvu[.]net/libraries/QhtrjCZymLp5EbqOdpKk/ and other related addresses
- [URL] – Additional domains/URLs observed: www.whow[.]fr/wp-includes/H54Fgj0tG/, creemo[.]pl/wp-admin/ZKS1DcdquUT4Bb8Kb/ and more
- [Domain] – Malicious domains observed: easiercommunications[.]com, dulichdichvu[.]net, creemo[.]pl, focusmedica[.]in, cipro[.]mx
- [File Name] – LNK/File names observed: Invoice # US-616121772.lnk, 20220429_57092_005.lnk, INVOICE-related lnk files
- [File Name] – Dropped/downloaded payloads: KzcEXkekpr.Zvp, YlScZcZKeP.vbs, xLhSBgzPSx.ps1 and other temp files
- [Domain] – Additional C2-related domains and paths: gccon[.]in/UploadedFiles/UYtJNrT2llxy1/, g-akudou[.]com/photo06/hEu/, giasotti[.]com/js/Khc6mb0zx4KoWX/
Read more: https://asec.ahnlab.com/en/34556/