The Emotet Trojan: A Tale of Two Malware Samples
I’ve been examining Emotet’s malicious documents a lot lately, since this malware campaign is on everyone’s lips, and I wanted to take a moment to point out an interesting observation I ran into a few days ago.
As a rough sketch, here’s what Emotet does all day: Millions of people receive spam emails designed to look like package shipping notices, or billing invoices, or other plausible documents that people would normally receive, somewhat like a phishing campaign. These emails then either have a Word doc file attached to them, or a URL link in the email that points to a Word doc file. Then, when you open that doc file, you’re presented with a fake template telling you that your copy of Word is configured improperly and implores you to fix that. (Pro Tip: The only thing incorrect about it is the part where it’s not letting the document’s AutoOpen() macro execute and do bad things to you.) Then, some subset of millions of people go ahead and Enable Macros, and set themselves up for a meeting with their IT department.
So, let’s have a look at one of these maldocs. How about the sample with the sha1 hash 7de95cb762eb9a6c0911d054fc4adab529185f41 ?
That’s definitely an Emotet maldoc.
Inside this maldoc, we find a nasty pile of Visual Basic macro code:
Ugh. That’s awful. Let’s clean that up a little bit so we can read it, okay? You see there, where it does “CreateObject()” ? That’s going to build a command-line out of all those randomly named pieces of string. Those pieces of string are made of smaller pieces of string in the pile of garbage up above.
We’re screwed.
We’re going to have to interpret this pile of Visual Basic.
Et voilà… That gives us a command line that’s going to be passed to WScript.Shell (which is VBA’s system() call) that looks like:
Oh holy hell in a handbasket… It’s DOSfuscated. Let’s unpack that a bit. It’s going to require simulating what cmd.exe does with it, and ultimately cmd.exe is going to run:
Argh, gdd*&*@(#mmo)mmit… Not only is cmd.exe launching powershell, but some “helpful” person decided it was a great idea to let powershell just run random blobs of base64 encoded payload. Let’s see what’s inside that mess:
Nice. It’s unicode. It’s always something. Let’s make that readable for humans.
FINALLY. OH MY GOD.
So, that’s a neat little pile of powershell scripting… Let’s tidy that up and see what it does?
Cool, right? It creates a stub of a “web browser” in $DrK. It makes a list of urls to check in $KvB out of 5 different URLs separated by an @ symbol. Then, it goes to each of them in order and tries to download whatever is there as “859.exe” and run it with Invoke-Item.
Fancy pants.
Needless to say, you shouldn’t go clicking on those urls. They’re bad for your health.
Now, let’s take a look at an entirely different malware document.
This one is 70a42e30077d2c2c80b9efc24f0c4b09d8cc51d2.
It’s got a pile of VBA inside too!
Hmm. Okay, this looks familiar. The AutoOpen() block is a tiny bit different, using Shell% instead, but it’s pretty close to the same thing at the end of the day. Let’s see what that string evaluates to.
Again with the DOSfuscation! That stuff unpacks to running:
Which is…
Ugh, unicode again…
Well. Look at that. The same script we saw earlier, more or less.
It’s taking a list of URLs in $Apq and downloading them as “150.exe” and running them…
Wait.
There’s only one url in the url list, but it’s splitting the URL list on “@”?
Why would you do that?
Clearly someone here has used the same tool as before to push a malware download URL, but what’s on the other end of this URL?
It turns out this is an Ursnif sample. Which is weird and cool, because it’s being delivered in something that might as well be an Emotet maldoc.
I wonder how that happened. No, really, I wonder how that happened. You see, we’ve observed a few things with Emotet.
We know that they mostly drop their own banking malware from their URL quintets, but occasionally they will load up their own spam tools to send their maldocs out, and sometimes they will even distribute PandaBanker or the TrickBot trojan instead.
We’ve seen prior “versions” of Emotet manifesting as two parallel sets of distribution infrastructure, originally distributing different malware. This has recently morphed into a single infrastructure that generally distributes only one kind of thing at a time; although it has been occasionally observed to distribute different download URLs in parallel during the same time window, suggesting a capability to run multiple campaigns contemporaneously.
Clearly, this Ursnif sample isn’t being served from the Emotet group’s distribution infrastructure, but it’s very interesting nonetheless. Did a third party write the tool that creates the maldoc from a template and contains the payload URLs and both of these groups obtained it? Did the Emotet group write that tool for their own purposes, and then they sold it to the Ursnif group (or the Ursnif group obtained it through some means)? Was this a test run for a campaign by the Emotet group to embed a link to the Ursnif group’s payload infrastructure in their own spam email delivery?
We can’t really know, but it’s something to watch for.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
