Cyble – Emotet Returns Targeting Users Worldwide
Latest Strain Spreading Bumblebee and IcedID Malware

The Emotet malware strain was first discovered by cyber security researchers in 2014. It was initially designed as banking malware to steal sensitive and private information from the victim’s system without their knowledge.

Later versions of Emotet added spamming and malware-delivery services that download other malware families, including banking trojans and ransomware.

The initial infection begins via a spam email containing an attachment or link. When the user opens the attachment or link, it downloads the Emotet payload to the victim’s machine in the background. This campaign uses various social engineering tricks to lure users into opening malicious documents and enabling the macro content, which is required for the Emotet payload to be downloaded.

Emotet has evolved several times since 2014. It also offers Malware-as-a-Service (MaaS) to other threat groups to deploy additional malware, such as TrickBot, Qakbot, and ransomware. Though Emotet was considered the most widely distributed malware in previous years, it abruptly stopped spamming in July 2022.

Security researcher Cryptolaemus tweeted on November 2nd that Emotet is back and has started spamming again. Cyble Research and Intelligence Labs (CRIL) observed the recent Emotet spam campaign spreading malicious xls, xlsm, and password-protected zip files as attachments to infect users. Our intelligence shows that the recent Emotet campaign is widespread, targeting 40 countries worldwide.

The figure below shows the geographical distribution of Emotet spambot activity for the week from 3rd Nov to 8th Nov 2022.

Figure 1 – Geographical distribution of Emotet

Technical Details

Emotet arrives via spam email containing an xls/xlsm or password-protected attachment, as shown in the image below. These Office documents contain malicious macro code which downloads the actual Emotet binary from a remote server.

Figure 2 – Spam Email

When a user opens a Microsoft Office document, it usually opens in Protected View, which prevents macros from being executed. Hence, the Threat Actors (TAs) behind Emotet try various social engineering techniques to lure users into enabling the macro content.

The recent Emotet campaign shows a new template that contains instructions for bypassing Microsoft’s Protected View. In this template, the TAs instruct users to copy the xls into the trusted ‘Templates’ folder and open it again to view the document content. Because files in that folder are trusted, this trick bypasses Microsoft Office’s Protected View feature and executes the hidden malicious macro code in the document, which downloads the Emotet malware. The figure below shows the new Office template used by Emotet.

Figure 3 – New MS Office template used by Emotet campaign

During execution, the xls file runs the macro code, downloads the Emotet DLL (Dynamic Link Library) file from one of the following URLs, and launches it with “regsvr32.exe”:

  • hxxps://designelis.com[.]br/wp-content/NNfbZZegI/
  • hxxp://copayucatan.com[.]mx/wp-includes/BqaJMpC3osZ0LRnKK/
  • hxxp://cursosweb.com[.]br/portal/6ozjR/
  • hxxp://db.rikaz[.]tech/lCx76IlkrBtEsqNFA7/
Figure 4 – Emotet dll downloaded from C&C server

The process tree demonstrates the execution of Emotet DLL downloaded from a malicious “xls” document, as shown below.

Figure 5 – Emotet process tree

Then, the Emotet malware quietly runs in the background and connects to the C&C server for further instructions or to install additional payloads. While analyzing the recent Emotet samples, CRIL observed that it downloads IcedID as follow-up malware.

IcedID

IcedID (aka BokBot) is a modular banking trojan that allows the TAs to steal banking credentials from the victim’s system and acts as a dropper for additional malware, such as ransomware.

Upon execution, Emotet drops the IcedID installer file into the following location:

  • C:\Users\[username]\AppData\Local\ClzhGUmETtiWkpuICXbDzlkuFEVWX.dll

Then, the installer downloads a binary file from the URL (hxxps[:]//bayernbadabum[.]com/botpack[.]dat) and drops the IcedID DLL into the following locations:

  • C:\Users\[username]\AppData\Roaming\{E32EC873-DB7B-380C-E7AC-7CA404E8C9FF}Azkiifocnf.dll
  • C:\Users\[username]\AppData\Roaming\LoejesUrjoeeqamup1.dll

The figure below shows the IcedID payload downloaded by Emotet on the victim’s system.

Figure 6 – Presence of IcedID dll in the victim’s system

Persistence

After IcedID is installed on the victim’s system, it registers its DLL files as scheduled task entries for persistence, as shown in the figure below.

Figure 7 – Emotet and IcedID persistence

Bumblebee

Emotet was also observed downloading the Bumblebee malware on 8th Nov 2022. In this campaign, Emotet downloads a PowerShell script named “Peurix.txt” into the Temp folder from the URL (hxxp[:]//87[.]251[.]67[.]176/tps1[.]ps1). The downloaded PowerShell file contains code to download the Bumblebee DLL from the URL (hxxp[:]//134[.]209[.]118[.]141/bb[.]dll) into the following location and execute it using rundll32.exe:

  • C:\Windows\Tasks\bb.dll
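As an added defender-side example (not code from the Cyble report), the following Python flags the two process chains described above and in the Technical Details section: an Office application spawning regsvr32.exe, rundll32.exe or PowerShell, and regsvr32/rundll32 loading a DLL from a user-writable path such as AppData, Temp or C:\Windows\Tasks. The process-creation events are constructed for illustration; the field layout (parent image | image | command line) is an assumption, not a specific sensor format.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style), not taken from the report.
# Field order: parent_image | image | command_line
SAMPLE_EVENTS = [
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\ObpgVIuUvWX.dll",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -f C:\Users\alice\AppData\Local\Temp\Peurix.txt",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\Tasks\bb.dll,DllMain",
    r"C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Program Files\Vendor\component.dll",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "powershell.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Directories the campaign's droppers wrote to (AppData, Temp, C:\Windows\Tasks); signed
# software is rarely registered from these locations, so a hit is worth a closer look.
WRITABLE_DIRS = re.compile(r"\\(AppData|Temp|Windows\\Tasks|Users\\Public)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: str) -> List[str]:
    """Return the detection labels that apply to one process-creation event."""
    parent, image, cmdline = event.split("|", 2)
    child = basename(image)
    findings = []
    # Chain 1: a macro-enabled document spawning a LOLBin (EXCEL.EXE -> regsvr32/powershell).
    if basename(parent) in OFFICE_PARENTS and child in LOLBINS:
        findings.append(f"office-spawned-{child}")
    # Chain 2: regsvr32/rundll32 loading a DLL from a user-writable directory.
    if child in DLL_LOADERS and WRITABLE_DIRS.search(cmdline):
        findings.append(f"{child}-loads-dll-from-user-writable-path")
    return findings


def triage(events: List[str]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that triggered at least one rule."""
    result = {}
    for idx, event in enumerate(events):
        findings = classify(event)
        if findings:
            result[idx] = findings
    return result


if __name__ == "__main__":
    for idx, labels in triage(SAMPLE_EVENTS).items():
        print(idx, labels)
```

The two benign events (explorer.exe and svchost.exe launching DLLs from Program Files and System32) produce no findings, which is the point of keying on the parent process and the load path rather than on the LOLBin name alone.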

Cyble Research and Intelligence Labs (CRIL) has continuously monitored the Emotet malware campaign since spamming resumed on November 2nd and identified the following intelligence from the recent spam campaign.

The figure below shows the top filenames used by the Emotet spam campaign.

Figure 8 – Top filenames used by Emotet spam

The below image shows file types used by the Emotet spam.

Figure 9 – File types used by Emotet spam

The image below shows the top subject names used by the Emotet spam campaign.

Figure 10 – Top mail subject names used by Emotet spam

Emotet is one of the most sophisticated and profitable malware families actively observed in the past eight years, impacting users globally. The primary infection vector for Emotet is spam email containing malicious attachments that download the Emotet payload, which in turn downloads additional payloads such as IcedID and Bumblebee.

As Emotet has returned after a few months, we expect the campaign to deliver malware using new TTPs in the future. Cyble Research and Intelligence Labs is continuously monitoring the activity of the Emotet malware campaign and will keep our readers updated.

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices mentioned below:

Safety Measures Needed to Prevent Attacks From Similar Threats And Reduce The Impact

  • Don’t keep important files in common locations such as the Desktop, My Documents, etc.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.

Tactic | Technique ID | Technique Name
Initial Access | T1566.001 | Phishing: Spearphishing Attachment
Execution | T1204 | User Execution
Execution | T1059 | Command and Scripting Interpreter
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence | T1053 | Scheduled Task/Job
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Credential Access | T1573 | Encrypted Channel
Credential Access | T1571 | Non-Standard Port
Credential Access | T1110.001 | Brute Force: Password Guessing
Discovery | T1087 | Account Discovery
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1105 | Ingress Tool Transfer

Source: https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide/