[MART] - Daily Diary #453 - Emotet's New Campaign

CTAS-MAT ctas-mat at appgate.com
Tue Feb 15 20:46:54 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

02/15/2022 - Diary entry #453:

In our Daily Diary #390, we covered Emotet's return. After that, we started to observe new campaigns, like Emotet using the Windows 10 App Installer to deploy its payload, covered in our Daily Diary #404. Recently, in mid-January, Emotet launched a new campaign with a different infection pattern.

Delivery is via spam, as usual: Emotet's operators hijack existing email threads and generate fake replies to legitimate emails, increasing the likelihood that victims execute the first-stage malware. The initial payload is delivered inside an encrypted, password-protected zip attachment, with the password included in the email body. Because the archive's contents are encrypted, security solutions cannot inspect them, which is how the attachment bypasses scanning.
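As an added illustration of the delivery pattern above (this is example code written for this entry, not something from the diary or from Appgate), the following Python script shows a mail-gateway triage check: it reads the zip header flags to detect password-protected entries, which a content scanner cannot inspect, and flags the combination of an encrypted archive plus a password handed over in the message body. The sample archive and message body are constructed in memory; the entry name and password are placeholders.

```python
import io
import re
import zipfile


def build_sample_zip(encrypted: bool) -> bytes:
    """Build a small single-entry zip in memory (constructed sample, not a real
    lure). With encrypted=True the header's encryption bit is set so the archive
    looks like a password-protected attachment to header-based triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.xls", b"placeholder bytes, not a real workbook")
    data = bytearray(buf.getvalue())
    if encrypted:
        # General-purpose flag word: offset 6 in the local file header
        # ('PK\x03\x04') and offset 8 in the central directory entry
        # ('PK\x01\x02'). Bit 0 means "entry is encrypted".
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def encrypted_entries(blob: bytes) -> list[str]:
    """Names of entries whose central-directory flags declare encryption."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]


# Matches a password handed over in the message body
# ("password: 1234", "the password is abc").
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)?\s*\S+", re.IGNORECASE)


def triage_message(body: str, attachments: dict[str, bytes]) -> list[str]:
    """Return findings for one message. A password-protected zip whose password
    is in the body is the combination to escalate: the gateway cannot scan the
    contents, but the recipient can open them immediately."""
    findings = []
    for name, blob in attachments.items():
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            continue
        names = encrypted_entries(blob)
        if not names:
            continue
        findings.append(f"{name}: encrypted zip entries {names}")
        if PASSWORD_HINT.search(body):
            findings.append(f"{name}: archive password appears in message body")
    return findings


if __name__ == "__main__":
    # Constructed sample message in the style of a hijacked-thread reply.
    body = "RE: invoice\n\nPlease see attached. The password is 2022."
    print(triage_message(body, {"invoice.zip": build_sample_zip(encrypted=True)}))
```

The check deliberately stops at the header: it never needs the password, so it works on exactly the attachments the content scanner has to give up on.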

After extracting the attachment and opening the Microsoft Excel document inside it, the victim must enable macros on a vulnerable host for the Excel 4.0 macros to run; this is an old feature that the threat actors abuse. Next, the macro code uses mshta.exe to execute obfuscated remote HTML code, which in turn downloads and executes an additional PowerShell script.

Subsequently, the PowerShell script downloads Emotet's final payload DLL from one of several different URLs (a resiliency mechanism also used by other malware families) and executes it using rundll32.exe. Finally, the DLL loads an encrypted PE from its resource section and executes it as the final stage of the attack chain.
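The execution chain described in the two paragraphs above (Excel -> mshta.exe fetching remote HTML -> PowerShell -> rundll32.exe) is visible in process-creation telemetry before the payload DLL ever exists on disk. The Python sketch below is an added example, not code from the diary or from Appgate: it runs two lineage rules over constructed Sysmon-style events. Process names, command lines, hosts and DLL paths in the sample events are placeholders, not observed indicators.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 shape, reduced to the
    fields the rules need). Images are lower-case basenames."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry, not captured data; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "excel.exe", r"EXCEL.EXE C:\Users\victim\Downloads\invoice.xls"),
    ProcEvent(300, 200, "mshta.exe", "mshta http://<placeholder-host>/page.html"),
    ProcEvent(400, 300, "powershell.exe", "powershell -w hidden -enc <placeholder>"),
    ProcEvent(500, 400, "rundll32.exe", r"rundll32 C:\ProgramData\<placeholder>.dll,<placeholder-export>"),
    ProcEvent(600, 100, "powershell.exe", "powershell Get-Date"),  # benign: no Office ancestor
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# The post-macro chain from the diary entry, youngest process first.
CHAIN = ("rundll32.exe", "powershell.exe", "mshta.exe")


def lineage(events, pid):
    """Images from pid upward to the root (self first), following ppid links.
    The seen-set guards against pid reuse producing a cycle."""
    by_pid = {e.pid: e for e in events}
    out, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        out.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return out


def detect(events):
    """Return (rule_name, pid) findings. Rule 1: an Office process launching
    mshta.exe with a URL on the command line, the first observable hop. Rule 2:
    the full mshta -> PowerShell -> rundll32 chain rooted in an Office process."""
    findings = []
    for e in events:
        chain = lineage(events, e.pid)
        if (e.image == "mshta.exe" and len(chain) > 1
                and chain[1] in OFFICE_IMAGES and "http" in e.cmdline.lower()):
            findings.append(("office_spawns_remote_mshta", e.pid))
        if (e.image == "rundll32.exe" and tuple(chain[:3]) == CHAIN
                and len(chain) > 3 and chain[3] in OFFICE_IMAGES):
            findings.append(("office_mshta_powershell_rundll32_chain", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 fires early and is cheap, but mshta.exe launched by Office with a URL is rare enough in most environments to be alertable on its own; rule 2 is the higher-confidence corroboration once the rest of the chain has run. Both key on parent-child structure rather than on the URLs or DLL paths, which rotate between campaigns.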

This new campaign reinforces what we stated before. It suggests that a new group is using Emotet to grow its own operation (possibly together with former members of the original Emotet operation), re-establishing Emotet as a highly active threat.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549
