This blog originally appeared in October 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022.
Following the recent return of Emotet after a five-month hiatus, a newly discovered phishing campaign is using updated tactics, leveraging the hype surrounding President Trump’s decision to halt U.S. funding for the World Health Organization (WHO). In a ruse to drop this dangerous banking trojan, the malicious messages take the form of a typical Political Action Committee (PAC) email soliciting support for presidential incumbent Donald Trump in the upcoming 2020 election.
First caught by Area 1 Security on August 21st, this ongoing campaign contains all the hallmarks of the resurgence of Emotet:
Leveraging stolen email content
Subject lines prefaced with “Fwd:” and “RE:”
PowerShell commands to download and execute the malware
This campaign, however, aims to compromise politically related entities rather than just the typical targets of opportunity commonly associated with this banking trojan. In Figure 1, you can see how the attacker forwards a legitimate PAC mailer to create a false sense of legitimacy, with entirely authentic content throughout the body of the message. Every link works and leads to benign web pages of the impersonated PAC.
Like a wolf in sheep’s clothing, the attacker cleverly disguises the Emotet delivery mechanism as messaging about timely, highly publicized, hot-button political issues.
Figure 1. Screenshot of phishing message
The subject of the email reads “Fwd:Breaking: President. Trump suspends funding to WHO,” and the attacker employs Display Name Spoofing in an attempt to mask the true sender address. The actual sender addresses used to spread the phishing messages vary, but all have one thing in common: each is a legitimate account compromised by the attacker to launch this fraudulent WHO-themed campaign.
A closer look at the attacker’s infrastructure reveals compromised hosts used to relay the phishing messages, such as the sending Mail Transfer Agent (MTA) server[.]websoftperu[.]com. Area 1 Security suspects that this MTA was compromised through an exposed SSH port running a very outdated OpenSSH release (7.4), which has numerous publicly known vulnerabilities.
Similarly:
Compromised email accounts of several small businesses around the world were used in each wave of this campaign, again luring victims with the same stolen PAC email content.
One of these accounts is also connected to similar phishing messages with slightly different lures, all with the intent to infect targets with Emotet.
The example account above is, in particular, the source of various politically themed phishing messages that contain stolen content from a number of different PAC mailers, and it was observed targeting politically affiliated email accounts.
The attacker primarily uses compromised accounts to successfully pass email authentication protocols, such as DMARC, DKIM, and SPF.
Whereas other malicious actors may look for sender domains on which these protocols are misconfigured or not configured at all, this attacker boldly turns correctly configured authentication to their advantage: a message from a compromised account passes SPF, DKIM, and DMARC exactly as the legitimate owner’s mail would. This tactic allows the attacker to bypass legacy vendors that rely solely on these authentication methods as indicators of maliciousness.
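The practical consequence for a mail filter is that an authentication pass must never be treated as a benign verdict on its own. The following added example (not Area 1 Security’s code) parses a constructed message that passes SPF, DKIM, and DMARC, as a message from a compromised account would, and still flags it from the traits this campaign shares: a display name that does not match the sender domain, a “Fwd:”/“RE:” subject prefix, and a Word attachment. The sample addresses and the display-name heuristic are assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: sent from a compromised account, so SPF/DKIM/DMARC all pass,
# yet the display name, the "Fwd:" subject and the .doc attachment match the campaign.
SAMPLE = """\
From: "Impersonated PAC" <accounts@compromised-biz.test>
To: staffer@target-pac.test
Subject: Fwd:Breaking: President. Trump suspends funding to WHO
Authentication-Results: mx.target-pac.test; spf=pass smtp.mailfrom=compromised-biz.test;
 dkim=pass header.d=compromised-biz.test; dmarc=pass header.from=compromised-biz.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="Report.doc"
Content-Disposition: attachment; filename="Report.doc"

(binary omitted)
--b1--
"""

def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601 style)."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for field in str(hdr).replace("\n", " ").split(";"):
            k, _, v = field.strip().partition("=")
            if k in ("spf", "dkim", "dmarc"):
                out[k] = v.split()[0]
    return out

def classify(raw):
    """Return (verdict, authenticated, signals); authentication never short-circuits."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    signals = []
    # Display-name spoofing heuristic: no word of the display name appears in the sender domain
    if name and not any(w in domain for w in name.lower().split() if len(w) > 3):
        signals.append("display_name_mismatch")
    if (msg.get("Subject") or "").lstrip().lower().startswith(("fwd:", "fw:", "re:")):
        signals.append("forwarded_subject")
    if any((p.get_filename() or "").lower().endswith((".doc", ".docm"))
           for p in msg.iter_attachments()):
        signals.append("word_attachment")
    verdict = "suspicious" if len(signals) >= 2 else "clean"
    return verdict, authenticated, signals
```

The authenticated flag is returned alongside the verdict so that an authenticated-but-suspicious message can be routed to account-compromise handling rather than dismissed.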
There is approximately one week of turnover time between each wave of the campaign as the attacker retools to get ahead of defenses. This includes various changes, such as modifying the weaponized attachment and using new compromised sender infrastructure and accounts.
Efforts like this can easily equip the attacker with the ability to circumvent typical signature-based detections that depend on IP addresses and payload hashes of known threats, leading defenders through a never-ending game of “cat and mouse”.
Analysis of Malware
At the bottom of the phishing message is a Microsoft Word document that uses VBA macros to drop the first-stage payload, the Emotet downloader. After opening the document, the user is prompted by a dialog box to enable editing and content, as depicted below.
Figure 2. Screenshot of Dialog Box
Merely clicking this box will enable a highly obfuscated VBA Macro (as shown in Figure 3) that runs an equally obfuscated PowerShell command using Windows Management Instrumentation (WMI).
Figure 3. Screenshot of Macro VBA obfuscated code
The content in Figure 4 shows a sampling of the PowerShell script after Area 1 Security researchers deobfuscated a majority of the code. This script attempts to download Emotet from a list of hardcoded compromised WordPress sites. It first runs through this list of sites (as highlighted below) to determine which are still actively hosting the Emotet trojan.
Figure 4. Screenshot of deobfuscated PowerShell
Area 1 Security found that, among the compromised sites hardcoded in the malware, only the link hxxp://cammis[.]com[.]br/wp-admin/8IArx/ was still active at the time of analysis. Once the final payload is found on a functioning site, it is downloaded to a temporary folder on the victim’s device, located at %userprofile%\AppData\Local\. From there, a message is sent back to the Emotet command and control (C2) server, confirming that the payload was successfully downloaded.
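Because the macro launches PowerShell through WMI, the PowerShell process appears as a child of the WMI provider host (WmiPrvSE.exe) rather than of Word, which breaks simple Word-spawns-PowerShell rules. The added example below (not Area 1 Security’s code) runs a detection over constructed process-creation events: it flags powershell.exe spawned by WmiPrvSE.exe and correlates it with a WINWORD.EXE start on the same host shortly before, and separately checks the command line for obfuscation traits such as an encoded command or a hidden window. The event schema, the time window and the regex are assumptions for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed schema, not a real EDR/Sysmon format)."""
    ts: float            # epoch seconds
    host: str
    image: str           # process image name
    parent_image: str
    cmdline: str

# Assumed command-line traits of an obfuscated PowerShell stage: encoded command,
# hidden window, no profile, inline base64 decoding.
OBFUSCATED = re.compile(r"-e(c|nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|FromBase64String", re.I)

def word_wmi_powershell_alerts(events, window=120):
    """Flag powershell.exe spawned by WmiPrvSE.exe; correlate with a WINWORD.EXE start on
    the same host within `window` seconds, the chain the macro-to-WMI launch produces."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        word_starts = [e.ts for e in evs if e.image.lower() == "winword.exe"]
        for ev in evs:
            if ev.image.lower() != "powershell.exe" or ev.parent_image.lower() != "wmiprvse.exe":
                continue
            word_recent = any(0 <= ev.ts - t <= window for t in word_starts)
            obfuscated = bool(OBFUSCATED.search(ev.cmdline))
            if word_recent or obfuscated:   # either trait alone is worth a look; both is high confidence
                alerts.append({"host": host, "ts": ev.ts, "word_recent": word_recent,
                               "obfuscated": obfuscated, "cmdline": ev.cmdline})
    return alerts

# Constructed events: ws1 reproduces the chain described above; ws2 is a legitimate
# scheduled WMI-launched script; ws3 is an interactive PowerShell session.
SAMPLE_EVENTS = [
    ProcEvent(1000.0, "ws1", "OUTLOOK.EXE", "explorer.exe", "outlook.exe"),
    ProcEvent(1010.0, "ws1", "WINWORD.EXE", "OUTLOOK.EXE", '"WINWORD.EXE" /n Report.doc'),
    ProcEvent(1025.0, "ws1", "powershell.exe", "WmiPrvSE.exe",
              "powershell -w hidden -enc <base64 placeholder>"),
    ProcEvent(5000.0, "ws2", "powershell.exe", "WmiPrvSE.exe", "powershell -File C:\\ops\\inventory.ps1"),
    ProcEvent(6000.0, "ws3", "powershell.exe", "explorer.exe", "powershell"),
]
```

WMI-launched PowerShell has legitimate administrative uses, so the Word correlation is what keeps this rule quiet on management hosts.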
What Makes Emotet Difficult to Detect?
Emotet is among the most destructive and costly malware families, affecting both the public and private sectors. Once this advanced, modular banking trojan compromises a target device, other hosts on the network are at risk of infection, as the malware’s worm-like capabilities allow it to self-replicate to other connected devices. Once a host is compromised, the attacker has free rein over its sensitive information; essentially no data on it is safe.
Since Emotet is primarily delivered via attachments or links in phishing emails, the attacker takes extra measures to ensure their messages will not trigger legacy email security solutions. These tactics range from simply changing the name and hash of the malicious file, to more advanced anti-debugging and host-environment analysis capabilities.
Emotet’s modular dynamic-link libraries (DLLs) and polymorphic nature offer the attacker not only continuously evolving capabilities but also effortless evasion of signature-based detection systems. Analysis of this evasive trojan can present challenges for those attempting to reverse the malware, as it is virtual-environment aware and will sleep indefinitely in an attempt to render debugging techniques ineffective. With malicious actors using constantly evolving malware, new and advanced techniques are needed to detect and catch these phishing messages before they reach users’ inboxes.
Recommendations
Area 1 Security’s advanced machine learning and artificial intelligence technology leverages algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time, versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction, in that the user is never exposed to the attack.
Indicators of Compromise
Attachment File Names:
Report.doc
Resume.doc
LG-7231 Medical report Covid-19.doc
IQ-5125 Medical report Covid-19.doc
PowerShell Executables (file names have a fixed length of seven alphanumeric characters):
Qncqa3a.exe
S1xi8fyw.exe