
PAC spoof drops Emotet: phishing campaign leverages stolen PAC content to drop Emotet

2020-10-06


This blog originally appeared in October 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022.

Following the recent return of Emotet after a five-month hiatus, a newly-discovered phishing campaign is using updated tactics by leveraging the hype surrounding President Trump’s decision to halt U.S. funding for the World Health Organization (WHO). In a ruse to drop this dangerous banking trojan, the malicious messages take the form of a typical Political Action Committee (PAC) email, eliciting support for presidential incumbent Donald Trump in the upcoming 2020 election.

First caught by Area 1 Security on August 21st, this ongoing campaign contains all the hallmarks of the resurgence of Emotet:

  • Leveraging stolen email content

  • Subject lines prefaced with “Fwd:” and ”RE:”

  • PowerShell commands to download and execute the malware

This campaign, however, aims to compromise politically-related entities rather than just the typical targets of opportunity that are commonly associated with this banking trojan. In Figure 1, you can see how the attacker forwards a legitimate PAC mailer to develop a false sense of legitimacy, with entirely authentic content throughout the body of the message. Every link works and leads to benign web pages of the impersonated PAC.

Like a wolf in sheep’s clothing, the attacker cleverly disguises their Emotet delivery mechanism as messaging about timely and highly publicized, hot-button issues in politics.

Figure 1. Screenshot of phishing message

The subject of the email reads “Fwd:Breaking: President. Trump suspends funding to WHO,” and the attacker employs Display Name Spoofing in an attempt to mask the true sender address. The actual sender addresses used to spread the phishing messages vary, but all have one thing in common: each is a legitimate account compromised by the attacker to launch this fraudulent WHO-themed campaign.

A closer look at the attacker’s infrastructure reveals compromised hosts used in the transfer of the phishing messages, such as the sending Mail Transfer Agent (MTA) server[.]websoftperu[.]com. Area 1 Security suspects that this MTA may have been compromised due to an open port running a very outdated version of OpenSSH (7.4), which has numerous vulnerabilities.

Similarly:

  • Compromised email accounts of several small businesses around the world were used in each wave of this campaign, again luring victims with the same stolen PAC email content.

  • One of these accounts is also connected to similar phishing messages with slightly different lures, all with the intent to infect targets with Emotet.

  • The example account above is, in particular, the source of various politically-themed phishing messages that contain stolen content from a number of different PAC mailers and was observed in the targeting of politically-affiliated email accounts.

The attacker primarily uses compromised accounts to successfully pass email authentication protocols, such as DMARC, DKIM, and SPF.

Whereas other malicious actors may look for sender domains that lack these protocols or have them misconfigured, this attacker boldly leverages correctly-configured authentication protocols to their advantage. This tactic allows the attacker to bypass legacy vendors that rely solely on these authentication methods as indicators of maliciousness.
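Authentication results on their own do not separate this campaign's mail from legitimate mail, because the compromised accounts really do pass SPF, DKIM and DMARC. A useful check layers the hallmarks described above (a borrowed display name, a "Fwd:"/"RE:" subject) on top of the authentication results instead of treating a pass as a clean verdict. The Python below is an added example, not Area 1 Security's detection logic; the message headers, the `PROTECTED_DISPLAY_NAMES` table and all `.example` domains are constructed for the demonstration.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Display names that this organisation's users should only ever see coming
# from the listed domains. Constructed for the example; a real table would be
# built from the PACs and partners the organisation actually corresponds with.
PROTECTED_DISPLAY_NAMES = {
    "example pac": {"examplepac.example"},
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
FORWARD_PREFIX_RE = re.compile(r"^\s*(fwd?|re)\s*:", re.IGNORECASE)

# Constructed headers modelling the campaign: SPF/DKIM/DMARC pass because the
# sending account genuinely belongs to shop.example, but the display name is
# the impersonated PAC's and the subject carries the "Fwd:" hallmark.
SPOOFED_MESSAGE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=shop.example;
 dkim=pass header.d=shop.example; dmarc=pass header.from=shop.example
From: "Example PAC" <accounts@shop.example>
To: staff@campaign.example
Subject: Fwd:Breaking: President. Trump suspends funding to WHO
Content-Type: text/plain

(body copied from a legitimate PAC mailer)
"""

# The same mailer as sent by the PAC itself (also constructed).
LEGITIMATE_MESSAGE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplepac.example;
 dkim=pass header.d=examplepac.example; dmarc=pass header.from=examplepac.example
From: "Example PAC" <news@examplepac.example>
To: staff@campaign.example
Subject: Breaking: President. Trump suspends funding to WHO
Content-Type: text/plain

(mailer body)
"""


def parse_auth_results(value):
    """Map spf/dkim/dmarc to their result from an Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(value)}


def assess_message(raw, protected=PROTECTED_DISPLAY_NAMES):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("auth_passed")

    # Display-name spoofing: a protected name used from a domain not allowed to use it.
    name, addr = parseaddr(str(msg.get("From", "")))
    allowed = protected.get(name.strip().lower())
    if allowed is not None and addr.rpartition("@")[2].lower() not in allowed:
        findings.append("display_name_spoof")

    if FORWARD_PREFIX_RE.match(str(msg.get("Subject", ""))):
        findings.append("forwarded_subject")
    return findings


def verdict(findings):
    """A passing authentication result never clears a message with a borrowed display name."""
    return "quarantine" if "display_name_spoof" in findings else "deliver"


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        found = assess_message(raw)
        print(label, found, verdict(found))
```

The point of the design is the order of precedence: `auth_passed` is recorded as a finding like any other, and the verdict is driven by the display-name check, so a compromised-but-correctly-configured sender gains nothing from its valid SPF, DKIM and DMARC records.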

There is approximately one week of turnover time between each wave of the campaign as the attacker retools to get ahead of defenses. This includes various changes, such as modifying the weaponized attachment and using new compromised sender infrastructure and accounts.

Efforts like this can easily equip the attacker with the ability to circumvent typical signature-based detections that depend on IP addresses and payload hashes of known threats, leading defenders through a never-ending game of “cat and mouse”.

Analysis of Malware

At the bottom of the phishing message, there is a Microsoft Word Document that uses VBA Macros to drop the first-stage payload, the Emotet downloader. After clicking on the document, the user is prompted by a dialog box to enable editing and content, as depicted below.

Figure 2. Screenshot of Dialog Box

Merely clicking this box will enable a highly obfuscated VBA Macro (as shown in Figure 3) that runs an equally obfuscated PowerShell command using Windows Management Instrumentation (WMI).

Figure 3. Screenshot of Macro VBA obfuscated code

The content in Figure 4 shows a sampling of the PowerShell script after Area 1 Security researchers deobfuscated a majority of the code. This script attempts to download Emotet from a list of hardcoded compromised WordPress sites. It first runs through this list of sites (as highlighted below) to determine which are still actively hosting the Emotet trojan.

Figure 4. Screenshot of deobfuscated PowerShell

Area 1 Security found that, among the compromised sites hardcoded in the malware, only the link hxxp://cammis[.]com[.]br/wp-admin/8IArx/ was still active at the time of analysis. Once the final payload is found on a functioning site, it is downloaded to a temporary folder on the victim’s device, located at %userprofile%\AppData\Local\. From there, a message is sent back to the Emotet command and control (C2) server, confirming that the payload was successfully downloaded.
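The delivery chain described above (a Word macro launching PowerShell through WMI, which then writes the downloaded executable under %userprofile%\AppData\Local\) can be turned into endpoint detection logic that does not depend on the payload hash or the hosting site. The Python below is an added example, not code from the post or from Area 1 Security. The events are constructed in a Sysmon-like shape; the rule relies on the fact that a process created through WMI appears with WmiPrvSE.exe as its parent, and on the seven-character alphanumeric file-name pattern from the indicator list (eight is also accepted because one listed sample has eight characters).

```python
import re

# Constructed process- and file-creation events (Sysmon-like field names);
# none of these are real telemetry from the campaign.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\victim\\Downloads\\Report.doc"'},
    {"type": "process", "pid": 200, "ppid": 2,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "wmiprvse.exe -secured -Embedding"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell -w hidden -enco <base64 blob omitted>"},
    {"type": "file", "pid": 300,
     "path": r"C:\Users\victim\AppData\Local\Qncqa3a.exe"},
    # Ordinary administrative PowerShell use, for comparison.
    {"type": "process", "pid": 400, "ppid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -File C:\\Scripts\\inventory.ps1"},
]

POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)
WMI_HOST_RE = re.compile(r"(^|\\)wmiprvse\.exe$", re.IGNORECASE)
# Hidden window, or any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
OBFUSCATION_RE = re.compile(r"-w(i[a-z]*)?\s+hidden|-e(c|n[a-z]*)?\s", re.IGNORECASE)
# The indicator list describes seven-character alphanumeric names; eight is
# accepted as well because one listed sample (S1xi8fyw.exe) has eight.
DROPPED_EXE_RE = re.compile(r"\\AppData\\Local\\[A-Za-z0-9]{7,8}\.exe$", re.IGNORECASE)


def wmi_spawned_powershell(ev):
    """True for a PowerShell process whose parent is the WMI provider host."""
    return (ev["type"] == "process"
            and POWERSHELL_RE.search(ev["image"]) is not None
            and WMI_HOST_RE.search(ev["parent"]) is not None)


def analyse(events):
    """Return (pid, tag, detail) alerts for each suspicious step seen."""
    process_by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for ev in events:
        if wmi_spawned_powershell(ev):
            detail = "powershell spawned through WMI"
            if OBFUSCATION_RE.search(ev["cmdline"]):
                detail += " with hidden window or encoded command"
            alerts.append((ev["pid"], "wmi_launch", detail))
        elif ev["type"] == "file" and DROPPED_EXE_RE.search(ev["path"]):
            creator = process_by_pid.get(ev["pid"])
            if creator is not None and POWERSHELL_RE.search(creator["image"]):
                alerts.append((ev["pid"], "dropped_exe",
                               "powershell wrote a short random-named exe under AppData\\Local"))
    return alerts


def full_chain_pids(events):
    """PIDs for which both the WMI launch and the dropped executable were observed."""
    tags = {}
    for pid, tag, _ in analyse(events):
        tags.setdefault(pid, set()).add(tag)
    return sorted(pid for pid, seen in tags.items() if {"wmi_launch", "dropped_exe"} <= seen)


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
    print("full chain:", full_chain_pids(EVENTS))
```

Either step on its own is worth an alert; the two together on the same PID give a high-confidence match for this delivery chain, which is what `full_chain_pids` reports. The benign administrator event is included to show that an interactively launched script does not trip the rule.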

What Makes Emotet Difficult to Detect?

Emotet is among the most destructive and costly malware families, affecting both the public and private sectors. Once this advanced, modular banking trojan compromises a target device, other hosts on the network are at risk of infection, as the malware’s worm-like capabilities allow it to easily self-replicate to other connected devices. Sensitive information on the compromised hosts is effectively fair game for the attacker: essentially no data on them is safe.

Since Emotet is primarily delivered via attachments or links in phishing emails, the attacker takes extra measures to ensure their messages will not trigger legacy email security solutions. These tactics range from simply changing the name and hash of the malicious file, to more advanced anti-debugging and host-environment analysis capabilities.

Emotet’s modular Dynamic Link Libraries (DLLs) and polymorphic nature offer the attacker not only continuously evolving capabilities but also effortless evasion of signature-based detection systems. Analysis of this evasive trojan can present challenges for those attempting to reverse the malware, as it is virtual-environment aware and will infinitely sleep in an attempt to render debugging analysis techniques ineffective. With malicious actors using constantly evolving malware, new and advanced techniques are needed to detect and catch these phishing messages before they reach users’ inboxes.

Recommendations

Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology leverages algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time, versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.

Indicators of Compromise

Compromised Sender Email Addresses:

accounts@alhilaldecors[.]com

reservas@carentminibus[.]com

sargodha@deluxefootwear[.]com[.]pk

c25@hahncollections[.]co[.]za

Sender IP Addresses:

59[.]127[.]189[.]26

103[.]133[.]214[.]57

175[.]138[.]0[.]109

208[.]109[.]80[.]1

Sender Domains:

Server1[.]gigafield[.]com

Server[.]websoftperu[.]com

Compromised Emotet Websites:

hxxp://cammis[.]com[.]br/wp-admin/8lArx/

hxxps://indiafricatoday[.]com/wp-admin/l0WmSB/

hxxp://gosmartmoving[.]com/wp-content/3QC/

hxxp://ilfacomercial[.]cl/wp-includes/P/

hxxp://hanh[.]cz/blogs/XU/

hxxps://myvanillastuffs[.]xyz/wp-admin/hjL8d/

hxxp://condi-shop[.]ru/wp-includes/nWJ/

Attachment Hashes:

MD5: 031be6a39da92ccedefc3ef3e5cc12aa

SHA1: 1eed6a05b977b6b13a8df2cafed8f1cdf7d53088

SHA256: 5d4bee6f5bb0d02b980f21c2ae731bd12d5de2e2810058e6098fc888a7cc6f7b

SSdeep: 1536:A2Fj72Fjmrdi1Ir77zOH98Wj2gpngh+a9BlJizP:1rfrzOH98ipgnYzP

MD5: 729d528ab5073b012c6dcded3872bb62

SHA1: 1984ee2ffcfc14beec272f671833bf506ab85f72

SHA256: d647fbb82b18f11ade1b505a7f9a065441fe8a187377299900bae27fe4047740

SSdeep: 3072:5Yy0u8YGgjv+ZvchmkHcI/o1/Vb6///////////////////////////////////n:T0uXnWFchmmcI/o1/q1Bw4

MD5: 86b7f3f18a2e57ae66ba824b0c43be01

SHA1: ea1302e16d433653adf3071325bc8c2288b2a85e

SHA256: 874b498a569260ed044256f13bd87d1a3697f02a17a364d2d61ba9005e12cd25

SSdeep: 3072:fYy0u8YGgjv+ZvchmkHcI/o1/Vb6///////////////////////////////////k:B0uXnWFchmmcI/o1/N2ODQwKdk

MD5: 7dc4f1c537c0557a3e38106803b43449

SHA1: acd368c99c7071461701bec70dcd113ad028fbbb

SHA256: 08c3d787f8a45044c85e4c95fb935cbab569d48a16dbe511b8abf6b79fa08046

SSdeep: 3072:V4PrXcuQuvpzm4bkiaMQgAlSmrvsPhQVwjZVPg:iDRv1m4bnQgISevsPOVwjZ5g

Attachment File Names:

Report.doc

Resume.doc

LG-7231 Medical report Covid-19.doc

IQ-5125 Medical report Covid-19.doc

PowerShell Executables (file names are fixed-length, consisting of seven alphanumeric characters):

Qncqa3a.exe

S1xi8fyw.exe
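The indicators above are defanged (hxxp, [.]) so they cannot be clicked or resolved by accident; to search logs for them they have to be restored to their live form, and anything found should be re-defanged before it goes into a report or ticket. The Python below is an added example, not part of the post; the proxy and MTA log lines are constructed, and only a handful of the indicators are copied into the list.

```python
import re

# Indicators copied from the list above, in their defanged form.
IOCS = [
    "hxxp://cammis[.]com[.]br/wp-admin/8lArx/",
    "hxxps://indiafricatoday[.]com/wp-admin/l0WmSB/",
    "59[.]127[.]189[.]26",
    "Server[.]websoftperu[.]com",
]

# Constructed proxy and MTA log lines for the demonstration; not real telemetry.
LOG_LINES = [
    "2020-08-21T10:02:11Z proxy src=10.0.0.5 url=http://cammis.com.br/wp-admin/8lArx/ status=200",
    "2020-08-21T10:02:13Z proxy src=10.0.0.5 url=https://www.example.com/news/ status=200",
    "2020-08-21T09:58:40Z mta connect from server.websoftperu.com [59.127.189.26]",
    "2020-08-21T09:59:01Z mta connect from mail.example.net [192.0.2.10]",
]


def refang(ioc):
    """Turn the report form (hxxp, [.]) back into the form that appears in logs."""
    value = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def defang(value):
    """Inverse of refang, for anything that goes back into a report or ticket."""
    value = re.sub(r"^http(s?)://", r"hxxp\1://", value, flags=re.IGNORECASE)
    return value.replace(".", "[.]")


def compile_ioc(ioc):
    # Boundaries stop 59.127.189.26 from matching inside 159.127.189.26 or a
    # longer hostname; case-insensitive because hostnames are.
    return re.compile(r"(?<![\w.-])" + re.escape(refang(ioc)) + r"(?![\w.-])", re.IGNORECASE)


def scan(lines, iocs=IOCS):
    """Return (line, defanged indicator) pairs for every indicator found in the lines."""
    compiled = [(ioc, compile_ioc(ioc)) for ioc in iocs]
    return [(line, ioc) for line in lines for ioc, pattern in compiled if pattern.search(line)]


if __name__ == "__main__":
    for line, ioc in scan(LOG_LINES):
        print(ioc, "<-", line)
```

Keeping the indicators defanged in the source list and refanging only inside `compile_ioc` means the list can be pasted straight from a report like this one, while the hits are reported by their defanged name and never reintroduce a live link.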
