Emotet Excel Loader (2022)
Emotet Excel Loader (2022) - The revival of Emotet’s Terror
Sample
MD5 — d4e0e1f4d8c7f66732a4872ad9292978
References
A Comprehensive Look at Emotet’s Fall 2022 Return
VMware Report Exposes Emotet Malware’s Supply Chain
Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20
Key Takeaways
- This version of Emotet abuses Microsoft Office’s trusted locations to avoid protections with macros.
- Sheets are password-protected to hide the code that would be executed for the next stage of the malware. AABABAAABBB^
- Staging C2s over HTTPS:
- blacksebo.de/sharedassets/fA/oxnv1.ooccxx
- chist.com/dir-/HH/oxnv3.ooccxx
- bikkviz.com/wp-admin/NyT44HkVg/oxnv2.ooccxx
- coadymarine.com/Admin/ekamS7WWDkLwS44q/oxnv4.ooccxx
Analysis
Emotet was observed activated November 2, 2022 after about 4 months of laying dormant. Security researchers waited patiently to see what new techniques would be discovered and used once Emotet returned.
Phishing
With new sample and infections flooding networks, Emotet is seen using some familiar initial infection methods. The primary method of infection has been observed through a phishing email that has been themed as and Invoice or Receipt. Emotet has aso been observed spreading through hijacked email threads from accounts that have been infected. This method is used to exploit the trust between venders to bring legitimacy to the attachment.
Cracking Excel Sheets
One hurtle in analysis was that all but one of the Excel sheets were password-protected. This limited the ability to perform static analysis on the file. No evidence of macros or malicious code could be found before cracking the sheets.
Researching into the difficulty into brute forcing the password found that it is possible due to the weak encryption. Below is the VBS code found from PassFab that allowed for a code module to be made to automate the cracking and unlocking process.
Sub PasswordRecovery()
Dim i As Integer, j As Integer, k As Integer
Dim l As Integer, m As Integer, n As Integer
Dim i1 As Integer, i2 As Integer, i3 As Integer
Dim i4 As Integer, i5 As Integer, i6 As Integer
On Error Resume Next
For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If ActiveSheet.ProtectContents = False Then
MsgBox "One usable password is " & Chr(i) & Chr(j) & _
Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
Exit Sub
End If
Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next
End Sub
XLS file
The file attached to the email has been found to be a .xls file. This file is default file format from Excel 97 to Excel 2003. These file can contain macros in which Emotet uses to start the infection process.
When opening the file a the user is greated with a imitation Office warning. This warning resembles the “Enable Macros” button but is found to be a trick PNG. The threat actors want the users to add the file the trusted file paths for Microsoft Office. When a file is in this path macros execute without the “Enable Macros” prompt along with Microsoft protections.
Once the file is moved to one of these trusted locations and opened the ‘Auto Open’ action is executed which infected the device with the malicious DLLs by building regsrv32 and URLDownloadToFile commands. The files are downloaded from the C2s
- blacksebo.de/sharedassets/fA/oxnv1.ooccxx
- chist.com/dir-/HH/oxnv3.ooccxx
- bikkviz.com/wp-admin/NyT44HkVg/oxnv2.ooccxx
- coadymarine.com/Admin/ekamS7WWDkLwS44q/oxnv4.ooccxx
In all the sample analyzed it was found that the file extensions were the “OOCCXX”