Emotet is back after almost five months of absense. It disappeared in early February, 2020 and came back recently in July to resume it’s phishing campaigns. AhnLab Security Emergency-response Center(ASEC) has confirmed the return of Emotet malware through its blog on July 22nd.
Emotet is an infamous botnet that is known for its phishing campaigns. Even after a five-month-long break, their old tricks of using phishing emails remained the same. Emotet’s phishing campaign can be primarily divided into three types: ▲phishing email with malicious download links ▲phishing email with malicious PDF file attachments ▲phishing email with malicious Word documents.
They use malicious file attachments, such as Word documents and PDF files. The recently discovered PDF file contained payment information with a link disguised as a DocuSign website, as shown in Figure 1.
When the user opens the document, a link shows up. When the user clicks on the link (hxxp://braxmedia.nl/test/invoice/), an additional malicious file is downloaded.
The file downloaded is a Word document that contains a malicious Macro. Once enabled, Macro uses Windows Management Instrumentation (WMI) to run the Base64-encoded PowerShell command. This command uses 5 URLs to download Emotet.
Before Emotet dissapeared for almost five months, Emotet used the parameter of “–XXXXXXXX” format to be executed. However the latest version of Emotet executes without using a specific parameter. Once Emotet is activated, it connects to C2 to receive commands from the attacker to perform malicious activities. Depending on the command, it also updates Emotet, downloads malicious module, or downloads additional malware, such as Trickbot. There are two types of malicious modules, one being an info-stealer module that steals user information and the other one being a distribution module that exploits shared folders to be distributed.
Emotet is widely distributed through phishing emails with various contents. Thereby, users must refrain from opening suspicious emails and file attachments as well as enabling Macros within the Word document.
AhnLab’s anti-malware product V3 detects files and URLs used by Emotet using the following IOC information:
IOC (Indicator of Compromise)
• Downloader/DOC.Emotet.S1072 (2020.01.31.04)
• Downloader/MSOffice.Generic (2020.07.19.00)
• Trojan/Win32.Emotet.C4164773 (2020.07.21.03)