Emotet Evades Antivirus Detection With Camouflaged Malicious Macros

-


A new Emotet Trojan variant has been observed in the wild with the added ability to hide from anti-malware software by embedding malicious macros used to drop the main payload inside XML files disguised as Word documents.
Emotet (also known as Geodo or Heodo) is a modular Trojan developed by the Mealybug threat group and used by attackers to infect targets via spam e-mails, leading to the theft of financial information such as bank logins or cryptocurrency wallets.
The Trojan is also designed to act as a carrier conduit for other banking Trojans or for information-stealing and highly-customizable modular bots such as Trickbot.

Hides in plain sight

Menlo Security detected a new variant of the Emotet Trojan active since mid-January, which obfuscates the initial infection VBA macro code to minimize anti-malware detection levels.
The Menlo Security research team observed two variants of the malware distributed by the mid-January campaign. The first which accounted for 80% of all samples, delivered malicious XML files camouflaged as DOC documents.
The first type, and the more prominent one, was an XML file that contains the standard XML header, plus the Microsoft Word Document XML format tags. This is followed by Base64 encoded data, which contains the compressed and obfuscated VBA macro code. The file itself was named with a .doc extension.
Malicious XML with encoded VBA macro code
Sample malicious XML with encoded VBA macro code
The second type of malicious documents, which made up 20% of the rest of all detected samples, were standard Word files which also contained malicious macro code.

The infection procedure is quite complex and it follows a sequential structure, with the initial malicious script spawning multiple processes which will launch a Powershell script that downloads the Emotet payload to the TEMP folder on the compromised machine.
Once Emotet Trojan arrives on the infected host, it will be launched and starts connecting to "a list of URLs (probably the attacker’s command-and-control servers) in a loop and breaks when one succeeds."
Emotet infection
Emotet infection
This new detection evasion capability added to Emotet by MealyBug is in line with previously observed behavior. As US-CERT says in its TA18-201A advisory:
Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.
Additionally, Emotet is known to be very active, showing up in new malware campaigns almost every month, from October when it was updated to steal its victims' emails going back six months and November when it moved its Command & Control infrastructure to the US.
Also, the Trojan was revived in another November campaign which delivered the malware through emails designed to look as coming from financial institutions or disguised as Thanksgiving-themed greetings for employees.
Back in January Emotet came back again in the form of an updated variant capable of checking if the recipient's/victim's IP address is either blacklisted or on spam lists maintained by Spamhaus, SpamCop, or SORBS.

Menlo Security also provides a full list of indicators of compromise (IOCs) such as payload hashes, domains used by the malware campaign and IP addresses of C&C servers, as well as PowerShell callback URLs at the end of their analysis.

Source:Bleepingcomputer.com

Comments

Post a Comment

Popular posts from this blog

Andriod Cryptocurrency Clipboard Hijacking Crypto Malware Found On Google Play Store

-
Image
A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users. The malware, described as a " Clipper ," masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to attackers, ESET researcher Lukas Stefanko explained in a  blog post . Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out. The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behavior to steal users cryptocurrency. To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called  MetaMask , claiming to let use
Read more

Hackers Deleted VFEmail Entire Data and Backups

-
Image
What could be more frightening than a service informing you that all your data is gone—every file and every backup servers are entirely wiped out? The worst nightmare of its kind. Right? But that's precisely what just happened this week with VFEmail.net, a US-based secure email provider that lost all data and backup files for its users after unknown hackers destroyed its entire U.S. infrastructure, wiping out almost two decades' worth of data and backups in a matter of few hours for no apparent reason. Started in 2001 by Rick Romero, VFEmail provides secure, private email services to companies and end users, both free and paid-for. Describing the attack as "catastrophic," the privacy-focused email service provider revealed that the attack took place on February 11 and that "all data" on their US servers—both the primary and the backup systems—has been completely wiped out, and it's seemingly beyond recovery. The VFEmail team detected the attack o
Read more

High-Severity SHAREit App Flaws Open Files for the Taking

-
Image
Security researchers have discovered two high-severity vulnerabilities in the SHAREit Android app that could allow attackers to bypass device authentication mechanism and steal files containing sensitive from a victim's device. With over 1.5 billion users worldwide, SHAREit is a popular file sharing application for Android, iOS, Windows and Mac that has been designed to help people share video, music, files, and apps across various devices. With more than 500 million users, the SHAREit Android app was found vulnerable to a file transfer application's authentication bypass flaw and an arbitrary file download vulnerability, according to a  blog post  RedForce researchers shared with The Hacker News. The vulnerabilities were initially discovered over a year back in December 2017 and fixed in March 2018, but the researchers decided not to disclose their details until Monday "given the impact of the vulnerability, its big attack surface and ease of exploitation."
Read more