Figure 1: Infection Chain
The infection vector is Excel 4.0 macros with malicious code distributed across excel spreadsheet cells. By default, the Excel file is opened in protected view, with the macros disabled. For this, Emotet Excel files have one image with instructions (Figure 2) asking user to copy the file to <Microsoft Office>\Templates folder and run again. This makes sure that execution of macros will be carried out seamlessly with user interaction.
Figure 2: Malicious document warning. The required actions infect the machine.
The macro code contains multiple URLs which further download the emotet dropper DLL.
Out of these 4 URLs only 3 were active at the time of analysis. These URLs downloaded 3 Emotet dropper DLLs having similar functionality. The DLLs are executed using regsvr32.exe.
Figure 3: View of the malicious VBA macro
Emotet is known for distributing many different malware families. During the analysis of two samples, no additional malware was observed being dropped or downloaded.
The dropper DLL has highly obfuscated custom packer code, including encrypted main Emotet DLL. The listed APIs involve multiple imports that are known to be used with malware. These cover multiple areas of monitoring, enumeration, execution, encryption, persistence, and exfiltration. Multiple APIs are loaded using DWORDs stored in memory (Figure 4).
Figure 4: Packed code shown in x64dbg
The custom decryption loop is used to decrypt the main Emotet DLL using key “vGZlfkkg?U^>+xzU”. Once regsvr32.exe is executed, the DLL is moved and renamed to “~\AppData\Local” and/or “\Windows\System32\” locations with a randomized name for both the parent folder and the file itself. A registry key is then created to autorun when the system is restarted (Figure 5).
Figure 5: Run Entry created for persistence
The process will then attempt to reach out to multiple IP addresses with a generated cookie and collected data. After initial communication with CnC servers it downloads further Emotet spammer module to the same folder or the “Appdata” directory.
For further spreading spammer module uses multiple malicious email templates like the one mentioned in Figure 6 below.
Figure 6: Email Template
It also uses a number of email domains, email addresses, their passwords and other information including malicious email attachments to spread across domains as seen in Figure 7.
Figure 7: Email Addresses and Passwords
This elaborates the redistribution mechanism of malware to infect other victims using already compromised email credentials.
This sample was a separate DLL file that showed several differences in both code and behavior. Manually running the decryption function resulted in a DLL being created within newly allocated memory space, but instead of a randomly named file, it’s called ‘clover.dll’ (Figure 8) and differs from the dropper in multiple ways.
Figure 8: Clover.dll allocated in memory
The first point is that when clover.dll drops, it lacks several of the anti-analysis features that the original has; notably, one can go directly to the entrypoint in a debugger without the program terminating itself. There is also a string that produced only two Google results (f:\rtm\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl), both of which are samples on Alienvault OTX[i][ii].
Running ‘clover.dll’ with regsvr32.exe results in the same behavior as the dropper sample. It is moved to ~AppData\Local, a registry key is created for persistence, and system enumeration begins. Regsvr32 then spawns a child process and kills the parent (Figure 9), becoming a ‘non-existent process’; this is an anti-analysis technique that prevents debuggers from attaching to the process.
Figure 9: This process does not exist (to a debugger)
The second part to note is the way Emotet is communicating with the C2 servers: using regsvr32.exe to send TCP requests. No tool normally used for packet capture will show the action (Fiddler, Wireshark, TCPMon), except for Procmon. The entire communication occurs within 2-3ms as seen in Figures 10 and 11. Attempts to use netstat also failed.
Figure 10: Procmon output of TCP communications
Figure 11: Timestamps from beginning to end
Looking at the runtime memory of regsvr32, a large list of C2 addresses were found (Figure 12), along with cookie information and public keys.
Figure 12: Beginning of C2 list in private-mapped memory
SonicWall Real Time Deep Memory Inspection (RTDMI) is detecting the malicious Excel spread sheet in CAPTURE ATP. The emotet dropper, emotet dll and spammer module are also being detected by RTDMI.
Evidence of detection by RTDMI ™ engine for the emotet dll can be seen in the below screenshot :
Figure 13: RTDMI ATP Report results
C2 IP Addresses: