Antigen Security – Cyber Pathogenesis Series – Emotet Malspam Strikes Back!

Share This Post

Case Summary

Antigen Security was engaged by the victim client to investigate a possible Business Email Compromise. Business Email Compromise (BEC) is a cyberattack involving the hacking or spoofing of a business email address. The victim of a BEC attack typically receives an email that appears to come from a trusted business that looks and feels genuine. But frequently it contains a phishing link, a malicious attachment, or a request to transfer money to the attacker. The client reported receiving multiple such phishing emails including ones with malicious Excel Spreadsheets attached. Following payload execution, “invoice.xls” three dropped files: yhjlswle.vbs, dkwtoaqzbs.hfb, and ughldskbhn.bat on the host, all of whom were quarantined by the endpoint detection and response tool.

During the investigation, Antigen Security assessed with confidence that this was a targeted Emotet malware campaign in which approximately 135 malicious emails were sent to the client’s employees between February 7, 2022 and February 8, 2022. Emails sent by the threat actor were tailored to lure users with factual company details such as specific employee names and facility conference rooms.

The threat actor staged 7 waves of phishing between February 7, 2022 and February 8, 2022. During the first phishing wave, the threat actor successfully lured one employee into opening a suggestively named Excel file embedded with a malicious payload. Many of the later phishing emails contained details that suggested the initial victim user’s email was exfiltrated and incorporated into the subsequent phishing waves based on suggestive email subject lines. The next 6 phishing waves were seen to be unsuccessful. In total, the phishing emails received by the client contained a total of 28 unique phishing malware payloads, 3 unique code blocks, and 43 unique domains used as threat actor infrastructure.

Antigen Security collected triage-level data from the single infected host machine and conducted extensive forensic analysis of the device. Through analysis Antigen Security was unable to identify any evidence of successful lateral movement or signs of persistence. However, upon further review of the different malware targeting the client it was clear to Antigen Security that lateral movement was the threat actor’s intent. Antigen Security confirmed that the EDR tool quarantined the malware before any attempt was successful.

Figure 1: Analysis of Malicious Executable Sent to Client

Figure 2: Invoice.xls ATT&CK Matrix

Analyst Comments

The client’s EDR solution played a crucial role in stopping the spread of the Emotet malware. When the malicious executable was opened from the first phishing email, the client’s EDR solution was able to successfully quarantine the malware before it was ever able to run. Had this payload been properly executed, the threat actor would have been able to secure a foothold and laterally move throughout the network. EDR solutions are a great defense against cyber-attacks, particularly when used in tandem with cybersecurity best practices.

  • Office365 best practices are the most effective way to avoid a business email compromise.
  • Ensure that your users are trained to recognize and easily report phishing attacks and employ strong passwords.
  • Enable MFA so that users will have to utilize a 2-step verification at logon.
  • Block corporate password reuse to better enable strong passwords and limit the attempts at password guessing from threat actors.
  • Deploy an anti-malware solution and deploy anti-phishing defenses.
  • Disable basic authentication in order to stop proxy authentication an attacker could leverage. Furthermore, you also want to identify which conditional access policies make sense for your client/company.
  • Lastly, ensure that audit logging is turned on to ensure logs are available to review in the event of an incident or for self-auditing.

During the investigation, Antigen identified phishing emails that suggested the initial victim user’s inbox was compromised. However, the second through seventh wave of phish appeared to have email content from the known compromised user’s account seeded in the subject lines, according to the IT staff. If true, it means the threat group ingested the compromised user’s email, parsed the email chains for details, and composed the next wave of tailored emails together with those parsed details in approximately 1 hour based on the observed timeline of events. Achieving that in relatively short window of time would most be most practical via polymorphism, a feature later detailed in the The Hacker News. Rapidly changing tactics mid campaign demonstrates sophistication, but to intelligently automate it via polymorphic code it makes it all the more remarkable.

Get Help from Our Experts

As sophisticated attacks such as BECs have become common, it’s important to be prepared with an incident response plan. Antigen Security can help you determine the next steps in the aftermath of an attack. Schedule a meeting with one of our experts to get started.

Suspicious C2 Domains and IPs

Domain Location ISP Provider IP
https://fullness-safety[.]com/-/P6x/ United States CYBERCON 65.175.118.94
https://nabajyotifoundation[.]com/da8uc7jo/4Za/ Germany Contabo GmbH 178.18.255.145
https://dwwmaster[.]com/wp-content/ebHTB4UF2/ China Huawei Cloud Service data center 121.36.207.120
http://formula8020[.]com/css/56Dzi0P/ United States GOOGLE 34.98.99.30
https://calad-formation[.]fr/r3x94z/kgZ9OGCi/ France OVH SAS 54.36.91.62
http://lissbernardin[.]com/hthjb3i/x9KHpCeYrr/ United States GO-DADDY-COM-LLC 132.148.230.59
http://royalsnackmyanmar[.]com/wp-includes/GMtz6DxM/ Thailand GMO-Z com NetDesign Holdings Co., Ltd. 163.44.198.39
http://pristineservices[.]findfacts[.]co[.]in/cgi-bin/BuLyc2HKLHIQVHQLc/ India PUBLIC-DOMAIN-REGISTRY 103.195.184.162
http://speedrankingsystem[.]de/wp-admin/k63ZcimPsE6/ Germany Host Europe GmbH 92.204.37.72
https://tigela[.]org[.]np/wp-content/Irp27O71/ United States LIMESTONENETWORKS 63.143.33.122
https://royaltyrealtynsb[.]com/backup_1/g51THhhLLUqodx6/ United States DIGITALOCEAN-ASN 142.93.205.206
http://bachilleratoporciclos[.]co/wp-content/PvIIx7/ United States GO-DADDY-COM-LLC 72.167.66.37
https://edu-media[.]cn/wp-admin/cKi/ China Hangzhou Alibaba Advertising Co., Ltd. 123.56.83.149
https://rtd[.]b2bpipe[.]cn/wp-content/8ESRhIJAIRh/ China Hangzhou Alibaba Advertising Co., Ltd. 47.95.142.91
https://youlanda[.]org/eln-images/n8DPZISf/ United States INFB2-AS 66.175.58.9
http://rosevideo[.]net/eln-images/EjdCoMlY8Gy/ United States INFB2-AS 66.175.58.9
http://vbaint[.]com/eln-images/H2pPGte8XzENC/ United States INFB2-AS 66.175.58.9
https://framemakers[.]us/eln-images/U5W2IGE9m8i9h9r/ United States INFB2-AS 66.175.58.9
http://niplaw[.]com/asolidfoundation/yCE9/ United States INFB2-AS 66.175.58.9
http://robertmchilespe[.]com/cgi/3f/ United States INFB2-AS 66.175.58.9
http://vocoptions[.]net/cgi/ifM9R5ylbVpM8hfR/ United States INFB2-AS 66.175.58.9
http://missionnyc[.]org/fonts/JO5/ United States INFB2-AS 66.175.58.9
http://robertflood[.]us/eln-images/DGI2YOkSc99XPO/ United States INFB2-AS 66.175.58.9
http://mpmcomputing[.]com/fonts/fJJrjqpIY3Bt3Q/ United States INFB2-AS 66.175.58.9
http://dadsgetinthegame[.]com/eln-images/tAAUG/ United States INFB2-AS 66.175.58.9
http://smbservices[.]net/cgi/JO01ckuwd/ United States INFB2-AS 66.175.58.9
http://stkpointers[.]com/eln-images/D/ United States INFB2-AS 66.175.58.9
http://rosewoodcraft[.]com/Merchant2/5[.]00/PGqX/ United States INFB2-AS 66.175.58.9
http://santafetortilla[.]com/_baks/tUx9/ United States INFB2-AS 66.175.58.9
http://donbaham[.]com/Home_files/YS0PAZPXcYeraes/ United States INFB2-AS 66.175.58.9
http://barnhart-studios[.]com/eln-images/Vghg1n/ United States INFB2-AS 66.175.58.9
http://blute[.]com/3Dtech/jLu8IAnnj3gK9Wc/ United States INFB2-AS 66.175.58.9
http://zenzebra[.]net/plath/9Q0DBlE/ United States INFB2-AS 66.175.58.9
http://rogerschultz[.]com/eln-images/u0vT/ United States INFB2-AS 66.175.58.9
http://realacorp[.]net/PhotoGallery/UwmRHceSGbaCeGF/ United States INFB2-AS 66.175.58.10
http://miniflam[.]com/eln-images/fSwbQjUMAfGxgdw/ United States INFB2-AS 66.175.58.9
http://marezdecor[.]com/MarezGallery/sEQxWTpMJ7A8rAtY0D/ United States INFB2-AS 66.175.58.9
http://hollywoodvisual[.]com/eln-images/HIWl5z/ United States INFB2-AS 66.175.58.9
http://marcowine[.]com/Images/SLlwnvS7Uxnymm/ United States INFB2-AS 66.175.58.9
http://chpopesco[.]com/Gallery/wPY7j2SE5MIv/ United States INFB2-AS 66.175.58.9
http://modsociete[.]com/cgi/qtAP/ United States INFB2-AS 66.175.58.9
http://boamorph[.]com/cgi/hTa5ip96VSdNjX/ United States INFB2-AS 66.175.58.9
http://annefront[.]com/eln-images/gANlH/ United States INFB2-AS 66.175.58.9

IOCs

19eff21c6da7f505333f1cfe83cbbbb98f9d999a  yhjlswle.vbs
N/A dkwtoaqzbs.hfb
F487A3876DB9CB4332A7CAD95D6795798812CDA0 ughldskbhn.bat
d0e36133984e3b709a001dd144b087699ab219e1  SURI745522740Xinvoice.xls
bd3623061918dcae9ab33bd85c0d9c3161a7985e  2022_02-XBalance.xls
a084feccc72223893a0a90ccc5aba007fe667c5b  POX2022-02-07_1909.xls
45743f2c86f06d92ab462525e0d7e74af48e9022  Invoice.xls
0795979af54712ba36b4bbdac48ec92608d22e4c  JPKG33964570.xls
899959ffa8e30daade07fe569402d99b5f45e26a  25947431_Dt_02072022.xls
b2cb19c63e5b1deba78a94f0c56f5e461f204ad0  PaymentXstatus.xls
9fa4f580fc7edf7ddb40671034e351c68a370084  InvoiceX2894350973XX51444212.xls
37ea002cf2690c279060c05cd80b9ce0190275e1  form.xls
62cfd18a51c52ffdbd4a8d8795d3b26d989df0a9  InvoiceXforXpayment.xls
7e912cccfb4e8c274a25c835e8a7a46adfe68ad1  Transaction.xls
18fedfcb99f8c42a87ee73104fa11e2aeb8c0bfd  BANKXTRANSFERXCOPYXACH.xls
d94c26f5fab3c4fcfb9512127de57920f865ddd2  INVOICEX2022-02-08_1604.xls
fd429bdb7c0fcf8abf9910fd6bd654e070117687  ACHXPaymentXAdvice.xls
40b591272394f3fb5351bd89ebf9f1ba7c7a31d1  JE0856149308.xls
37ea002cf2690c279060c05cd80b9ce0190275e1  2022_02-XReport.xls
6b122a9dae8561df51674aa187e907ab00b77ac4  2022_02-XStatement.xls
50aabeaf06ab6e639856469a58f5c5ddc727b7a7  paymentsX2022-02-07_1547.xls
a30501cb55be3d9b1ab2c1409e1296c34eb88de9  check.xls
392c39f5c13df58aaa2b2b9f5252bbed0ffa81f0  Report.xls
f90ed89aebf00307104edec3083620a4e11c8d17  FW-9262Xreport.xls
9fc0c6329dd43edc4e672481dee69748ea18c5aa  20142232_Dt_02072022.xls
c7c4ef715d70599dc3f8518cb202afb52bb0831e  winmail.dat
c6e361acef905dd1c42d4beb467bacd25da73390  19465779_Dt_02072022.xls
d7dc1602d07d58dfea0d32cc48d57e0d3659fcdb  ACHXForm.xls
a9073ef3747f3bd42d926c90815c76d65c105877  ElectronicXform.xls
37ea002cf2690c279060c05cd80b9ce0190275e1  2022_02-XBalanceXXXPaymentXReport.xls
95885fb8aeb7e3d4577df44b7d51f2f98a7bd26d  payment.xls
c0625676c00831b394f4017e51f50d92363543d5  77299610_Dt_02072022.xls
d1c1a4553882663d6652189208435ce0e96268d3  InvoiceX5XXXXXXXXXXXXE81199781.xls

Resources

  • https://threatpost.com/emotet-spreading-malicious-excel-files/178444/
  • https://github.com/pr0xylife/Emotet/blob/main/e4_emotet_09.02.2022.txt
  • https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/
  • https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html
  • https://www.checkpoint.com/press/2022/january-2022s-most-wanted-malware-lokibot-returns-to-the-index-and-emotet-regains-top-spot/
  • https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide

Make sure your business overcomes threats

Get in touch to learn how to prevent a breach from costing you more than it has to.