Malspam Leads to Malicious Word Document Which Downloads Geodo/Emotet Banking Malware

Download location where I got the malicious Word document:

  • 192.232.223.76 – kinonah.com – GET /Cust-4762868855/ – Compromised website hosting malicious Word document

Additional Word document download locations:


Geodo/Emotet download locations:

  • 209.97.242.26 – dynamat.com/tou1yn-sq755-x/
  • 69.163.152.76 – sheacorp.com/ism3qo-u416-kjdd/
  • 74.55.90.58 – bullridemania.com/vs9r-z679-yg/
  • 144.208.69.18 – melodywriters.com/um5tc-c110-srd/
  • 79.96.237.135 – masil.pl/gfx/mhl7mcv-hb478-qy/

Additional Geodo/Emotet download locations:

  • 148.251.213.108 – arrowlink.com/uk1ej-kt757-md/
  • 80.150.6.143 – stromkontor.org/b8hcg-o392-gj/
  • 192.185.145.58 – danmichaelis.com/uf1t-g513-xa/
  • 143.95.238.54 – mmaacombatzone.com/wse9o-jr465-pguf/

C2s:


Secondary downloads:

Infection Chain:

My infection chain didn’t begin with the email. Instead, I had an alert in a SIEM from a Wildfire event catching return HTTP traffic from hand-ip.com/Cust-Document-5777177439/ at 192.185.88.17. The return HTTP traffic was attempting to deliver the malicious Word document to the internal host. While I didn’t receive the malspam it would seem as though they’re sending out phishing emails with malicious links that point to the malicious Word documents being hosted on various compromised websites.

I decided to download the Word document to see what was going on. Once I downloaded the Word document I opened it and was presented with the familiar social engineering tricks of enabling editing and then enabling content:

[Image: Word document. The user must enable editing.]

[Image: Word document 2. The user must enable content.]

[Image: Word document 3. After enabling editing and content, I got some error code.]

Once the user enables both editing and content, their host makes GET requests for the malware payload hosted on numerous compromised websites. Below is an example of the network traffic up to this point:

[Image: Traffic 1. Network traffic from the Word document download through the payload requests.]

The Hybrid-Analysis report for the Word document shows the processes and the PowerShell script used to download the malware:

[Image: Script. Hybrid-Analysis process tree and the PowerShell download script.]

The malware payload is dropped in %Temp% and then moves itself to %AppData% under a random folder:

[Images: Temp, AppData, AppData 2. The payload in %Temp% and its copy under a random %AppData% folder.]

MspthrdWake’s .lnk file is created inside the Startup folder in the system Start Menu so it can automatically run whenever the system starts:

[Image: Startup. The .lnk file in the Start Menu Startup folder.]

Earlier versions would use HTTP POST requests containing the encrypted data to the C2 server. However, newer variants use GET requests and send the encrypted data within a Base64-encoded cookie string:

[Image: Cookie string Emotet. A C2 GET request with the Base64 cookie.]

The C2 server responds with a fake “404 Not Found” status; however, the body is full of encrypted data.
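As an added illustration (not code from the original post), here is a small Python triage over constructed HTTP request/response pairs that flags the two traits described above: a GET whose Base64 cookie decodes to non-text bytes, and a "404" whose body is binary rather than an error page. The host, cookie names and byte contents are made-up sample data, and the 80% printable threshold is my own choice.

```python
import base64
import binascii
import re

# Long, pure-Base64 cookie values (no URL encoding, optional padding).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

def cookie_blobs(cookie_header, min_len=32):
    """Decode every Base64-looking cookie value that is at least min_len bytes."""
    blobs = []
    for part in cookie_header.split(";"):
        _, _, value = part.strip().partition("=")
        if not B64_RE.match(value):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue
        if len(raw) >= min_len:
            blobs.append(raw)
    return blobs

def looks_binary(data):
    """True when fewer than 80% of the bytes are printable ASCII (ciphertext-like)."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) < 0.8

def classify(method, cookie, status, body):
    """Reasons one request/response pair matches the cookie check-in pattern."""
    reasons = []
    if method == "GET" and any(looks_binary(b) for b in cookie_blobs(cookie)):
        reasons.append("GET carrying a binary blob in a Base64 cookie")
    if status == 404 and looks_binary(body):
        reasons.append("404 response with a binary body")
    return reasons

def suspicious(exchanges):
    """(index, reasons) for every exchange that triggers at least one rule."""
    return [(i, r) for i, e in enumerate(exchanges) if (r := classify(*e))]

# Constructed samples as (method, Cookie header, status, response body): an Emotet-style
# check-in, an ordinary broken link with an HTML 404, and a long cookie holding readable JSON.
SAMPLE_EXCHANGES = [
    ("GET", "sid=" + base64.b64encode(bytes(range(128, 224))).decode(), 404, bytes(range(256))),
    ("GET", "session=abc123", 404, b"<html><body>Not Found</body></html>"),
    ("GET", "prefs=" + base64.b64encode(b'{"user":"alice","role":"viewer"}').decode(), 200, b"<html>ok</html>"),
]
```

Only the first sample is reported; the JSON cookie decodes to printable text and the real 404 carries an HTML page, so neither trips the rules.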

During one of my infections I also noticed another GET request for incadesc.com.mx/dephm8uabdpkb83arcml/. This delivered the file “3658854804.exe”:

[Image: Temp 2. The file 3658854804.exe in %Temp%.]

Around the same time I got this executable I noticed another user on Twitter mention it as well:

[Image: Twitter. Another user's post about the same executable.]

The other executable, “103171900.exe”, scanned clean on VirusTotal. Its file details show it to be autoconv.exe, the Auto File System Conversion Utility from Microsoft Corporation.

https://www.virustotal.com/en/file/2ab981cfb743f3573d1dde48d6496fe8c315ff3c492c41711f4cb6b2024e0ec3/analysis/

Here is some of the C2 GET request traffic, filtered in Wireshark:

[Image: C2 traffic. Wireshark view of the C2 GET requests.]

Download the malicious Word document (password is infected):

Malicious Word Doc.zip

All the other files can be downloaded via the Hybrid-Analysis reports.

Until next time!

References:

  1. http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1
  2. https://blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk
  3. https://www.cyphort.com/emotet-cookies-c2-fakes-404/
  4. https://www.cisecurity.org/emotet-changes-ttp-and-arrives-in-united-states/
  5. https://myonlinesecurity.co.uk/open-the-attachment-to-view-the-document-malspam-delivers-a-multitude-of-malware/
Comments:

  1. The autoconv.exe is an evasion tactic by the malware. Basically if it decides based on some criteria it is being analysed or sandboxed it runs something like “cmd.exe /c ping.exe -n 6 127.0.0.1 & type “%WINDIR%\System32\autoconv.exe” > “C:\114443363.exe” to overwrite itself. Check out these hybrid-analysis records.

    Infected Word Doc:
    https://www.hybrid-analysis.com/sample/c28aa0ddc6bdc5c7c34e2634d6f1d73aac0527cf3b512cfb4a611817bc6870b3?environmentId=100

    First EXE it dropped:
    https://www.hybrid-analysis.com/sample/c2d3856c203245f0849b52d46fb25f5b4ffc7b2a031e61b5141bde6fb2bbc8e0?environmentId=100

    Second EXE it dropped:
    https://www.hybrid-analysis.com/sample/de3b0d40b3a8ce8be51c831d980d916293b3c14f13b719f99123bc907790791b?environmentId=100

    Open the infected word doc and away it went.
    Emotet stole the local credentials (Chrome Auto-Complete) from the device, stashed them in a .tmp file in the %appdata% folder and transmitted them.
    The second EXE started trying what must have been a dictionary attack against the active directory accounts on the network.
    I submitted both EXEs to hybrid-analysis and malwar, but the EXEs just overwrote themselves with autoconv.exe both times rather than executing their payload.


    1. Correction I guess, looks like the malware that stole the credentials was Emotet version E AKA “Heodo”, apparently the successor of Geodo / Emotet.


    2. Hey,

      Thank you for the detailed information!


  2. […] earlier, we didn't obtain a copy of the email with a link to the Word document. Last month, a similar report on Emotet was published on malwarebreakdown.com, but it was also without an example of the associated emails. […]


  3. I was sent a very similar package by my local city recycling utility today. It seems that their email system got infiltrated and the malicious word doc was sent as an attachment to customers who recently submitted customer service requests. The macro was written in French!

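The autoconv.exe self-overwrite described in the first comment above is easy to spot in process-creation logs. The following Python is an added example, not part of the post or its comments; the command lines are constructed (the first modelled on the shape quoted in that comment), and the indicator names are my own.

```python
import re

# Ping to loopback used as a sleep, as in the quoted "ping.exe -n 6 127.0.0.1".
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1", re.I)
# "type <exe> > <exe>": copying one executable over another through a shell redirect.
TYPE_OVERWRITE = re.compile(
    r'\btype\s+"?(?P<src>[^"&>]+?\.exe)"?\s*>\s*"?(?P<dst>[^"&>]+?\.exe)"?', re.I)

def exe_overwrite(cmdline):
    """Return (source, destination) when the command copies an .exe via 'type ... >', else None."""
    m = TYPE_OVERWRITE.search(cmdline)
    return (m.group("src").strip(), m.group("dst").strip()) if m else None

def triage(cmdline):
    """List the indicators found in one process command line (empty list = nothing of note)."""
    reasons = []
    if PING_SLEEP.search(cmdline):
        reasons.append("loopback ping used as a delay")
    overwrite = exe_overwrite(cmdline)
    if overwrite:
        reasons.append("executable overwritten via type redirect")
        if "system32" in overwrite[0].lower():
            reasons.append("source is a System32 binary")
    return reasons

def flag_overwrites(cmdlines):
    """(index, reasons) for every command line that performs the exe overwrite."""
    return [(i, triage(c)) for i, c in enumerate(cmdlines) if exe_overwrite(c)]

# Constructed command lines: the comment's pattern, two benign uses of type/ping,
# and an overwrite whose source is not a System32 binary.
SAMPLE_CMDLINES = [
    r'cmd.exe /c ping.exe -n 6 127.0.0.1 & type "%WINDIR%\System32\autoconv.exe" > "C:\114443363.exe"',
    r"cmd.exe /c type C:\logs\app.log > C:\logs\all.log",
    r"ping -n 4 10.0.0.1",
    r'cmd /c type "C:\Tools\build\helper.exe" > "D:\backup\helper.exe"',
]
```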
