Emotet Returns, Now Adopts Binary Padding for Evasion
Once a user enables macros for the malicious document, it will download a ZIP file will from one of seven hardcoded and obfuscated URLs (which will be iterated through until the file is successfully retrieved):
- hxxps://midcoastsupplies.com[.]au/configNQS/Es2oE4GEH7fbZ/
- hxxp://mtp.evotek[.]vn/wp-content/L/
- hxxp://www.189dom[.]com/xue80/C0aJr5tfI5Pvi8m/
- hxxps://esentai-gourmet[.]kz/404/EDt0f/
- hxxp://139.219.4[.]166/wp-includes/XXrRaJtiutdHn7N13/
- hxxps://www.snaptikt[.]com/wp-includes/aM4Cz6wp2K4sfQ/
- hxxps://diasgallery[.]com:443/about/R/
The macro will then check if the response is 200 (indicating a success retrieval of the file). If so, it will then check if that file is either a PE File or a Zip file, suggesting that the threat actors may adopt alternative file formats to Zip files containing binary padded PE files.
The macro uses a function that checks the file type of the downloaded payload by examining the first two bytes of the file. It first checks if the first two bytes are equal to the ASCII values of “M” and “Z” (77 and 90, respectively). If so, it returns a value of 1, indicating that the file is a PE file. On the other hand, if the first two bytes are not equal to “M” and “Z,” the function checks if they are equal to the ASCII values of “P” and “K” (80 and 75, respectively). If so, it returns a value of 2, indicating that the file is a Zip file.
The CopyHere() method of the Shell32.FolderItems object is then used to extract the contents of the Zip file to the destination folder, after which the macro deletes the temporary folder files.
Finally, regsvr32.exe is invoked and the DLL is loaded with the /s switch to silently execute the Emotet payload to infect the endpoint.
For its stealer and spam routines, Emotet will make a copy of certutil.exe (a legitimate command-line tool) in the temporary directory that starts in a suspended state and then hollowed out.
The malware will then load one of several modules such as NirSoft’s Web Browser PassView and Mail PassView tools, an Outlook stealer, and a spam module before resuming execution. Note that we have not observed any second stage payloads outside of Emotet’s stealer and the spam modules. However, it is possible that payloads (such as backdoors and/or other information stealers) might be dropped in the future to enable access for other threat actors.
Binary padding is used to inflate file sizes so that they exceed the size limitations imposed by anti-malware solutions such as sandboxes and scan engines. In this example, the Emotet DLL is padded with 00 bytes in the overlay, inflating the PE file from 616KB to 548.1MB.
For Emotet, both the dropper document and the PE files use the 00-byte padding technique to inflate the file size. Malicious actors use Zip compression to transport the relatively small files via email and HTTP, before decompression is used to inflate the files to evade security solutions.
Finally, reconnaissance activities are performed either via IP configs or through the affected machine’s system information.
Emotet has been a prolific and resilient threat, even surviving a takedown of its infrastructure in 2021. Given what we’ve seen of Emotet over the years, it would not be surprising to see it evolve further in future attacks, employing alternative malware delivery methods, adopting new evasion techniques, and integrating additional second and even third-stage payloads into its routines.
To avoid getting infected by malicious spam emails, users should be cautious of emails from unknown senders or with suspicious subject lines. These types of emails are often paired with social engineering techniques that are designed to get recipients to click on a link or download an attachment containing malware. Users should also ensure that macros are disabled in Microsoft Office applications and avoid enabling them even when even prompted. Using spam filters can also help automatically filter out suspicious or unwanted emails before they reach the user’s inbox. By following these precautions, both individual users and organizations can greatly reduce the risk of getting infected by malicious spam emails.
Endpoint solutions like Trend Micro’s Smart Protection Suites and Worry-Free Business Security solutions offer protection for both users and businesses against threats like Emotet. These solutions come equipped with behavior-monitoring capabilities that enable them to detect malicious files, scripts, and messages. They can also block all related malicious URLs. Additionally, the Trend Micro™ Deep Discovery™ solution includes an email inspection layer that can identify and protect enterprises from malicious attachments and URLs. By leveraging these powerful tools, users and businesses can effectively defend themselves against the damaging effects of Emotet and other similar threats.
The indicators of compromise for this entry can be found here.