Phishing emails seem to come in a bigger number lately and compromised domains are used in order to spread malware.
Emai received seem to come from legitimate email addresses and are trying to make users access an exploited website that is used to deliver the malware.
The exploited domains used to deliver the payload are:
The document was delivered using the domain merzougamoroccotours[.]com and managed to bypass the AV.
Upon opening the document an image is attached in it stating that the document is protected and in order to view it to click on “Enable Content”.
By clicking on “Enable Content” some macro is executed and a Powershell window can be seen for a split second.
Note: If you access that link there are multiple documents generated in order to be downloaded.
Once the Powershell command runs other files are downloaded and dropped (mgmtapi, SystemSettings.DataModel, and esent).
By uploading these to Virus Total they seem to correspond to Emotet.
You can also see them in the StartUp section of task manager.
NOTE 2: It tried to create a folder named “admin” in C:\Users
Analyzing each binary
Esent.exe drops another binary named
l2nacp.exe in the following path:
"C:\Users\admin\AppData\Local\halacpi\". This binary seems to phone home (contact the C&C probably). The IP it tries to reach is
220.127.116.11, and makes a POST request.
Once this binary is run it drops another binary named “
RmClient.exe” in the following path:
As said before the malware contacts again
18.104.22.168. However, this time I’ve seen that it makes multiple connections to the following IP addresses:
- 22.214.171.124 port 7080
- 126.96.36.199 port 8080
- 188.8.131.52 port 8080
- 184.108.40.206 port 8080
Once the binary is executed it downloads another binary named “
rastls.exe” to the following path:
That binary contacts this IP again:
Running the binary drops another binary called “
rtutils.exe” in the path: “
“rtutils.exe” contacts a 2nd C&C because it couldn’t contact the firstone to check-in.
It also connects to multiple IPs:
- 220.127.116.11 port 80 – Didn’t respond
- 18.104.22.168 port 8080 – It’s the second server it checks with
- 22.214.171.124 port 8080
As persistence method the binaries add a value to the autorun registry key in order to start (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run).
Please note that probably these are compromised domains/servers used in spreading malware and they forward the traffic to C&C. Blocking them might stop to an extent the malware spread but we know that the attackers are going to compromise other domains/servers to serve their scope.