[MALWARE] Emotet

Phishing emails have been arriving in greater numbers lately, and compromised domains are being used to spread malware.

The emails received appear to come from legitimate email addresses and try to lure users into visiting a compromised website that is used to deliver the malware.

The compromised domains used to deliver the payload are:

  • inelite[.]com
  • merzougamoroccotours[.]com
  • hikichi[.]vn

The document was delivered via the domain merzougamoroccotours[.]com and managed to bypass the AV.

When the document is opened, it displays an embedded image stating that the document is protected and that “Enable Content” must be clicked in order to view it.

Clicking “Enable Content” executes a macro, and a PowerShell window can be seen for a split second.

Note: Accessing that link yields multiple generated documents for download.

Once the PowerShell command runs, further files are downloaded and dropped (mgmtapi, SystemSettings.DataModel, and esent).
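The chain described so far (Office document, macro, PowerShell, executables dropped into the user profile) is what endpoint telemetry should catch before any network indicator is needed. The following is an added example, not code from the original write-up: it walks constructed process-creation events (pid, parent pid, image path) modelled on that chain and flags two patterns, an Office application spawning a script host, and an executable under C:\Users whose ancestry includes an Office application. The drop location of mgmtapi.exe in the sample events is an assumption; the analysis names only the file.

```python
import ntpath
from typing import Dict, List

# Image names relevant to the chain above. Only image names are compared,
# so a renamed or relocated script host would not be caught by rule 1.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_PROFILE_ROOT = "c:\\users\\"

# Constructed process-creation events. The Temp location of mgmtapi.exe is an
# assumption made for the sample; RmClient.exe uses the path reported above.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\admin\AppData\Local\Temp\mgmtapi.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\admin\AppData\Local\PresentationHostProxy\RmClient.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Lower-cased image names of the parent, grandparent, ... nearest first.
    Stops at an unknown parent or a pid cycle (reused pids in real telemetry)."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(basename(cur["image"]))
    return chain


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per event matching either rule, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parents = ancestry(e["pid"], by_pid)
        # Rule 1: a script host whose direct parent is an Office application.
        if name in SCRIPT_HOSTS and parents and parents[0] in OFFICE_IMAGES:
            alerts.append({"pid": e["pid"], "image": name, "rule": "office-spawns-script-host"})
        # Rule 2: an executable under the user profile with an Office app anywhere upstream.
        elif (ntpath.normcase(e["image"]).startswith(USER_PROFILE_ROOT)
              and any(p in OFFICE_IMAGES for p in parents)):
            alerts.append({"pid": e["pid"], "image": name, "rule": "user-profile-exe-descends-from-office"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"pid {alert['pid']:>4}  {alert['image']:<16} {alert['rule']}")
```

Rule 2 is deliberately broad: legitimate installers launched from a document link will also trip it, so in practice it is a hunting query rather than a blocking rule, while rule 1 is precise enough to alert on directly.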

Uploading these to VirusTotal, they appear to correspond to Emotet.

They can also be seen in the Startup tab of Task Manager.

Note 2: The malware tried to create a folder named “admin” in C:\Users.

Analyzing each binary

ESENT.EXE

Esent.exe drops another binary named l2nacp.exe in the following path: "C:\Users\admin\AppData\Local\halacpi\". This binary appears to phone home (probably contacting the C&C): it tries to reach the IP 190.202.229.74 and makes a POST request.

MGMTAPI.EXE

Once this binary is run, it drops another binary named “RmClient.exe” in the following path: "C:\Users\admin\AppData\Local\PresentationHostProxy\".

As noted above, the malware again contacts 190.202.229.74. This time, however, it also makes multiple connections to the following IP addresses:

  • 118.69.11.81 port 7080
  • 70.39.251.94 port 8080
  • 87.230.25.43 port 8080
  • 94.23.62.116 port 8080

SYSTEMSETTINGS.DATAMODEL.EXE

Once the binary is executed, it downloads another binary named “rastls.exe” to the following path: C:\Users\admin\AppData\Local\ole32.

That binary again contacts 190.202.229.74.

INPUTINJECTIONBROKER.EXE

Running the binary drops another binary called “rtutils.exe” in the path: “C:\Users\admin\AppData\Local\radardt”.

“rtutils.exe” contacts a second C&C because it could not reach the first one to check in.

It also connects to multiple IPs:

  • 190.202.229.74 port 80 – did not respond
  • 70.39.251.94 port 8080 – the second server it checks in with
  • 118.69.11.81 port 8080
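The check-in behaviour seen across the MGMTAPI and INPUTINJECTIONBROKER sections (POST requests straight to bare IP addresses on ports 80, 7080 and 8080, falling back to the next server when one does not respond) is easy to match in proxy or firewall logs. The block below is an added example, not part of the original analysis: it loads the endpoints listed above as indicators, parses constructed key=value log lines, and raises a high-severity alert on an exact match plus a medium-severity alert on the generic pattern of an HTTP POST whose Host header is an IP literal on one of those ports. Both port numbers reported for 118.69.11.81 are included since the two sections differ.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# C&C endpoints taken from the analysis above (IP, port).
C2_ENDPOINTS = {
    ("190.202.229.74", 80),
    ("118.69.11.81", 7080),
    ("118.69.11.81", 8080),
    ("70.39.251.94", 8080),
    ("87.230.25.43", 8080),
    ("94.23.62.116", 8080),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}
EMOTET_PORTS = {80, 7080, 8080}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines in a simple key=value format. Internal hosts and
# the unknown external address 203.0.113.9 are made up for the example.
SAMPLE_LOG = """\
ts=2019-03-04T10:01:02Z src=10.0.0.15 dst=190.202.229.74 dport=80 proto=tcp method=POST host=190.202.229.74 uri=/
ts=2019-03-04T10:01:07Z src=10.0.0.15 dst=70.39.251.94 dport=8080 proto=tcp method=POST host=70.39.251.94 uri=/
ts=2019-03-04T10:01:09Z src=10.0.0.22 dst=93.184.216.34 dport=443 proto=tcp method=GET host=example.com uri=/
ts=2019-03-04T10:01:11Z src=10.0.0.15 dst=118.69.11.81 dport=7080 proto=tcp method=POST host=118.69.11.81 uri=/
ts=2019-03-04T10:01:15Z src=10.0.0.31 dst=10.0.0.5 dport=8080 proto=tcp method=POST host=intranet.local uri=/api
ts=2019-03-04T10:01:20Z src=10.0.0.40 dst=203.0.113.9 dport=8080 proto=tcp method=POST host=203.0.113.9 uri=/
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict (values contain no whitespace)."""
    return dict(FIELD_RE.findall(line))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious event, else None."""
    dst = event.get("dst", "")
    try:
        port = int(event.get("dport", "0"))
    except ValueError:
        return None
    if (dst, port) in C2_ENDPOINTS:
        return ("high", "known Emotet C&C endpoint")
    if dst in C2_IPS:
        return ("high", "known Emotet C&C address on an unlisted port")
    # Generic pattern from the write-up: POST to a bare IP (no hostname) on an
    # Emotet-style port, leaving the network. Internal traffic is excluded.
    if (event.get("method") == "POST" and port in EMOTET_PORTS
            and is_ip_literal(event.get("host", "")) and not is_internal(dst)):
        return ("medium", "HTTP POST to a bare IP address on an Emotet-style port")
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every non-empty line and collect alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        verdict = classify(ev)
        if verdict:
            alerts.append({"ts": ev.get("ts", ""), "src": ev.get("src", ""),
                           "dst": f"{ev.get('dst', '')}:{ev.get('dport', '')}",
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']:<12} -> {a['dst']:<22} [{a['severity']}] {a['reason']}")
```

The medium-severity rule is the one worth keeping once these particular addresses go stale: it keys on how the check-in looks rather than on where it goes.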

Persistence method

As a persistence method, the binaries add a value to the autorun registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) so that they start at user logon.
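Every dropped binary in this analysis follows the same layout: an executable borrowing the name of a legitimate Windows component (esent, rtutils, rastls, RmClient, l2nacp) placed in a single-level folder directly under %LOCALAPPDATA% and registered in the HKCU Run key. That pattern can be audited independently of file hashes. The following is an added example, not code from the original post: it takes Run-key (name, data) pairs as exported from the key above, works out the executable each one launches, and flags entries that match either part of the pattern. The Run values, user name and environment are constructed for the example, mirroring the paths reported above; the module uses ntpath so it runs on any platform against exported data.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# File names from the analysis above: each dropped executable borrows the
# name of a legitimate Windows component.
SUSPECT_NAMES = {"esent", "mgmtapi", "systemsettings.datamodel", "inputinjectionbroker",
                 "l2nacp", "rmclient", "rastls", "rtutils"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}

# Constructed environment for the "admin" user seen in the reported paths.
ENV = {"LOCALAPPDATA": r"C:\Users\admin\AppData\Local",
       "USERPROFILE": r"C:\Users\admin",
       "windir": r"C:\Windows"}

# Constructed Run-key values: the first three mirror the drop paths reported
# above; the rest are benign entries a typical workstation would carry.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("halacpi", r'"C:\Users\admin\AppData\Local\halacpi\l2nacp.exe"'),
    ("radardt", r"C:\Users\admin\AppData\Local\radardt\rtutils.exe"),
    ("ole32", r"C:\Users\admin\AppData\Local\ole32\rastls.exe"),
    ("OneDrive", r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Vendor Updater", r'"C:\Program Files\Vendor\updater.exe" --quiet'),
]


def expand_env(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references using the supplied environment; unknown ones are kept."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), value)


def extract_exe(command: str) -> str:
    """Pull the executable path out of a Run value (quoted or bare, with optional arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def depth_below_localappdata(path: str, env: Dict[str, str]) -> Optional[int]:
    """Number of directories between %LOCALAPPDATA% and the file, or None if it lives elsewhere."""
    base = ntpath.normcase(env["LOCALAPPDATA"]).rstrip("\\") + "\\"
    p = ntpath.normcase(path)
    if not p.startswith(base):
        return None
    return p[len(base):].count("\\")


def assess(name: str, data: str, env: Dict[str, str] = ENV) -> Optional[Dict]:
    """Return a finding for one Run value, or None when nothing matches."""
    exe = expand_env(extract_exe(data), env)
    directory, filename = ntpath.split(exe)
    stem = ntpath.splitext(filename)[0].lower()
    reasons = []
    if stem in SUSPECT_NAMES and ntpath.normcase(directory) not in SYSTEM_DIRS:
        reasons.append("Windows component name outside a system directory")
    if depth_below_localappdata(exe, env) == 1:
        reasons.append("executable in a single-level folder directly under %LOCALAPPDATA%")
    if not reasons:
        return None
    return {"name": name, "exe": exe, "reasons": reasons}


def audit_run_values(values: List[Tuple[str, str]], env: Dict[str, str] = ENV) -> List[Dict]:
    """Assess every (name, data) pair and keep only the findings, in key order."""
    return [f for f in (assess(n, d, env) for n, d in values) if f]


if __name__ == "__main__":
    for finding in audit_run_values(SAMPLE_RUN_VALUES):
        print(f"{finding['name']:<16} {finding['exe']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On a live host the same pairs come from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM equivalent); the second rule on its own produces some noise from per-user application installers, so the two-reason entries are the ones to triage first.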

OPINIONS

Please note that these are probably compromised domains/servers used to spread the malware, forwarding traffic on to the C&C. Blocking them may limit the spread to some extent, but the attackers will simply compromise other domains/servers to serve their purpose.