Today, 30th November 2018, Deep Secure researchers identified a new variant of the Emotet banking Trojan, currently active in the UK.
The banking Trojan was first discovered in 2014, but what makes this variant, codenamed EmoTroDeepCover_341, remarkable is the level of obfuscation applied to evade detection by both detection-based anti-malware and sandboxing tools.
Infiltration
The malware is spread via an email attachment containing a heavily obfuscated macro hidden inside a Word document. An example of the cover email is shown below.
Figure 1 - Cover Email
Infection
The email attachment is a Word 97 document using a typical social engineering trick to persuade the user to unwittingly trigger the exploit.
Figure 2 - User Prompt
Evasion
What is remarkable about the variant is the extent to which the VBA code inside the Word document is concealed, to the point where standard pen-testing tools that perform static code analysis are unable to de-obfuscate the code and reveal the next stage of the exploit.
Figure 3 - Obfuscation and Evasion
Deep Secure researchers were able to reveal the code by dynamically analysing the malware, and discovered that a heavily obfuscated shell call is made.
Figure 4 - Shell Call
The malicious code is downloaded by this PowerShell command:
Figure 5 - PowerShell Command
Analysis revealed that the attacker uses an http:// path to download the malware from multiple websites, using the '@' symbol to separate each of them. The whole string is then reversed to reveal the true HTTP paths.
The list of domains hosting the malicious code is:
http://westfallworks.com
http://xplorar.com.br
http://rmdpolymers.com
http://pegas56.ru
As of today, xplorar.com.br and pegas56.ru are still hosting the malicious executable.
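For triage of samples using the same trick, the decoding step described above (undo the string reversal, then split the '@'-joined list into individual download URLs) can be automated so that hosts can be pulled straight into a blocklist or proxy-log search. The following is an added example, not code from the original post or from Deep Secure; the obfuscated sample string is constructed for this illustration and uses placeholder `.invalid` hosts rather than the live domains listed above.

```python
"""Recover '@'-joined, reversed download URLs (pattern described in the post).

Added example for defensive triage. The sample input below is constructed
and uses placeholder hosts; it is not taken from the malware.
"""
import re
from urllib.parse import urlparse

# Only accept well-formed http(s) URLs once the list has been split apart.
URL_RE = re.compile(r"https?://[^\s'\"@]+", re.IGNORECASE)

# Constructed placeholder list, laid out the way the post describes:
# several URLs joined with '@', then the whole string reversed.
CONSTRUCTED_URLS = [
    "http://dropper-a.invalid/dl/",
    "http://dropper-b.invalid/",
    "http://dropper-c.invalid/x/",
]
SAMPLE_OBFUSCATED = "@".join(CONSTRUCTED_URLS)[::-1]


def looks_reversed(text: str) -> bool:
    """Cheap triage heuristic: a reversed 'http://' shows up as '//:ptth'."""
    return "//:ptth" in text.lower()


def recover_urls(obfuscated: str, reversed_text: bool = True) -> list[str]:
    """Undo the reversal (if applied) and split on '@' into individual URLs.

    Returns the URLs in the order the attacker's script would try them.
    Chunks that are not well-formed http(s) URLs are dropped rather than
    guessed at, so noise in the decoded string does not become a false IoC.
    """
    text = obfuscated[::-1] if reversed_text else obfuscated
    urls = []
    for chunk in text.split("@"):
        chunk = chunk.strip()
        if URL_RE.fullmatch(chunk):
            urls.append(chunk)
    return urls


def extract_hosts(urls: list[str]) -> list[str]:
    """Unique, sorted hostnames from a URL list, e.g. for a blocklist entry."""
    hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    return sorted(hosts)


if __name__ == "__main__":
    print("reversed marker present:", looks_reversed(SAMPLE_OBFUSCATED))
    for url in recover_urls(SAMPLE_OBFUSCATED):
        print("download URL:", url)
    print("hosts:", extract_hosts(recover_urls(SAMPLE_OBFUSCATED)))
```

Because the reversal is undone before splitting, the '@' separators come out in their original positions; if a sample stores the list unreversed, pass `reversed_text=False`. The `//:ptth` check is a useful first-pass indicator when scanning decoded macro strings, since a legitimate script has no reason to contain a backwards URL scheme.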
Payload
Through analysis of the executable, the researchers were able to confirm the presence of the Emotet banking Trojan, first seen in the wild in 2014. "What sets this variant apart is that the attackers have very heavily obfuscated the executable, applying anti-malware and anti-sandboxing evasion and obfuscation tactics to the point where analysis is nearly impossible", commented Deep Secure researcher Aaron Mulgrew.
Mitigation
Customers of Deep Secure Content Threat Removal are automatically protected from the EmoTroDeepCover_341 banking Trojan.
Deep Secure's unique approach to content transformation ensures that business content crossing the security boundary is rendered totally threat-free without the need to try to detect the presence of a threat. The malicious code is simply discarded during transformation.