
The actors behind the Emotet malware resumed operations on Monday November 5, 2018 after a hiatus of nearly a month. Emotet is one of the most prolific malware families currently in distribution and is responsible for a significant portion of global malware spam. Emotet is known to be bundled alongside other types of malware including Zeus Panda (Panda Banker), Trickbot, and IcedID.

It was reported during the previous week that the Emotet botnet was distributing updated modules to harvest additional email credentials. As a result, there was widespread speculation that the actors would resume operations this week. These suspicions were confirmed Monday.

Traditionally, Emotet is distributed through large-scale spam campaigns whose messages contain links to malicious Word documents. These documents are usually hosted on compromised legitimate websites and contain an embedded PowerShell downloader script. The PowerShell code downloads the next stage of the attack, the malware binary.

Emotet Actors Adopt PDF Files for Malware Distribution

In the renewed attacks that resumed November 5, the actors in some cases opted to use malicious PDF documents as the attachment infection vector. This is not the first time Emotet has been reported to use PDF files for malware distribution, but it is notable because it is a departure from their traditional TTPs.

Please see screenshots below for examples of the malicious PDF files. Note that the social engineering in the malicious PDF files closely matches what we would expect to see in a traditional Emotet spam email.

In these two examples we analyzed closer, the malicious links were exposed as a plaintext URI object in the PDF file as shown below:

Re-use of Previous Attack Infrastructure

By pivoting on these links in our Threat Intelligence Platform, we are able to identify previous Emotet campaigns on October 3 and October 6, 2018 that re-used the same infrastructure. These campaigns took place immediately before the actors went on hiatus:

hxxp://blogforprofits[.]com/792F/WIRE/Personal – Emotet Malicious Document
hxxp://juegosaleo[.]com/iu8xL5T1 – Emotet Malware Binary

The re-activation of previously used infrastructure highlights the need for all organizations to implement some form of malware reputation tracking. precisionsec’s Malware Threat Intelligence enables organizations to protect users by providing detailed IOCs for all observed Emotet campaigns. Proactive blocking of domains that have previously been used in malware attacks is an essential tactic to protect users against threats like Emotet.
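The post makes two practical points above: the malicious links sit in these PDF files as plaintext URI objects, and domains from earlier campaigns were re-used, so a reputation list catches them. The script below is an added example, not precisionsec's code, that pulls `/URI` literal strings out of a PDF with a regular expression and checks each host against a small reputation list. The PDF bytes are constructed here; the two listed domains are the ones named in the post, while the paths and the benign `example.org` link are placeholders. It only catches URIs stored as uncompressed literal strings, which is what the post describes for the two analyzed samples.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal PDF-like byte string carrying two /URI link actions.
# Domains are the two named in the post (defanged there); paths are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://blogforprofits.com/792F/WIRE/Personal) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link
   /A << /S /URI /URI (http://example.org/benign) >> >>
endobj
%%EOF
"""

# Domains the post reports were used on October 3/6 and re-used on November 5.
KNOWN_BAD_DOMAINS = {"blogforprofits.com", "juegosaleo.com"}

# A /URI literal string: "/URI (" ... ")" with backslash escapes tolerated inside.
URI_PATTERN = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return every plaintext /URI literal string found in the PDF bytes, in order."""
    uris = []
    for match in URI_PATTERN.finditer(pdf_bytes):
        raw = match.group(1)
        # Undo the PDF literal-string escapes that can appear in a URL.
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def defang(url):
    """Rewrite a URL in the hxxp://host[.]tld style used for IOCs in the post."""
    host = urlparse(url).hostname or ""
    defanged_host = host.replace(".", "[.]")
    return url.replace("http", "hxxp", 1).replace(host, defanged_host, 1)


def triage_pdf(pdf_bytes, bad_domains=KNOWN_BAD_DOMAINS):
    """Split the PDF's link targets into those on the reputation list and the rest."""
    flagged, clean = [], []
    for uri in extract_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        # Treat the domain itself and any subdomain of it (e.g. www.) as a hit.
        hit = any(host == d or host.endswith("." + d) for d in bad_domains)
        (flagged if hit else clean).append(defang(uri))
    return {"flagged": flagged, "clean": clean}


if __name__ == "__main__":
    result = triage_pdf(SAMPLE_PDF)
    for label in ("flagged", "clean"):
        for uri in result[label]:
            print(f"{label}: {uri}")
```

Running the script against a real sample means reading the file in binary mode and passing the bytes to `triage_pdf`; the reputation set would be fed from a feed of previously observed campaign domains rather than the two hard-coded here.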

If the victim clicks the link in the PDF file, the second stage of the attack is launched. In this case the second stage is a Word document with embedded malicious PowerShell commands. The malicious Word document subsequently downloads the next stage of the malware infection – the Emotet malware binary.

precisionsec is closely monitoring Emotet distribution and our Emotet IOC Feed is constantly being updated. All of the Emotet IOCs in this feed are internally verified using YARA rules.

Emotet IOCs related to this post (please note this is only a fraction of the hundreds of IOCs observed for this campaign):

Document Download URLs:

hxxp://blogforprofits[.]com/files/En_us/Paid-Invoices
hxxp://juegosaleo[.]com/newsletter/US/Invoice-Corrections-for-81/79
hxxp://borggini[.]com/11XW/SEP/Smallbusiness
hxxp://www.zcnet[.]com/0872684IQBTLZW/ACH/Personal
hxxp://www.greenamazontoursperu[.]com/LLC/EN_en/Open-Past-Due-Orders
hxxp://www.conceptsacademy[.]co.in/wp-content/uploads/2018/files/US/024-13-180753-957-024-13-180753-943
hxxp://peconashville[.]com/INFO/En_us/Service-Report-20333/
hxxp://gaardhaverne[.]dk/371880QWYFSQ/PAYMENT/Business/
hxxp://duwon[.]net/wpp-app/4815587SLERFGAN/identity/US/
hxxp://crowdgusher[.]com/Document/US_us/Overdue-payment/
hxxp://craniofacialhealth[.]com/newsletter/US/Past-Due-Invoices/
hxxp://cidadeempreendedora[.]org.br/wp-content/upgrade/65208YCNN/PAY/Smallbusiness/
hxxp://casino338a[.]city/newsletter/En/Invoice-5505302-November/
hxxp://brasileirinhabeauty[.]com.br/Document/En_us/Invoice-for-s/o-11/05/2018/

PDF hashes:

0f2ae420a6d9b4ba5240cd43500de3e9
3cd0067a01935a693a6d26e974ab8a41

Macro-enabled Document hashes:

0fc197fcb690d99b8fa89aca856323a8
228e2defd925478e6d218a1ee1d38c50
325c6240be61e858d1b8989b3beb3fe4
6f65a122f8df74393e511bb788f6e5be
756ea0b24fe267b93ba0ffcd5f75abe3
962d1eb9581fd0853f2c5cb6e6c17954
9c21f220983a10c56a80fac0733a865f
a5b25c43bf5237cf26209d37225b189f
a76cd0e19f10443bf82797309e118594
c4a780ad779e87ee53fb292b28c96a37
c51cd4ae525cccc746af7418f4b640a9
cb010a325ceb9803bc77e81aadb64bf1
d2eac8c5b215308dbc781a1cb02731ae
e3c4669d5b10fc7d83ab9d22a8b53223
e8a69d43cb32354bd852c5ab9c071abe
f8254ac8ef2653d46a8ca33dc79ca256
f8b5dc82433c8eb0ef81160f68c128a3

The full set of IOCs for this campaign is available in our Malware Threat Intelligence Platform. Subscriptions include up-to-date Emotet IOCs as well as comprehensive data on a host of other active malware families. If you would like to see more or schedule a demo, please sign up for a free trial.