Emotet Resumes Operations, Distributes Malicious PDF Files
The actors behind the Emotet malware resumed operations on Monday, November 5, 2018, after a near month-long hiatus. Emotet is one of the most prolific malware families in distribution and is responsible for a significant portion of global malware spam. It is also known to act as a loader for other malware families, including Zeus Panda (Panda Banker), Trickbot and IcedID.
During the preceding week it was reported that the Emotet botnet was distributing updated modules to harvest additional email credentials, prompting widespread speculation that the actors would resume operations. That speculation was confirmed on Monday.
Traditionally, Emotet spam is distributed through large-scale campaigns containing links to malicious Word documents hosted on compromised legitimate websites. The documents carry a macro that launches an embedded PowerShell downloader, which fetches the Emotet binary.
Emotet Adopts PDF Files for Distribution
In the renewed attacks beginning November 5, the actors opted in some cases to use malicious PDF documents as the attachment infection vector. This is not the first time Emotet has been reported to use PDFs, but it is notable as a departure from the group's traditional TTPs.
The social engineering in the malicious PDFs closely matches what we would expect in a traditional Emotet spam email:

[Figure: the malicious PDF lure]
In the two samples we analysed more closely, the malicious links were embedded as plaintext URI objects in the PDF:

[Figure: the plaintext /URI object containing the malicious link]
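Because the links sit in plaintext `/URI` actions, they can be pulled straight out of the raw PDF bytes without rendering the file, and the resulting hostnames are what we pivot on in the next section. The following is an added triage script, not code from the original post or from PrecisionSec: it scans a PDF for `/URI` strings (literal and hex-encoded), defangs them in the `hxxp://host[.]tld` style used in this post, and checks the hosts against a set of hosts from earlier campaigns. The embedded PDF is a constructed minimal file whose two links point at document-download URLs listed below; the prior-campaign host set is taken from the October 2018 URLs quoted in the next section.

```python
"""Extract, defang and pivot on /URI link targets in a raw PDF."""
import re
from urllib.parse import urlsplit

# Constructed sample (not one of the real Emotet PDFs): one page with two /Link
# annotations whose /URI actions carry URLs from the post's IOC list.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://blogforprofits.com/files/En_us/Paid-Invoices) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
   /A << /S /URI /URI (http://juegosaleo.com/newsletter/US/Invoice-Corrections-for-81/79) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by a PDF literal string "( ... )" (backslash escapes allowed inside)
_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# /URI followed by a PDF hex string "< ... >"
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape(raw):
    """Undo the escapes that matter for a URL: \\( \\) and \\\\ (octal escapes are left as-is)."""
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def extract_uris(pdf_bytes):
    """Return every /URI target found in the raw bytes, in file order.

    Scanning the raw bytes also catches links in malformed objects a strict
    parser would reject; it does not look inside compressed object streams.
    """
    found = []
    for m in _LITERAL.finditer(pdf_bytes):
        found.append((m.start(), _unescape(m.group(1))))
    for m in _HEX.finditer(pdf_bytes):
        found.append((m.start(), bytes.fromhex(m.group(1).decode("ascii"))))
    return [u.decode("latin-1") for _, u in sorted(found)]


def defang(url):
    """Rewrite a URL so it will not auto-link: http -> hxxp, every dot in the host -> [.]"""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return f"{scheme}://{host}{rest}"


def hosts(urls):
    """Hostnames to pivot on: lower-cased, with a leading 'www.' dropped."""
    out = set()
    for u in urls:
        h = (urlsplit(u).hostname or "").lower()
        out.add(h[4:] if h.startswith("www.") else h)
    return out


# Hosts from the October 2018 (pre-hiatus) campaign URLs quoted in the post.
KNOWN_EMOTET_HOSTS = {"blogforprofits.com", "juegosaleo.com"}


def pivot(urls, known=KNOWN_EMOTET_HOSTS):
    """Return the hosts in `urls` that already appeared in earlier campaigns."""
    return sorted(hosts(urls) & known)


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    for u in uris:
        print(defang(u))
    print("reused infrastructure:", pivot(uris))
```

Run it against a real sample with `extract_uris(open(path, "rb").read())`; links inside compressed object streams will need the file decompressed first (for example with a PDF library or `qpdf --qdf`), which this scanner deliberately does not attempt.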
Infrastructure Reuse
By pivoting on these links in our Threat Intelligence Platform, we found that the new campaign reuses infrastructure from the Emotet campaigns of October 3 and October 6, 2018, the last campaigns to run before the actors went on hiatus:
hxxp://blogforprofits[.]com/792F/WIRE/Personal (Emotet malicious document)
hxxp://juegosaleo[.]com/iu8xL5T1 (Emotet malware binary)
If the victim clicks the link in the PDF, the second stage is fetched: a macro-enabled Word document. When the victim enables macros, the document runs an embedded PowerShell command that downloads and executes the Emotet binary.
Indicators of Compromise
Document download URLs:
hxxp://blogforprofits[.]com/files/En_us/Paid-Invoices
hxxp://juegosaleo[.]com/newsletter/US/Invoice-Corrections-for-81/79
hxxp://borggini[.]com/11XW/SEP/Smallbusiness
hxxp://www.zcnet[.]com/0872684IQBTLZW/ACH/Personal
hxxp://www.greenamazontoursperu[.]com/LLC/EN_en/Open-Past-Due-Orders
hxxp://www.conceptsacademy[.]co.in/wp-content/uploads/2018/files/US/024-13-180753-957-024-13-180753-943
hxxp://peconashville[.]com/INFO/En_us/Service-Report-20333/
hxxp://gaardhaverne[.]dk/371880QWYFSQ/PAYMENT/Business/
hxxp://duwon[.]net/wpp-app/4815587SLERFGAN/identity/US/
hxxp://crowdgusher[.]com/Document/US_us/Overdue-payment/
hxxp://craniofacialhealth[.]com/newsletter/US/Past-Due-Invoices/
hxxp://cidadeempreendedora[.]org.br/wp-content/upgrade/65208YCNN/PAY/Smallbusiness/
hxxp://casino338a[.]city/newsletter/En/Invoice-5505302-November/
hxxp://brasileirinhabeauty[.]com.br/Document/En_us/Invoice-for-s/o-11/05/2018/
PDF hashes (MD5):
0f2ae420a6d9b4ba5240cd43500de3e9
3cd0067a01935a693a6d26e974ab8a41
Macro-enabled document hashes (MD5):
0fc197fcb690d99b8fa89aca856323a8
228e2defd925478e6d218a1ee1d38c50
325c6240be61e858d1b8989b3beb3fe4
6f65a122f8df74393e511bb788f6e5be
756ea0b24fe267b93ba0ffcd5f75abe3
962d1eb9581fd0853f2c5cb6e6c17954
9c21f220983a10c56a80fac0733a865f
a5b25c43bf5237cf26209d37225b189f
a76cd0e19f10443bf82797309e118594
c4a780ad779e87ee53fb292b28c96a37
c51cd4ae525cccc746af7418f4b640a9
cb010a325ceb9803bc77e81aadb64bf1
d2eac8c5b215308dbc781a1cb02731ae
e3c4669d5b10fc7d83ab9d22a8b53223
e8a69d43cb32354bd852c5ab9c071abe
f8254ac8ef2653d46a8ca33dc79ca256
f8b5dc82433c8eb0ef81160f68c128a3
PrecisionSec analysts closely monitor Emotet activity. Our Emotet IOC feed contains internally verified IOCs for all observed Emotet campaigns.