EclecticIQ Threat Research Team
July 28, 2022

Emotet Downloader Document Uses Regsvr32 for Execution

Intelligence Research

emotet-intrusion-blog

Executive Summary

This paper investigates a recent Emotet intrusion and details how the final Emotet payload is installed onto the system. The key observations are:

  • Obfuscated Excel macros used to download and run the Emotet loader.
  • Emotet loader executed using regsvr32.exe.
  • Encrypted Emotet payload embedded in loader’s .rsrc section.
  • Windows service used for Emotet payload persistence.
  • Emotet continues to evolve delivery techniques and obfuscation to reduce detection.

Background

Emotet is a Windows-based malware loader operated by the cybercrime group TA542 (1), also referred to as Mummy Spider (2). First discovered in mid-2014, Emotet, originally designed as a banking trojan, was later developed into a modular malware platform capable of performing various functions such as loading other malware, information stealing, and spambot capabilities (1). Emotet is primarily distributed through phishing campaigns (1). In early 2021, North American and European law enforcement agencies disrupted Emotet’s infrastructure resulting in a hiatus of Emotet activity (3), but Emotet resumed operation in mid-November 2021 (4). Emotet has been observed dropping other malware families such as Qakbot (5) and CobaltStrike (6). Emotet infections are high risk, having led to ransomware deployments in the past (7).

EclecticIQ analysts have observed Emotet distribution throughout 2022. The below bar graph highlights the number of Emotet files and network indicators observed in EclecticIQ’s internal dataset in the first half of 2022.

1-2

Figure 1.1: Bar chart of the number of Emotet-specific indicators seen each month of the first half of 2022

First Stage: Initial Delivery

Microsoft Office XLS Document Executes Obfuscated Excel 4.0 Macro when Enabled

The first stage of an attack likely begins with a spam email delivering a Microsoft Office XLS document as an attachment. The XLS document uses obfuscated Excel macros. When opened, the document asks the user to ‘Enable Content’, when enabled the macro will execute.

2-1

Figure 2.1: Screenshot of Excel document prompting user to ‘Enable Content’

The actor uses various methods to obfuscate the Excel macro making static analysis of the file harder. The document uses multiple passwords protected worksheets, with these worksheets containing ‘CHAR’ formulas returning a text character. The characters are scattered throughout the sheets in different cells (as shown in figure 2.2) and are written in white-colored font to make the sheets look empty.

3-2

Figure 2.2: Characters scattered around Excel cells

Macro Downloads and Executes Emotet Loader

When executed with macros enabled, the document uses the ‘Auto_Open’ method to execute the formula shown in figure 2.3. This formula de-obfuscates the functionality of the macro revealing four CALL and EXEC functions. The macro will then try to download the Emotet Loader using the URLDownloadToFileA function and save it in the current parent directory with the ‘.ocx’ (Active control) file extension. It then tries to execute the downloaded Emotet loader using regsvr32.exe with the /S parameter. The program makes four attempts at downloading and executing the loader, even if initial attempts are successful, with the macro ending after that.

4-1

Figure 2.3: Un-obfuscated malicious excel formulas

Second Stage: Emotet Loader

Emotet Loader Decrypts and Loads Emotet Payload

The Emotet loader is a 64bit DLL, which contains the encrypted Emotet payload as an embedded resource, under the name ‘7732’.

5-1

Figure 3.1: Encrypted Emotet payload in the PE .rsrc section

The Emotet loader will load the encrypted payload into memory using the VirtualAlloc function to allocate memory. The loader passes in the value 0x1E34 (decimal 7732) which is the name of the encrypted payload resource as the second parameter to the LoadResource function.

6-left6-rightFigure 3.2: Encrypted payload in hex editor (top) and mapped into memory (bottom)

The Emotet payload is decrypted and written to the allocated area of memory. The payload is a 64bit DLL. The file is moved from %HOMEPATH%\soci2.ocx to <SYSTEM32>\qbknp\cdiwaui.dll. Persistence is created using Windows service; the created service executes the Emotet payload using regsvr32.exe.

7-1Figure 3.3: Decrypted Emotet payload in memory

Conclusion

Once the Emotet payload is completely installed, it allows the malware operator remote access to the victim’s system. This remote access allows further Emotet modules or other malware families to be loaded onto the system. The MITRE ATT&CK classification, indicators and YARA rule are available below and can help security teams track, monitor, and detect Emotet infections.

 

 
MITRE ATT&CK:
  • T1566.001: Phishing Spearphishing Attachment
  • T1204.002: User Execution: Malicious File
  • T1543.003: Create or Modify System Process: Windows Service
  • T1027: Obfuscated Files or Information
  • T1140: Deobfuscate/Decode Files or Information
  • T1218.010: System Binary Proxy Execution: Regsvr32
  • T1071.001: Application Layer Protocol: Web Protocols
Indicators:

Excel document:

  • 625121dba58742d70d59010af2a452649101cc0d6a3c956352e0c19bf31c7fc3
Download URLs:
  • https://cointrade[.]world/receipts/0LjXVwpQrhw/
  • http://www.garantihaliyikama[.]com/wp-admin/jp64lssPHEe2ii/
  • http://haircutbar[.]com/cgi-bin/BC3WAQ8zJY4ALXA4/
  • http://airhobi[.]com/system/WLvH1ygkOYQO/ 
YARA Rule:
rule emotet_xls_downloader{
meta:
id = "3B7stbUhJvOTZBIt8VYWJb"
fingerprint = "21c6a8dd0d5bd96c8bca604069c74708be3b8e6fc1f41423e2af0aabe0435fc8"
version = "1.0"
first_imported = "2022-07-21"
last_modified = "2022-07-21"
status = "RELEASED"
sharing = "TLP:WHITE"
source = "ECLECTICIQ"
author = "EclecticIQ Threat Research Team"
description = "Yara rule to track Emotet Excel downloader documents."
category = "MALWARE"
malware = "EMOTET"
mitre_att = "S0367"
report = "Emotet Downloader Document Uses Regsvr32 for Execution"
sha256 = "625121dba58742d70d59010af2a452649101cc0d6a3c956352e0c19bf31c7fc3"


strings:
$ocx = ".ocx"
$h1 = {6F 6E 22 2C 22 55 52 4C 44 6F 77 6E 6C 6F 61 64 54 6F 46 69 6C} // on","URLDownloadToFil
$h2 = {2C 30 2C 22 68 74 74 70} // ,0,"http
$h3 = {53 79 73 74 65 6D 33 32 5C 41} // System32\A
$h4 = {3A 5C 57 69 6E 64 6F 77 73 5C 41} // :\Windows\A


condition:
uint16(0) == 0xcfd0 and filesize < 2MB and (all of ($h*) and (#ocx == 4))
}

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Appendix

  1. https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
  2. https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
  3. https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action
  4. https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/
  5. https://www.malware-traffic-analysis.net/2020/08/10/index.html
  6. https://isc.sans.edu/diary/Emotet+infection+with+Cobalt+Strike/28824
  7. https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/

Talk to one of our experts

Protect your organization with cutting-edge threat intelligence. Book your free demo today and explore how our products and services can help you meet your security needs.
Book a call
cta-footer
Book a demo