Emotet Downloader document uses Regsvr32 for execution
This article investigates a recent Emotet intrusion and details how the final Emotet payload is installed on the system. The main observations are as follows:
- Hidden Excel macros used to download and run the Emotet loader.
- Emotet loader run using regsvr32.exe.
- Embedded encrypted Emotet payload in the .rsrc section of the loader.
- Windows service used for Emotet payload persistence.
- Emotet continues to evolve delivery techniques and obfuscation to reduce detection.
Emotet is a Windows-based malware loader operated by the cyber crime group TA542 (1), also called Mummy Spider (2). First discovered in mid-2014, Emotet was initially designed as a banking Trojan and was later developed into a modular malware platform capable of performing various functions such as loading other malware, information theft and spambot features (1). Emotet is mainly distributed through phishing campaigns (1). In early 2021, North American and European law enforcement disrupted Emotet’s infrastructure, resulting in an outage of Emotet’s activity (3), but Emotet resumed operations in mid-November 2021 (4). Emotet has been observed dropping other malware families such as Qakbot (5) and Cobalt Strike (6). Emotet infections are high risk, having led to ransomware deployments in the past (7).
EclecticIQ analysts observed the distribution of Emotet throughout 2022. The bar chart below highlights the number of Emotet files and network indicators observed in EclecticIQ’s internal dataset during the first half of 2022.
Figure 1.1: Bar chart of the number of Emotet-specific indicators seen each month in the first half of 2022
Step One: Initial Delivery
Microsoft Office XLS document runs a hidden Excel 4.0 macro when activated
The first stage of an attack likely starts with a spam email carrying a Microsoft Office XLS document as an attachment. The XLS document uses hidden Excel 4.0 macros. When opened, the document asks the user to activate the content; once the user does so, the macro runs.
Figure 2.1: Screenshot of an Excel document prompting the user to “Enable content”
The actor uses various methods to obfuscate the Excel macro, which makes it more difficult to statically analyze the file. The document uses several password-protected sheets, each containing ‘CHAR’ formulas that return a single character of text. The characters are scattered across the sheets in different cells (as shown in Figure 2.2) and are written in a white font so that the sheets appear blank.
Figure 2.2: Characters scattered around Excel cells
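To show how an analyst reassembles the scattered CHAR() cells described above, here is an added example (not code from the original post or from EclecticIQ) that evaluates a small subset of Excel 4.0 formula syntax: CHAR() calls, quoted string literals, A1-style cell references and ‘&’ concatenation. The cell contents and the assembling formula are constructed samples, and the cell addresses are arbitrary; a real sheet would be read from the workbook with a library such as openpyxl or emulated with a dedicated tool such as XLMMacroDeobfuscator.

```python
import re

# Matches the body of a CHAR() formula once the leading '=' has been removed.
CHAR_RE = re.compile(r'^CHAR\(\s*(\d+)\s*\)$', re.IGNORECASE)
# Matches a plain A1-style cell reference such as D7 or AB12.
REF_RE = re.compile(r'^[A-Za-z]{1,3}\d{1,7}$')

# Constructed sample: single-character CHAR() formulas scattered across a sheet
# (the kind of cells Figure 2.2 shows), keyed by cell address.
SAMPLE_CELLS = {
    "D7": "=CHAR(114)",   # r
    "A2": "=CHAR(101)",   # e
    "F9": "=CHAR(103)",   # g
    "B5": "=CHAR(115)",   # s
    "H3": "=CHAR(118)",   # v
    "E1": "=CHAR(51)",    # 3
    "G6": "=CHAR(50)",    # 2
    "C4": "=CHAR(65)",    # A (decoy cell that the assembling formula never references)
}
# Constructed assembling formula that concatenates the scattered cells in order.
SAMPLE_ASSEMBLY = '=D7&A2&F9&B5&H3&D7&E1&G6&" /S"'


def split_concat(expr):
    """Split a formula on '&' while leaving double-quoted string literals intact."""
    parts, current, in_string = [], [], False
    for ch in expr:
        if ch == '"':
            in_string = not in_string
            current.append(ch)
        elif ch == '&' and not in_string:
            parts.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append(''.join(current).strip())
    return [p for p in parts if p]


def resolve(cells, value, depth=0):
    """Evaluate a cell value or formula fragment to the text it produces."""
    if depth > 64:
        raise ValueError("cell reference loop")
    value = value.strip()
    if not value.startswith('='):
        return value                      # plain text cell, not a formula
    expr = value[1:].strip()
    m = CHAR_RE.match(expr)
    if m:
        return chr(int(m.group(1)))       # CHAR(n) -> the character with code n
    if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
        return expr[1:-1]                 # quoted string literal
    if REF_RE.match(expr):
        # Follow the reference; a blank or missing cell contributes nothing.
        return resolve(cells, cells.get(expr.upper(), ''), depth + 1)
    parts = split_concat(expr)
    if len(parts) > 1:
        # Each part is itself a reference, CHAR() call or literal.
        return ''.join(resolve(cells, '=' + p, depth + 1) for p in parts)
    raise ValueError(f"unsupported formula fragment: {expr!r}")


def count_char_cells(cells):
    """Number of cells holding nothing but a single CHAR() call: a triage signal,
    since benign sheets rarely spread one character per cell."""
    return sum(1 for v in cells.values()
               if v.startswith('=') and CHAR_RE.match(v[1:].strip()))


def deobfuscate(cells, assembly_formula):
    """Rebuild the string a concatenation formula would produce from scattered cells."""
    return resolve(cells, assembly_formula)


if __name__ == "__main__":
    print("CHAR() cells:", count_char_cells(SAMPLE_CELLS))
    print("assembled:", deobfuscate(SAMPLE_CELLS, SAMPLE_ASSEMBLY))
```

The count of single-CHAR() cells is a useful first-pass heuristic when triaging many attachments, and the resolver recovers the string the macro eventually passes to CALL/EXEC without ever executing the workbook.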
The macro downloads and runs Emotet Loader
When the document is opened with macros enabled, it uses the ‘Auto_Open’ method to execute the formula shown in Figure 2.3. This formula deobfuscates the macro, revealing four CALL and EXEC functions. The macro tries to download the Emotet loader using the URLDownloadToFileA function and saves it to the current parent directory with the file extension ‘.ocx’ (ActiveX control). It then tries to run the downloaded Emotet loader using regsvr32.exe with the /S (silent) parameter. The formula contains four download-and-run attempts, but the macro terminates as soon as an attempt succeeds.
Figure 2.3: Unobfuscated malicious Excel formulas
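The execution chain in Figure 2.3 (an Office process launching regsvr32.exe with /S against an .ocx file in a user-writable directory) is visible in process-creation telemetry. The following added example, which is not part of the original post, scores Sysmon-style process-creation events for that pattern. The events are constructed samples with only the Image, CommandLine and ParentImage fields; field names follow Sysmon Event ID 1, and the path keyword list is an assumption you would tune for your environment.

```python
import ntpath
import re

# Directory fragments a standard user can write to; regsvr32 loading a module from
# one of these is unusual for legitimate software installation (assumed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")

# Constructed sample events modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {   # matches the chain described in the article
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /S C:\\Users\\victim\\soci2.ocx",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
    },
    {   # silent registration by an installer from System32: routine
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\vendor.dll",
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
    },
    {   # unrelated process
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]


def extract_module(cmdline):
    """Return the first non-switch argument of a regsvr32 command line (the module path),
    honouring double-quoted paths that contain spaces."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for tok in tokens[1:]:
        cleaned = tok.strip('"')
        if cleaned.startswith(('/', '-')):
            continue
        return cleaned
    return None


def assess_event(event):
    """Return the list of reasons an event looks like regsvr32-based loader execution."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "regsvr32.exe":
        return []
    reasons = []
    cmd = event.get("CommandLine", "")
    if re.search(r'(^|\s)[/-]s(\s|$)', cmd, re.IGNORECASE):
        reasons.append("silent /S registration")
    module = extract_module(cmd)
    if module:
        low = module.lower()
        if any(fragment in low for fragment in USER_WRITABLE):
            reasons.append("module loaded from user-writable path")
        if low.endswith(".ocx"):
            reasons.append("module has .ocx extension")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in OFFICE_APPS:
        reasons.append(f"spawned by Office application ({parent})")
    return reasons


def is_suspicious(event):
    """Alert when regsvr32 loads from a user-writable path or is spawned by Office;
    the /S flag and .ocx extension alone are too common to alert on."""
    reasons = assess_event(event)
    return any("user-writable" in r or "Office" in r for r in reasons)


def triage(events):
    """Indices of the events worth an analyst's attention."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", assess_event(SAMPLE_EVENTS[i]))
```

The decision deliberately keys on the parent process and the module location rather than on the /S switch alone, because silent registration by installers is routine; the extra reasons are kept so the analyst sees why an event fired.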
Step Two: Emotet Loader
Emotet Loader decrypts and loads Emotet payload
The Emotet Loader is a 64-bit DLL, which contains the encrypted Emotet payload as an embedded resource, under the name “7732”.
Figure 3.1: Encrypted Emotet payload in PE .rsrc section
The Emotet loader uses the VirtualAlloc function to allocate memory for the encrypted payload. Before that, it locates the resource by passing the value 0x1E34 (decimal 7732), the name of the encrypted payload resource, as the second parameter to the LoadResource call chain.
Figure 3.2: Payload encrypted in hex editor (top) and memory-mapped (bottom)
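An analyst who wants the encrypted blob out of the .rsrc section without running the loader can walk the resource directory by hand. The following added example (not code from the original post or from EclecticIQ) implements the three-level IMAGE_RESOURCE_DIRECTORY walk (type, name/ID, language) documented in the PE format and returns the data for an integer resource ID such as 7732. Because no sample is shipped with this article, the block builds a minimal .rsrc section in memory with a constructed placeholder payload; the section RVA, the RCDATA type and the payload bytes are assumptions. On a real loader you would slice the .rsrc section's raw bytes and VirtualAddress from the section table (pefile does this) and then apply the loader's own decryption routine, which this article does not describe.

```python
import struct

RT_RCDATA = 10                     # resource type used for arbitrary binary data
SUBDIR_FLAG = 0x80000000           # high bit set: entry points to a subdirectory / named entry


def _read_dir_entries(rsrc, off):
    """Return the (name_or_id, offset) pairs of an IMAGE_RESOURCE_DIRECTORY at off."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    entries = []
    for i in range(n_named + n_id):
        entries.append(struct.unpack_from("<II", rsrc, off + 16 + 8 * i))
    return entries


def find_resource_by_id(rsrc, rsrc_rva, wanted_id, res_type=None):
    """Walk type -> ID -> language and return (data_rva, size, bytes) for the first
    integer-ID resource equal to wanted_id, or None if absent or out of bounds."""
    for type_id, type_off in _read_dir_entries(rsrc, 0):
        if not type_off & SUBDIR_FLAG:
            continue
        if res_type is not None and type_id != res_type:
            continue
        for name_id, name_off in _read_dir_entries(rsrc, type_off & ~SUBDIR_FLAG):
            if name_id & SUBDIR_FLAG:
                continue                   # named (string) resource; only integer IDs wanted
            if name_id != wanted_id or not name_off & SUBDIR_FLAG:
                continue
            for _lang, lang_off in _read_dir_entries(rsrc, name_off & ~SUBDIR_FLAG):
                if lang_off & SUBDIR_FLAG:
                    continue
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
                data_rva, size = struct.unpack_from("<II", rsrc, lang_off)
                start = data_rva - rsrc_rva
                if 0 <= start and start + size <= len(rsrc):
                    return data_rva, size, rsrc[start:start + size]
    return None


def build_sample_rsrc(rsrc_rva, payload, res_id=7732):
    """Construct a minimal .rsrc section: one RCDATA type, one ID, one language.
    Offsets: root dir 0..24, type dir 24..48, ID dir 48..72, data entry 72..88, data at 88."""
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, SUBDIR_FLAG | 24)
    type_dir = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", res_id, SUBDIR_FLAG | 48)
    id_dir = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x0409, 72)
    data_entry = struct.pack("<IIII", rsrc_rva + 88, len(payload), 0, 0)
    return root + type_dir + id_dir + data_entry + payload


# Constructed placeholder standing in for the encrypted payload bytes (not real Emotet data).
SAMPLE_PAYLOAD = bytes(range(32))
SAMPLE_RSRC_RVA = 0x5000           # assumed VirtualAddress of the .rsrc section
SAMPLE_RSRC = build_sample_rsrc(SAMPLE_RSRC_RVA, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    hit = find_resource_by_id(SAMPLE_RSRC, SAMPLE_RSRC_RVA, 0x1E34, RT_RCDATA)
    if hit:
        rva, size, blob = hit
        print(f"resource 7732: rva=0x{rva:X} size={size} first bytes={blob[:4].hex()}")
```

Passing 0x1E34 as the ID is the same lookup the loader performs, since 0x1E34 is 7732 in decimal; the bounds check on the data entry matters because a truncated or tampered section can point outside the bytes you have.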
The Emotet payload is decrypted and written to the allocated memory area. The payload is a 64-bit DLL. The file is moved from %HOMEPATH%soci2.ocx to
Figure 3.3: Emotet payload decrypted in memory
Once the Emotet payload is fully installed, it allows the malware operator to remotely access the victim’s system. This remote access allows other Emotet modules or other malware families to be loaded onto the system. The MITRE ATT&CK classification, indicators and YARA rule are available below and can help security teams track, monitor and detect Emotet infections.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Based in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the United States with decades of experience in cybersecurity and intelligence in industry and government.
We would like to hear from you. Please send us your comments at [email protected] or fill in the EclecticIQ Audience Interest Survey to direct our research towards your priority area.
*** This is a syndicated blog from the Security Bloggers Network of Blog EclecticIQ authored by the EclecticIQ Threat Research Team. Read the original post at: https://blog.eclecticiq.com/emotet-downloader-document-uses-regsvr32-for-execution