Emotet Outbreak, Back in action – Hidden In XML File

Emotet Outbreak:

The Emotet banking trojan was first identified in 2014.

Emotet was originally designed as a banking malware that attempted to sneak onto your computer and steal sensitive and private information.
Later versions of the software saw the addition of spamming and malware delivery services—including other banking Trojans.

What is Emotet?

Emotet is a Trojan that is primarily spread through spam emails (malware). The infection may arrive either via malicious script, macro-enabled document files, or malicious link.

Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” ”Order Details” or possibly an upcoming shipment from well-known parcel companies.

Emotet is polymorphic, which means it can change itself every time it is downloaded, evading signature-based detection.

How does Emotet spread ?

It can be spread through phishing spam emails containing malicious attachments or links.

How to detect Emotet infection as Security Engineer/ SOC Engineer ?

Network IDS rule to catch emotet: Suricata /Snort rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”ET TROJAN Possible malicious Office doc hidden in XML file”; flow:established,from_server; file_data; content:”base64 encoded code in XML file “; flow:established,from_server; file_data; content:”<?xml”; within:5; content:””; nocase; distance:0; content:”macrosPresent=|22|yes|22|”; distance:0; fast_pattern; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/; classtype:trojan-activity; sid:2020657; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;

There have been increase in Emotet activity with some variance in it and now being downloaded in XML format which consist of Base64 encoded malicious code. Seemingly looking harmless XML file is a malicious macro document file which is compressed, encoded in base64, and stored in XML format. Below is diagram showing how the malicius document was stored.

XML file

Investigation:

Download the file and scan in through virustotal or metadefender.

Virustotal analysis of malicious XML file.

After analysing on VT, we can use sandbox to analyse the exact behaviour of the file.
Below is the link of Hybris analysis sandbox public report, You can simply google ot find more out there.

https://www.hybrid-analysis.com/sample/7dbf1569ab0472b7c6cca2c228be425b89e3ae652ce612c923ef5152f566142a/5c424a7f7ca3e14bfa1949c6

Above link contains well detailed analysis of the emotet file. Below are some snaps of analysis:

Snap of domains containing Trojan downloader payload, present in mal XML file

For more quick analysis other OSINT tools like Oletools can also be used.

Once we are sure of infection the only way to stop is to isolate the host and then reimage the host or perform full scan using some good antivirus

For NON IT People:

If you receive any email with some attachment from unknown sources always make sure do not open it straight away, because opening it enable macros leading to emotet infection which can spread out in entire organization.

How to defend against Emotet ?

You’re already taking the first step towards protecting yourself and your users from Emotet by reading this. Here’s a few additional steps you can take:

  1. Keep your computer/endpoints up-to-date with the latest patches for Windows or any other OS. Emotet may rely on the Windows Eternalblue vulnerability to do its dirty work, so don’t leave that back door open into your network.
  2. Do not download suspicious attachments or click a shady-looking link. Emotet can’t get that initial hold on your system or network if you avoid those suspicious emails.

How to Identify Emotet Infected device ?

Payload downloaded is usually dropped in UsersPublic directory and named as random numbers between 1 – 5 digits long (the filename can be found in the Powershell command issued to download the files)  

Payload moves a copy of itself in to a newly created folder in appdatalocal

We will notice modifications in syswow64 directory, for example:
C:WINDOWSSYSWOW64 485432.txt or HKLMSYSTEMCURRENTCONTROLSETSERVICES1A345B7 some thing like that.

Apart of this if you are not sure on infection run any scan tool to see any IOC.

How to Remove Emotet ?

  • Disconnect the device.
  • Disable the admin share to minimize the impact.
  • Run a full anitvirus scan on the device.
  • Reimage the host.

Level of Emotet Infection noticed throughout the world:

References:

1 thought on “Emotet Outbreak, Back in action – Hidden In XML File”

  1. Pingback: "MegaCortex" Ransomware in action -A MayDay gift no-one wanted | Security@Speaks

Leave a Comment

Your e-mail address will not be published. Required fields are marked *