Emotet Dissemination Campaign – July 2022

Summary

Since the end of June, ArtResilia has detected an increasing volume of maldoc campaigns associated with Emotet [1]. Although Emotet has been around for a while, this campaign is particularly relevant because of the impersonation of various entities, including public ones, and the abnormal volume of events focused on Portuguese cyberspace.

This article describes the analysis performed by ArtResilia’s SOC and is intended to help in the detection and prevention of this campaign.

Both the sender identity and the conversation content were used as subversion mechanisms: the “From” header was manipulated to show known sender addresses (all cases), the subject was reused from previous email exchanges between the victims (most cases) and, in some cases, the content of the email thread was reused as the body.

The campaign used a widely distributed support infrastructure spread across more than 20 countries, with Brazil at the top of the list. Evidence of Cyrillic encoding being used is shown, and the attack typology and the TTPs are described.

Finally, a set of seven recommended actions is proposed and a few detection rules (YARA and SIGMA) are shared.

Technical Analysis

During the analysis preparation phase, a significant number of different emails were collected by ArtResilia, with different senders, attachments and recipients. Details of the analysis process are described in the following sections.

Message headers

In the analyzed emails, the attacker manipulated the “From” field to make the message appear to originate from email addresses trusted by the recipient, which was not the case. Moreover, even the real sending addresses appear to belong to compromised accounts that were subverted for the dissemination of malicious messages.

Furthermore, the content of previous email threads between the involved victims was also reused in some cases, namely the subject and portions of the body itself.

Although several accounts were used, as shown in the chart below, most of the addresses used for dissemination belonged to organizations registered under the .be Top Level Domain (TLD).

Body of emails

The language used in the body of the emails varied between Portuguese and English. During the analysis process, several structures of the email body were observed, although they all had the same purpose: directing the recipient's attention to the attached file, usually with a sense of urgency.

It should also be noted that several messages contained a transcript of emails previously exchanged between the recipient and the impersonated sender, including the same subject with the prefix “FW:” or “RE:” and the original message body, which probably indicates that the author of the campaign had access to one or more mailboxes involved in the original conversation.
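The header and body traits described above (a displayed “From” that differs from the account that really submitted the message, a reused “RE:”/“FW:” thread subject, and an archive password handed over in the body) can be checked at the mail gateway. The following is an added example written for this article, not code from ArtResilia; the message, domains and the English/Portuguese password keywords are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a message from the campaign): a reply-chain lure whose
# displayed "From" is a trusted partner while the envelope sender is another account.
SAMPLE_MESSAGE = b"""\
From: "Joana Silva" <joana.silva@parceiro.example>
Return-Path: <user@mail.example.be>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=mail.example.be; dkim=none
Subject: RE: Fatura 2022/118
To: ana@victim.example

Segue em anexo o documento. Password: 2022
"""

THREAD_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
PASSWORD_HINT = re.compile(r"\b(password|palavra-passe|senha)\b", re.I)  # EN/PT wording, assumed


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def header_findings(raw: bytes) -> dict:
    """Flags the traits the article describes: spoofed From versus the real sending account,
    a reused thread subject, weak authentication results and a password hint in the body."""
    msg = email.message_from_bytes(raw)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return {
        "from_vs_envelope_mismatch": bool(from_domain and envelope_domain
                                          and from_domain != envelope_domain),
        "dkim_pass": "dkim=pass" in auth,
        "thread_prefix": bool(THREAD_PREFIX.match(msg.get("Subject", ""))),
        "password_in_body": bool(PASSWORD_HINT.search(body)),
    }


def suspicious(raw: bytes) -> bool:
    """Triage verdict: a From/envelope mismatch without a DKIM pass, or a hijacked-thread
    lure that ships a password for its attachment. The thresholds are this example's choice."""
    f = header_findings(raw)
    return (f["from_vs_envelope_mismatch"] and not f["dkim_pass"]) or \
           (f["thread_prefix"] and f["password_in_body"])
```

A mismatch alone is normal for mailing lists and forwarding services, so the verdict is meant as a triage signal to review together with the attachment checks, not as a blocking rule.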

Attachments

The messages were accompanied by a single attachment, in either ZIP or XLS format.

The ZIP files (each containing a single XLS file) were encrypted with a password, which was provided in the body of the email. This is a mechanism used regularly in malicious file dissemination attacks, since by encrypting the file the attacker has a better chance of bypassing the malware filtering capabilities of email solutions. The extracted XLS contained XLM (Excel 4.0) macros, whose purpose was to download second-stage payloads from the Internet and run them using the native Windows tool regsvr32 (a LOLBin [2]), which is used to register DLLs and execute scriptlets. The same pattern was found in the non-encrypted XLS attachments.

When executed, these macros would download four remote files from the Internet and then execute them with regsvr32.exe.

Origin/Typology of attack

Regarding the addresses/URLs contacted during the infection chain, the vast majority appear to be infrastructure compromised by the attacker and subverted to host malicious files, and that infrastructure is geographically dispersed.

Most of the websites used during this campaign appear to run the WordPress CMS in outdated and/or improperly configured versions, which leaves them vulnerable to several different attacks.

As for the XLS files, the majority have the alias “Dream” as their author, and the last change was made by the alias “RGSGK”.

These aliases have already been observed in other campaigns related to the Emotet Trojan, which also had some kind of connection with infrastructure located in Brazil.

The Cyrillic encoding found in the files is also relevant, as it can be an indicator of the real origin of the threat actor.

It should also be noted that the same indicators observed in this campaign are being disseminated globally, which means that although some of the bodies of the emails are targeted and specific to the victims of this attack, the infrastructure and artifacts are being reused in other campaigns.

TTPs

Recommended actions

Given that the received messages contain content previously shared between the target entities, it is possible that this attack involved access to exchanged messages, thus implying identity theft with implications for the confidentiality of information. Therefore, we recommend the following actions:

  • Review logins to email accounts. Any abnormal session should be investigated. Grouping login events by origin, device and time of day is an excellent starting point for finding abnormal activity.
  • Review automatic email forwarding or redirection rules, a common technique used by adversaries to exfiltrate information.
  • Review network logs, with special attention to the indicators shared in this report.
  • Review EDR or EPP alerts, with special attention to the indicators and TTPs shared in this report.
  • In a scenario of massive email delivery, evaluate the possibility of blocking, in your Secure Email Gateway, messages with attachments from untrusted senders, particularly:
    • Encrypted attachments
    • Office files
    • Binaries
  • Disable macros when possible, or use an allow-list approach that permits only signed macros.
  • Evaluate the possibility of using Attack Surface Reduction rules to prevent Office applications from creating child processes [3].

Detection Opportunities

YARA Rules

rule maldoc_emotet_july
{
    meta:
        author = "ArtResilia"
    strings:
        $a1 = ".ocx"
        $a2 = "://"
        $a3 = "Dream"
        $a4 = "RGSGK"
        $a5 = "URLDownloadToFil"
        $a6 = "32.ex"
    condition:
        5 of ($a1, $a2, $a3, $a4, $a5, $a6) and (uint32be(0) == 0xD0CF11E0 or uint32be(0) == 0x504b0304)
}
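The rule above scans raw bytes, so its six strings are not visible inside a password-protected ZIP member such as the ones this campaign delivered; a gateway triage step therefore also needs to report encrypted archive members before the YARA condition can be applied to the extracted XLS. The following is an added example written for this article (not ArtResilia's code) that reproduces the rule's "5 of 6 strings plus container magic" logic in Python, walks ZIP local headers without extracting, and runs on two constructed samples: an OLE body carrying the rule's strings and a single encrypted ZIP entry.

```python
import struct

# Rule strings and magic values are the ones in the maldoc_emotet_july YARA rule above.
RULE_STRINGS = [b".ocx", b"://", b"Dream", b"RGSGK", b"URLDownloadToFil", b"32.ex"]
OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # 0xD0CF11E0: legacy .xls (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"        # 0x504b0304: ZIP container

def yara_hits(data: bytes) -> list:
    """Which of the six rule strings occur in the raw bytes (YARA scans raw bytes too)."""
    return [s for s in RULE_STRINGS if s in data]

def zip_entries(data: bytes) -> list:
    """Walk ZIP local file headers without extracting: (name, encrypted) per entry."""
    entries, off = [], 0
    while data.startswith(ZIP_MAGIC, off):
        hdr = struct.unpack_from("<HHHHHIIIHH", data, off + 4)  # ver, flags, method, ...
        flags, csize, nlen, xlen = hdr[1], hdr[6], hdr[8], hdr[9]
        if flags & 0x8:  # data-descriptor entry: sizes follow the data; stop, don't misparse
            break
        name = data[off + 30:off + 30 + nlen].decode("cp437", "replace")
        entries.append((name, bool(flags & 0x1)))  # general-purpose bit 0 = encrypted
        off += 30 + nlen + xlen + csize
    return entries

def triage(data: bytes) -> dict:
    """Container check plus the rule's '5 of 6 strings' condition; encrypted members and
    spreadsheet members of a ZIP are reported as well, since the rule cannot see into them."""
    result = {"kind": "other", "yara_match": False, "encrypted_entries": [], "xls_entries": []}
    if data.startswith(OLE_MAGIC):
        result["kind"] = "ole"
    elif data.startswith(ZIP_MAGIC):
        result["kind"] = "zip"
        for name, encrypted in zip_entries(data):
            if encrypted:
                result["encrypted_entries"].append(name)
            if name.lower().endswith((".xls", ".xlsm", ".xlsb")):
                result["xls_entries"].append(name)
    if result["kind"] != "other":
        result["yara_match"] = len(yara_hits(data)) >= 5
    return result

def fake_zip_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed local header + payload for the samples below (not a complete archive)."""
    header = struct.pack("<4sHHHHHIIIHH", ZIP_MAGIC, 20, 0x1 if encrypted else 0, 0, 0, 0, 0,
                         len(payload), len(payload), len(name), 0)
    return header + name + payload
# Constructed samples: an OLE body carrying the rule's strings, and an encrypted-ZIP lure.
SAMPLE_OLE = (OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 24 + b"Dream\x00RGSGK\x00"
              b"URLDownloadToFilA\x00https://host.invalid/a.ocx\x00regsvr32.exe")
SAMPLE_ZIP = fake_zip_entry(b"Fatura.xls", b"\x8f\x1d\x2c\x77\x00\x91\xab\xfe", True)
```

For the encrypted sample the rule condition is false while the encrypted-member report is what raises the alarm, which is the case the Secure Email Gateway recommendation above is meant to cover.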

SIGMA Rules

title: Emotet - Regsvr32.exe loading from Appdata/Temp folder
description: Detects regsvr32.exe loading resources from temporary folders
status: experimental
author: Art Resilia
date: 2022/07/08
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\regsvr32.exe'
        CommandLine|contains:
            - '\Windows\Temp'
            - '\AppData\Local\'
            - '\AppData\Roaming\Temp'
    condition: selection
falsepositives:
    - Custom binaries
level: high

In addition, you can complement these detection capabilities with a generic Sigma rule [4] that detects the creation of a LOLBin process by an Office application.
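To show how the two rules overlap and where each one fills a gap, here is an added example (written for this article, not ArtResilia's or SigmaHQ's code) that evaluates the Sigma selection above, together with a simplified stand-in for the Office-parent rule [4], over constructed process-creation events; the list of Office parent binaries is an assumption, and the stand-in is narrowed to regsvr32.exe rather than the full LOLBin set of the referenced rule.

```python
# Field names follow the Sigma process_creation log source (Sysmon event 1 style);
# all events below are constructed samples, not telemetry from the campaign.
TEMP_PATHS = ("\\windows\\temp", "\\appdata\\local\\", "\\appdata\\roaming\\temp")
OFFICE_PARENTS = ("\\excel.exe", "\\winword.exe", "\\powerpnt.exe", "\\outlook.exe")  # assumed


def regsvr32_from_temp(event: dict) -> bool:
    """The article's Sigma selection: Image|endswith '\\regsvr32.exe' and CommandLine|contains
    one of the temp folders. Sigma string modifiers are case-insensitive, hence lower()."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("\\regsvr32.exe") and any(p in cmdline for p in TEMP_PATHS)


def lolbin_from_office(event: dict) -> bool:
    """Simplified stand-in for the complementary SigmaHQ rule [4]: an Office process
    (assumed list above) spawning regsvr32.exe, whatever path it loads from."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return parent.endswith(OFFICE_PARENTS) and image.endswith("\\regsvr32.exe")


def evaluate(events: list) -> list:
    """(id, article rule hit, Office-parent rule hit) per event, so the two can be compared."""
    return [(e["id"], regsvr32_from_temp(e), lolbin_from_office(e)) for e in events]


SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\joana\AppData\Local\Temp\oxbv.ocx"},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\ctl.dll"},  # installer, benign
    {"id": 3, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\Documents\upd.ocx"},  # outside temp dirs
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\Temp\tmp7.ocx"},  # no Office parent
]
```

Events 3 and 4 are caught by only one of the two rules each, which is why the article suggests running them side by side.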

Indicators of Compromise

Below you can find a list of collected indicators of compromise.


Authors

Tomás Ferraz
Sérgio Ribeiro

References

[1] https://www.cisa.gov/uscert/ncas/alerts/aa20-280a

[2] https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/

[3] https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference

[4] New Lolbin Process by Office Applications (SigmaHQ, GitHub): https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml