Overview
Thanksgiving is a national holiday in several countries. From early October, cybercriminals and spammers take advantage of the festive season and begin spamming users in those countries. This campaign leverages an improved variant of the malware that implements new features and modules, and it is the first campaign that does not use financial themes. According to the research, the Thanksgiving-themed campaign targeted U.S. users and delivered the Emotet banking Trojan.
Delivery and exploitation technique
The cybercriminals use emails to deliver the malicious document as an attachment. As per the advisory, the cybercriminals send about 27,000 emails per day and target foreign customers.
The email carries a malicious document.xls file as an attachment. This file contains a malicious embedded macro with functions that execute a command line; that command line in turn launches PowerShell, which connects to a malicious domain and downloads a malicious executable into the %appdata% directory.
Behavior Analysis of malicious document
This is a typical macro-based Microsoft Word document with an AutoOpen function. This function executes the VB-based macro code at document open time. When we open the document, it asks us to enable macros.
As is most common for malicious Microsoft Word macros, this one contains obfuscated VBA script, which is used to execute the malicious code while hiding the malicious functions behind unreadable text; the obfuscation also serves to bypass antivirus detection. This macro executes a PowerShell command that tries to connect to a malicious domain and download the Emotet malware. However, the domain is no longer working, so the request does not succeed.
In the image, the PowerShell command built by the VBA code makes connections to multiple malicious domains; as per the analysis, these domains have been categorized as malicious and have delivered Emotet malware in the past.
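The chain described above (an Office process spawning cmd.exe, caret escapes, %VAR:~a,b% substring tricks, and PowerShell reaching into %AppData%) can be turned into a triage rule over process-creation telemetry. This is an added example and not part of the original analysis: the field names follow a Sysmon-style event, the caret count and the two-trait threshold are assumptions, and the events are constructed samples rather than real telemetry from the campaign.

```python
import re
from typing import Dict, List

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
# %VAR:~start[,length]% substring expansion, the trick the sample uses to spell "cmd" and "/R".
SUBSTR_PATTERN = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~\s*[+-]?\s*\d+")
CARET_THRESHOLD = 5  # assumption: legitimate admin one-liners rarely carry this many escapes

def traits(event: Dict[str, str]) -> List[str]:
    """Return the suspicious traits present in one process-creation event (Sysmon-style field names assumed)."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    found: List[str] = []
    if parent in OFFICE_PARENTS:
        found.append("office_parent")            # macro-capable document spawned a shell
    if cmdline.count("^") >= CARET_THRESHOLD:
        found.append("caret_obfuscation")
    if SUBSTR_PATTERN.search(cmdline):
        found.append("env_substring_expansion")
    if re.search(r"powershell", cmdline, re.I) and re.search(r"appdata", cmdline, re.I):
        found.append("powershell_appdata")       # downloader staging its payload under %AppData%
    return found

def is_suspicious(event: Dict[str, str]) -> bool:
    """Flag an event when at least two independent traits co-occur (assumed threshold)."""
    return len(traits(event)) >= 2

def flagged_command_lines(events: List[Dict[str, str]]) -> List[str]:
    return [e["CommandLine"] for e in events if is_suspicious(e)]

# Constructed sample telemetry, not real events from the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c %LOCalAPpdaTA:~-3,-2%M%SysTEmrOoT:~+6,+1% /V:o /R set t8vb=l^l^e^h^s^r^e^w^o^p"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden Start-Process $env:APPDATA\update.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir %APPDATA%"},
]
```

The second sample event carries only one trait on its own; correlating it with its parent cmd.exe (itself spawned by Excel) through the process tree is what ties the PowerShell stage back to the document.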
Debugging of malicious macros
As is common, the macro contains obfuscated VBA code, so I started debugging the obfuscated VBA. After deep analysis we concluded that the VBA macro executes an IF-Else loop, and every iteration has different variable declarations. In the image you can see that ltRzxjkitk holds the command line to be executed. This value was revealed during macro code analysis and debugging.
Malicious XML based word document file analysis:
The Microsoft Office suite has many functions and file formats. Each file format has different file headers and file attributes. In the Thanksgiving campaign, the cybercriminals used the XML-based macro execution functionality.
In the image, we have opened the file in Notepad++, where we can perform file format and header analysis. Point 1 in the image shows that this is a Word document file: this file signature indicates that the file is executed as a Microsoft Word document. In the XML attributes we can analyse the XML version, the encoding type and the document settings. After the file package attribute, it starts the
Here the attacker has used the caret sign (^) to avoid antivirus detection and make the obfuscation more complex. For reverse engineering the Word document, this command line is the main function that takes us to the final malicious code as output. The full string dump contains many carets (^) that serve only to strengthen the obfuscation. First, I removed all the carets (^) from the string dump. Now we have the clear strings of the command line and the obfuscated strings. Here we can see that the 2nd marked string (yellow) is the command line, the 3rd marked string (green) assigns a string in an unreadable format to the t8vb variable, and the last, 4th, marked string is a for loop. Let us understand step by step how the obfuscated strings are executed.
First, we execute the command line:

C:\> echo cmd /c %LOCalAPpdaTA:~ -3,-2%M%SysTEmrOoT:~ +6, +1%; ; ; ; /V:o ; /%appDATa:~-7, 1%

Return value: cMD; ;;; /V:o /R
The code extracts substrings from the values of environment variables and builds a command string from them. For example, the %localappdata% environment variable is equivalent to the path "C:\Users\Username\AppData\Local". Using the cmd shell substring syntax "%localappdata:~-3,-2%", it extracts the character between position 3 from the end and position 2 from the end of the string "C:\Users\Username\AppData\Local", which is the letter "c".
Next, the string is assigned to the t8vb variable, and last comes the for loop.
For a better understanding of the for loop, please see image no. 7. I reversed the t8vb variable string and, as the for loop does, picked every 4th character from the t8vb string. You can see that after the for loop executes, it builds a PowerShell command line (highlighted in the image). The PowerShell command has multiple C&C domains, split with "@", and executes the malware with the Start-Process function.
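The two stages walked through above (the caret and environment-variable substring layer that spells out "cmd" and "/R", then the FOR loop that reverses t8vb and keeps every 4th character) can be emulated offline instead of being run on a host. This is an added example, not code from the original post: it assumes default Windows paths for the three environment variables, standard cmd.exe %VAR:~start,length% semantics, and a constructed stand-in for the t8vb value, which the article only shows in an image.

```python
import re
from typing import Dict, Optional

# Constructed environment values standing in for the victim machine (assumption: default Windows paths).
FAKE_ENV: Dict[str, str] = {
    "LOCALAPPDATA": r"C:\Users\Username\AppData\Local",
    "SYSTEMROOT": r"C:\Windows",
    "APPDATA": r"C:\Users\Username\AppData\Roaming",
}
# Matches %VAR:~start[,length]%, tolerating the stray spaces the sample puts inside the expression.
_SUBSTR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~\s*([+-]?\s*\d+)\s*(?:,\s*([+-]?\s*\d+))?\s*%")

def strip_carets(s: str) -> str:
    """cmd.exe drops ^ (its escape character) while parsing, so removing it reveals the real tokens."""
    return s.replace("^", "")

def _cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    # %VAR:~start,length%: a negative start counts from the end; a negative length stops before the end.
    n = len(value)
    begin = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[begin:]
    return value[begin:begin + length] if length >= 0 else value[begin:n + length]

def expand_env_substrings(s: str, env: Dict[str, str]) -> str:
    """Replace every %VAR:~a,b% expression with the characters cmd.exe would produce."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1).upper()          # cmd variable names are case-insensitive
        if name not in env:
            return m.group(0)              # leave unknown variables untouched
        start = int(m.group(2).replace(" ", ""))
        length = int(m.group(3).replace(" ", "")) if m.group(3) else None
        return _cmd_substring(env[name], start, length)
    return _SUBSTR.sub(repl, s)

def deobfuscate_cmd_layer(obfuscated: str, env: Dict[str, str]) -> str:
    """Stage one: remove carets, then resolve the substring tricks that spell out 'cmd' and '/R'."""
    return expand_env_substrings(strip_carets(obfuscated), env)

def reverse_and_pick(payload: str, step: int = 4) -> str:
    """Stage two, emulating the macro's FOR loop: reverse the string, then keep every `step`-th character."""
    return payload[::-1][::step]

# The caret-laden stage from the article, reconstructed; the t8vb value below is a constructed stand-in.
STAGE_ONE = "%LOC^alAPpda^TA:~ -3,-2%M%SysTE^mrOoT:~ +6, +1%; ; ; ; /V:o ; /%appDA^Ta:~-7, 1%"
SAMPLE_T8VB = "".join(c + "x!z" for c in "powershell")[::-1]  # every 4th char of its reverse spells the command
```

Running deobfuscate_cmd_layer(STAGE_ONE, FAKE_ENV) yields "cMd; ; ; ; /V:o ; /R", matching the return value shown above, and reverse_and_pick(SAMPLE_T8VB) yields "powershell".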
This obfuscation is called the demystify obfuscation technique.
hxxp://danzarspiritandtruth[.]com/J7B5TiAIp
hxxp://iuyouth.hcmiu.edu[.]vn/mVayv0I7S
hxxp://exploraverde[.]co/mmR4TaGu8
hxxp://turkaline[.]com/zGiFH0X
The script then saves the binary to the Windows temporary folder and executes it.
The binary files at the end of these URLs are Emotet, a notorious banking trojan that exhibits various behaviours, such as info-stealing modules for emails and browsers.