Ever-Changing Emotet Evolves Again with Fresh Evasion Tactic
#1
Quote: The Emotet trojan has seen a spike in activity in the last month, with a campaign that once again showcases its ability to evolve quickly: It’s now employing a different delivery mechanism than has previously been seen, in what appears to be an effective tactic for evasion.

Emotet, which has become a bit of a chameleon in the malware world thanks to its penchant for constantly adding new functionality, is now being delivered via embedded macros inside XML files disguised as Word documents, according to Menlo Security.

“In the past, we have seen Emotet being delivered through regular macro-infested Word documents, but this technique of disguising an XML document as a Word document seems to be a recent change in the delivery technique,” the company said in a Wednesday blog post. “With such constant changes in tactics from the Emotet threat actors, we foresee that this campaign will continue to evolve and become more sophisticated.”

Krishnan Subramanian, security research engineer at Menlo Labs, told Threatpost that on average, Menlo has seen up to 15 different customers per day being targeted across its customer base, every day since mid-January. The healthcare vertical was the most targeted.

SOURCE: https://threatpost.com/emotet-evasion-ta...ml/141862/
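The delivery change described above is a file-type disguise: the bytes are Word 2003 XML, but the extension claims a Word document. The following triage script is an added example for this thread, not code from Menlo Security or Threatpost. It assumes public Word file layouts (a legacy .doc is an OLE2 compound file, .docx/.docm is a ZIP, Word 2003 XML begins with `<?xml` and an `mso-application` progid of `Word.Document`, with binary parts base64-encoded inside `w:binData`), and its samples are constructed, not real malware.

```python
"""Spot "Word documents" that are really Word 2003 XML carrying a binary blob.

Added example for this thread (not code from Menlo Security or Threatpost).
The heuristics are constructed from public Word file layouts: a legacy .doc is
an OLE2 compound file, a .docx/.docm is a ZIP, and a Word 2003 XML file starts
with '<?xml' and an mso-application progid of Word.Document, with any binary
part (such as a VBA project) base64-encoded inside a w:binData element.
"""
import re
from typing import Dict, List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header (.doc, .xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML container (.docx, .docm)
UTF8_BOM = b"\xef\xbb\xbf"
WORD_EXTS = (".doc", ".dot", ".docx", ".docm", ".dotm")


def container_type(data: bytes) -> str:
    """Classify by content, ignoring whatever the filename claims."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    if body.lstrip().startswith(b"<?xml"):
        return "xml"
    return "unknown"


def inspect(filename: str, data: bytes) -> Dict[str, object]:
    """Return the container type, individual findings, and an overall verdict."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    ctype = container_type(data)
    findings: List[str] = []
    if ext in WORD_EXTS and ctype == "xml":
        findings.append("xml_disguised_as_word")
    if ctype == "xml":
        text = data.decode("utf-8", errors="replace")
        if re.search(r'<\?mso-application\s+progid="Word\.Document"', text):
            findings.append("word2003_xml_progid")
        if re.search(r"<w:binData\b", text):
            findings.append("embedded_binary_part")
    # A Word-extension file that is XML and carries a binary part is the
    # disguise this thread describes; the verdict is a triage flag, not proof.
    suspicious = "xml_disguised_as_word" in findings and "embedded_binary_part" in findings
    return {"container": ctype, "findings": findings, "suspicious": suspicious}


# Constructed samples (not real malware): a minimal OLE2 header, a minimal ZIP
# header, and a Word 2003 XML skeleton with a dummy base64 binary part.
SAMPLE_OLE_DOC = OLE2_MAGIC + b"\x00" * 24
SAMPLE_DOCX = ZIP_MAGIC + b"\x00" * 24
SAMPLE_XML_DOC = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">
  <w:binData w:name="editdata.mso">QUJDRA==</w:binData>
  <w:body><w:p><w:r><w:t>Enable content to view</w:t></w:r></w:p></w:body>
</w:wordDocument>
"""

if __name__ == "__main__":
    for name, blob in [("report.doc", SAMPLE_OLE_DOC),
                       ("report.docx", SAMPLE_DOCX),
                       ("invoice_0219.doc", SAMPLE_XML_DOC)]:
        print(name, inspect(name, blob))
```

The point of the check is that a mail gateway or sandbox keying on the `.doc` extension alone would hand the file to Word, which happily opens Word 2003 XML; inspecting the leading bytes first catches the mismatch before any macro question arises.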
#2
Analysis of a Fresh Variant of the Emotet Malware

Breaking Threat Analysis research paper by FortiGuard Labs, by Xiaopeng Zhang, February 18, 2019

Quote: Emotet is not a new malware family. In fact, it’s been around for several years. We captured a JS file spreading Emotet in 2017, which I then analyzed and published two research papers on, Part I and Part II.

Recently, FortiGuard Labs captured a fresh variant of Emotet. This time, it’s embedded in a Microsoft Word document. I did a quick analysis on it, and in this blog I’ll show you how it works on a victim’s machine. 

[Image: image.img.png]

The original file name of this infected document is PAY09735746167553.doc, and it contains malicious VBA code (Visual Basic for Applications) in a macro. Figure 1 shows its content when it’s opened in Microsoft Word. The malicious VBA code is executed automatically using its “autoopen” function once a victim clicks the button “Enable Content”, as shown in Figure 1. After a period of time it generates a ton of PowerShell code and then executes it. This generated PowerShell code downloads the actual Emotet file from several URLs that are dynamically generated, as shown in Figure 2.

[Image: image_1363261390.img.png]

Emotet is Relocated to %LocalAppData%

The downloaded file is the Emotet malware. The name it uses is a random string, and it is located in the %temp% folder. When it runs, it compares the file path of the current process, and if it is not the same as %LocalAppData%\culturesource\culturesource.exe, it moves the original exe file from the %temp% folder to the above folder (it even creates the folder if it doesn’t already exist) and renames it as culturesource.exe. The word “culturesource” is a constant string decrypted from its memory.


More info on Source HERE

Fortinet Security Blog here

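The chain in the FortiGuard write-up (Word macro runs PowerShell, PowerShell drops a randomly named exe in %temp%, that exe relocates itself to %LocalAppData%\culturesource\culturesource.exe) leaves a process-creation trail a defender can match on. The script below is an added example for this thread, not FortiGuard code. It assumes a simplified, constructed `key=value` process-creation log rather than a real Sysmon or EDR schema, and its third rule generalizes the single culturesource path into a "folder named after the binary under %LocalAppData%" heuristic, which goes beyond what the post states.

```python
"""Flag the execution chain described in the FortiGuard write-up in process logs.

Added example for this thread (not FortiGuard code). It assumes a simplified,
constructed key=value process-creation log rather than a real Sysmon/EDR schema.
Three rules: an Office application spawning a script host, an executable run
from the user's Temp folder, and an executable at %LocalAppData%\\<name>\\<name>.exe.
The last rule generalizes the single culturesource\\culturesource.exe path in the
post into a "folder named after the binary" pattern; it is a heuristic.
"""
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
# Group 1 captures the folder name; \1 requires the exe to carry the same name.
SELF_NAMED = re.compile(r"\\AppData\\Local\\([^\\]+)\\\1\.exe$", re.I)
# key=value fields; values may be double-quoted when they contain spaces.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one constructed log line into a field dictionary."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per process_create line that matches a rule."""
    hits: List[Dict[str, str]] = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev.get("event") != "process_create":
            continue
        parent, image = ev.get("parent", ""), ev.get("image", "")
        rule = None
        if basename(parent) in OFFICE_APPS and basename(image) in SCRIPT_HOSTS:
            rule = "office_spawns_script_host"
        elif TEMP_EXE.search(image):
            rule = "exec_from_temp"
        elif SELF_NAMED.search(image):
            rule = "localappdata_self_named_exe"
        if rule:
            hits.append({"ts": ev.get("ts", ""), "rule": rule, "image": image})
    return hits


# Constructed sample log (not captured telemetry). Lines 1-3 mirror the chain
# in the post; line 4 is a benign self-update path and line 5 a non-process event.
SAMPLE_LOG = r"""
ts=2019-02-18T10:01:02 event=process_create parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -enc AAAA"
ts=2019-02-18T10:01:09 event=process_create parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe image=C:\Users\alice\AppData\Local\Temp\478.exe cmdline=478.exe
ts=2019-02-18T10:01:10 event=process_create parent=C:\Users\alice\AppData\Local\Temp\478.exe image=C:\Users\alice\AppData\Local\culturesource\culturesource.exe cmdline=culturesource.exe
ts=2019-02-18T10:05:00 event=process_create parent=C:\Windows\explorer.exe image=C:\Users\alice\AppData\Local\Programs\Editor\editor.exe cmdline=editor.exe
ts=2019-02-18T10:06:00 event=file_create image=C:\Users\alice\AppData\Local\Temp\notes.exe
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ts"], hit["rule"], hit["image"])
```

Correlating the three hits by time and by parent/child path (the Temp binary of hit 2 is the parent of hit 3) is what turns three noisy signals into one incident; the self-named-folder rule on its own will also match legitimate per-user installers, so it is a triage aid rather than a blocking rule.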