Researchers uncovered an infamous and widely distributed malware Emotet, now targeting Windows users by employing a malicious Excel File after six months after its last activity.
Emotet is considered a kind of malware family among the malware research community due to its footprint and aggressive distribution method for a long while since 2014. it was developed to steal sensitive and private information from various sectors, including Educational institutes, government, defense, IT, Telecom, and also millions of individuals around the globe.
Malware developers and affiliates behind Emonet have used a different method of distribution and employes Microsoft Offices documents in a common way that was predominantly used in previous attacks.
A recently identified campaign has used a weaponized Excel file using different tactics, unlike previously identified similar attacks.
Based on the common characters identified in this Emotet campaign, researchers believe that the attackers are distributed using random malicious emails with attachments and disperse the email along with white text in the excel sheet, which consists of multiple formulas.
Attackers are using a variety of different characteristics in each and every campaign identified in the recent past.
Let’s break down the following notable technique that was identified by Ahnlab researchers and reported to Cyber Security News.
- A different method to prompt users to enable cell macro.
- Addition of sheet protection feature.
- Changes to the execution method of Emotet binary.
Unlike previous methods in which attackers trick users into directly enabling the Macro, Emotet has employed the following methods in the previous attacks.
Attackers behind the Emotet now changing the methods to Enable Macro and forcing victims to re-launch the document with the following statement:
In accordance with the requirements of your security policy, to display the contents of the document, you need to copy the file to the following folder and run it again.
for Microsoft Office 2013 x32 and earlier – C:\Program Files\Microsoft Office (x86)\Templates
for Microsoft Office 2013 x64 and earlier – C:\Program Files\Microsoft Office\Templates
for Microsoft Office 2016 x32 and later – C:\Program Files (x86)\Microsoft Office\root\Templates
for Microsoft Office 2016 x64 and later – C:\Program Files\Microsoft Office\root\Templates
In the second scenario, attackers included the Formula Macro before hiding the sheet and employed the sheet protection on it to ensure that the victims can’t view the included formula macro.
Threat actors use this trick to avoid analysis and detection of data within the sheet. “Our analysis showed that the password to disable sheet protection is ‘AABABAAABBB^‘. When the sheet protection is disabled, the dispersed and hidden data is found within the sheet,” Ahnlabs said.
A final trick used in this new campaign changes to the execution method of Emotet binary, in which the binary execution method is being upgraded to the new extension.
In previous methods, attackers utilized a .ocx file extension through rundll32.exe to execute the binary on the targeted Windows system, now it has switched to a .ooccxx file extension through regsvr32.exe.
- C:\Windows\System32\regsvr32.exe /S .. \oxnv1.ooccxx
- C:\Windows\System32\regsvr32.exe /S .. \oxnv2.ooccxx
Users are advised to refrain from opening document files from unknown and untrusted sources.
Indicators of Compromise
C&C and Download
Penetration Testing As a Service – Download Red Team & Blue Team Workspace