The cyber security expert Marco Ramilli, founder of Yoroi-Cybaze, discovers a mail of a fake a SOC “weekly report” that spread Emotet
The cybercrime group behind Emotet evolves and addresses companies having an external Security Operation Center (SOC). Cyber criminals pretend to simulate an external SOC operator who sends periodic reports to the company. It has been discovered by the cyber security expert Marco Ramilli, founder of Yoroi-Cybaze. The delivery content was a Microsoft word document within heavily obfuscated Macros who eventually drops and executes the malware. Vector is an email which claimed to deliver a SOC “weekly report” to the victim. First of all the attacker knew the target organization was protected by a SOC, so he sent the message claiming to deliver a Microsoft document wrapping out the weekly report as a normal activity in order to induce the victim to open-it. Following the original headers it is possible to figure-out the attacker used a SMPT client who left trace about the original sender IP address.
The cyber security expert: Cybercrime group uses an obfuscated Microsoft Word document which asks to enable macros in order to view its content. It drops and executes the malware
According to the cyber security expert, the attachment is an obfuscated Microsoft Word document which asks to enable macros in order to view its content. The auto-open function begins a complex obfuscated chain which tries to deter analyst by introducing junk code, variable assignments and fake apparent real comments. The macro creates on-memory objects and runs them without passing through temporary files. Once the dropper assured the persistence and to run during the start-up, it carves from itself a powershell script. It runs an encoded string hiding the dropping ULRs. It finally saves the dropped file in a userprofile location, before running it. The final run looks like Emotet, a banking trojan who steals credentials, cookies and eCoin wallets. The malware is also able to access to saved credentials of the major browser like Chromium, Firefox, Opera, Vivaldi to exfiltrate cookies, and to send back to command and control found victim information.