ElevatedPrompt has been tracking the new variant of the Emotet Trojan. Since mid-January 2019, our security team has seen a drastic uptick in Emotet-related campaigns and has been tracking the different variants and delivery mechanisms. The variant that got me interested in writing this blog was the latest campaign, observed on 14th February, 2019. This Emotet variant can hide from AV and even some of the better-known email filtering solutions out there by disguising itself as an XML file.

On 14th February, 2019 our DET3CT appliance flagged an email with a suspicious URL embedded in it. Initial analysis of the URL [“hxxp://gslegno[.]com/De_de/MSLDAMBXHP4663794/DE_de/Fakturierung”] found obfuscated JavaScript associated with a known malicious ad network, “ad[.]afy11[.]net”.

[Figure: obfuscated JavaScript]
[Figure: traffic generated by the JavaScript]

We noticed that the JavaScript contains an escaped byte string, which is often associated with obfuscated shellcode. At this point we decided that this JavaScript required deeper analysis.

A couple of hours later, when our analysts started the deeper dive, to our surprise the same URL was now delivering Emotet. We tried directory browsing and noticed that the folder had been modified recently.

At this point we decided to shift our focus to the XML document.

[Figure: malicious Word macro file disguised as XML]

The XML file contains a standard header followed by a Base64-encoded section, which holds the obfuscated VBA macro code. The file itself was named with a .doc extension (as the picture above shows).
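As an added example (our own illustration, not ElevatedPrompt's DET3CT logic), the following triage check looks for the disguise just described: a file carrying a .doc extension whose bytes are really Word 2003 XML with a Base64 `w:binData` blob, and reports whether that blob decodes to an OLE container. The `ActiveMime` signature check is an assumption about how Word wraps a macro project in that format, and the sample document is constructed.

```python
"""Triage helper (added example): flag a .doc file whose content is Word 2003
XML carrying Base64 binary data, the Emotet disguise described above."""
import base64
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (VBA projects live here)
MSO_MAGIC = b"ActiveMime"  # assumed wrapper Word uses for editdata.mso blobs

BINDATA_RE = re.compile(
    rb'<w:binData\b[^>]*w:name="([^"]+)"[^>]*>(.*?)</w:binData>', re.S)


def triage_doc(filename: str, data: bytes) -> dict:
    """Inspect one file's raw bytes and return an extension/content verdict."""
    head = data.lstrip()[:256].lower()
    is_xml = head.startswith(b"<?xml") or head.startswith(b"<w:worddocument")
    is_ole = data.startswith(OLE_MAGIC)
    findings = []
    if is_xml:
        for name, blob in BINDATA_RE.findall(data):
            try:
                raw = base64.b64decode(re.sub(rb"\s+", b"", blob), validate=True)
            except ValueError:  # binascii.Error is a ValueError
                findings.append((name.decode(), "undecodable-base64"))
                continue
            if raw.startswith(OLE_MAGIC):
                kind = "ole-binary"
            elif raw.startswith(MSO_MAGIC):
                kind = "activemime-binary"
            else:
                kind = "other-binary"
            findings.append((name.decode(), kind))
    # A .doc that is XML text rather than an OLE file is the mismatch of interest.
    ext_mismatch = filename.lower().endswith(".doc") and is_xml and not is_ole
    suspicious = ext_mismatch and any(k != "other-binary" for _, k in findings)
    return {"xml": is_xml, "ext_mismatch": ext_mismatch,
            "binData": findings, "suspicious": suspicious}


# Constructed sample: a minimal Word 2003 XML skeleton with a Base64 OLE
# header standing in for the real macro blob (no actual macro is included).
_FAKE_OLE = OLE_MAGIC + b"\x00" * 24
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    b'<w:binData w:name="editdata.mso">' + base64.b64encode(_FAKE_OLE) + b'</w:binData>\n'
    b'<w:body><w:p><w:r><w:t>Fakturierung</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n')

if __name__ == "__main__":
    print(triage_doc("Fakturierung.doc", SAMPLE_XML_DOC))
```

Running the block on the constructed sample flags the file, while a genuine OLE .doc or a plain .xml file passes.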

[Figure: the malicious macro document]

As usual, the attackers rely on the end user to enable and execute the macro. Once the macro runs, it launches a PowerShell script.

[Figure: decoded PowerShell]

Emotet is a well-known banking Trojan and has been very active since the start of 2019. This is probably because Emotet has evolved into a global threat delivery service.

We have observed two delivery mechanisms used by Emotet campaigns: one tricks users into clicking links to the malicious document, and the other attaches the malicious document to the email. According to US-CERT (TA18-201A), Emotet continues to be among the most costly and destructive malware affecting the state, local, private and public sectors.