ElevatedPrompt has been tracking a new variant of the Emotet Trojan. In mid-January 2019 our security team saw a drastic uptick in Emotet-related campaigns, and we have been tracking the different variants and delivery mechanisms since. The variant that got me interested in writing this blog was the latest campaign, observed on 14 February 2019. This Emotet variant can hide from AV and even from some of the better-known email filtering solutions by disguising itself as an XML file.
A couple of hours later, when our analysts started a deeper dive, the same URL was, to our surprise, now delivering Emotet. We tried directory browsing and noticed that the folder had recently been modified.
At this point we decided to shift our focus to the XML document.
The XML file contains a standard XML header followed by a Base64-encoded section, which holds the obfuscated VBA macro code. The file itself was named with a .doc extension (as you can see in the picture above), so Word opens it as a document even though the bytes are XML rather than the binary OLE format a .doc name implies.
As usual, the attackers rely on the end user to enable and run the macro. Once the macro executes, it launches a PowerShell script.
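As an added defender-side illustration (not code from the original post or from ElevatedPrompt), the following Python triage check flags an attachment named .doc whose bytes are actually a Word 2003 XML document carrying a long Base64 blob that decodes to an OLE container, the usual carrier for VBA macros. The sample document, the element names (w:binData inside w:docOleData, following the Word 2003 XML format), and the 200-character Base64 threshold are assumptions; the embedded blob is constructed and is not a real macro.

```python
import base64
import binascii
import re

# Magic bytes for the containers a ".doc" attachment might actually be
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Word (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) zip container
XML_PROLOG = b"<?xml"                              # Word 2003 XML, the disguise described above
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long Base64 run carrying binary data

def classify(data: bytes) -> str:
    """Identify the real container format from leading bytes, ignoring a BOM or whitespace."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:8]
    for magic, kind in ((OLE_MAGIC, "ole"), (ZIP_MAGIC, "ooxml"), (XML_PROLOG, "xml")):
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(filename: str, data: bytes) -> dict:
    """Flag a .doc attachment whose content is XML with an embedded Base64 OLE/macro blob."""
    kind = classify(data)
    findings = []
    if filename.lower().endswith(".doc") and kind != "ole":
        findings.append(f"extension/content mismatch: named .doc but content is {kind}")
    if kind == "xml":
        if re.search(rb"<w:binData\b", data) or rb'w:macrosPresent="yes"' in data:
            findings.append("Word 2003 XML markup that carries binary/macro data")
        for run in B64_RUN.finditer(data):
            b64 = run.group(0)
            try:  # trim to a multiple of 4 so a run without padding still decodes
                blob = base64.b64decode(b64[: len(b64) // 4 * 4], validate=True)
            except (binascii.Error, ValueError):
                continue
            if blob.startswith(OLE_MAGIC):
                findings.append("Base64 section decodes to an OLE container (typical VBA carrier)")
    return {"kind": kind, "suspicious": bool(findings), "findings": findings}

# Constructed sample: Word 2003 XML named .doc; the Base64 blob is only an OLE header
# plus zero padding standing in for a real macro container (assumed element names).
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml" w:macrosPresent="yes">\n'
    b'<w:docOleData><w:binData w:name="editdata.mso">'
    + base64.b64encode(OLE_MAGIC + b"\x00" * 300)
    + b"</w:binData></w:docOleData></w:wordDocument>\n"
)

if __name__ == "__main__":
    print(triage("invoice_0214.doc", SAMPLE_XML_DOC))
```

A mail gateway rule built on the same idea is to compare the claimed extension against the detected container and quarantine any .doc whose bytes begin with an XML prolog.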
Emotet is a well-known banking Trojan and it has been very active since the start of 2019. This is probably because Emotet has evolved into a global threat delivery service.
We have observed two delivery mechanisms in Emotet campaigns: one tricks users into clicking links to the malicious document, and the other attaches the malicious document to the email. According to US-CERT (TA18-201A), Emotet continues to be among the most costly and destructive malware affecting state, local, private and public sectors.