cerrar
cerrar
Su red del mañana
Su red del mañana
Planifique su camino hacia una red más rápida, más segura y más resistente diseñada para las aplicaciones y los usuarios a los que da soporte.
          Descubra Netskope
          Ponte manos a la obra con la plataforma Netskope
          Esta es su oportunidad de experimentar de primera mano la Netskope One plataforma de una sola nube. Regístrese para participar en laboratorios prácticos a su propio ritmo, únase a nosotros para una demostración mensual del producto en vivo, realice una prueba de manejo gratuita de Netskope Private Accesso únase a nosotros para talleres en vivo dirigidos por instructores.
            Líder en SSE. Ahora es líder en SASE de un solo proveedor.
            Líder en SSE. Ahora es líder en SASE de un solo proveedor.
            Netskope debuta como Líder en el Cuadrante Mágico™ de Gartner® para Single-Vendor SASE
              Protección de la IA generativa para principiantes
              Protección de la IA generativa para principiantes
              Descubra cómo su organización puede equilibrar el potencial innovador de la IA generativa con sólidas prácticas de seguridad de Datos.
                Prevención de pérdida de datos (DLP) moderna para dummies eBook
                Prevención moderna de pérdida de datos (DLP) para Dummies
                Obtenga consejos y trucos para la transición a una DLP entregada en la nube.
                  Libro SD-WAN moderno para principiantes de SASE
                  SD-WAN moderna para maniquíes SASE
                  Deje de ponerse al día con su arquitectura de red
                    Entendiendo dónde está el riesgo
                    Advanced Analytics transforma la forma en que los equipos de operaciones de seguridad aplican los conocimientos basados en datos para implementar una mejor política. Con Advanced Analytics, puede identificar tendencias, concentrarse en las áreas de preocupación y usar los datos para tomar medidas.
                        Los 6 casos de uso más convincentes para el reemplazo completo de VPN heredada
                        Los 6 casos de uso más convincentes para el reemplazo completo de VPN heredada
                        Netskope One Private Access es la única solución que le permite retirar su VPN para siempre.
                          Colgate-Palmolive Salvaguarda su "Propiedad Intelectual" con Protección de Datos Inteligente y Adaptable
                          Colgate-Palmolive Salvaguarda su "Propiedad Intelectual" con Protección de Datos Inteligente y Adaptable
                            Netskope GovCloud
                            Netskope logra la alta autorización FedRAMP
                            Elija Netskope GovCloud para acelerar la transformación de su agencia.
                              Hagamos grandes cosas juntos
                              La estrategia de venta centrada en el partner de Netskope permite a nuestros canales maximizar su expansión y rentabilidad y, al mismo tiempo, transformar la seguridad de su empresa.
                                Soluciones Netskope
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) proporciona a los clientes potentes herramientas de integración para aprovechar las inversiones en su postura de seguridad.
                                  Soporte técnico Netskope
                                  Soporte técnico Netskope
                                  Nuestros ingenieros de soporte cualificados ubicados en todo el mundo y con distintos ámbitos de conocimiento sobre seguridad en la nube, redes, virtualización, entrega de contenidos y desarrollo de software, garantizan una asistencia técnica de calidad en todo momento
                                    Vídeo de Netskope
                                    Netskope Training
                                    La formación de Netskope le ayudará a convertirse en un experto en seguridad en la nube. Estamos aquí para ayudarle a proteger su proceso de transformación digital y aprovechar al máximo sus aplicaciones cloud, web y privadas.

                                      Emotet: Still Abusing Microsoft Office Macros

                                      Jun 27 2022

                                      Summary

                                      In April 2022, Netskope Threat Labs analyzed an Emotet campaign that was using LNK files instead of Microsoft Office documents, likely as a response to the protections launched by Microsoft in 2022 to mitigate attacks via Excel 4.0 (XLM) and VBA macros.

                                      However, we recently came across hundreds of malicious Office documents that are being used to download and execute Emotet, indicating that some attackers are still using old delivery methods in the wild. Despite the protection Microsoft released in 2022 to prevent the execution of Excel 4.0 (XLM) macros, this attack is still feasible against users who are using outdated versions of Office. It is also feasible against users who have changed the default setting to explicitly enable macros. The fact that attackers are still using Excel 4.0 Macros indicates that outdated Office versions and users who have this protection disabled are still common.

                                      Screenshot of option to enable Excel 4.0 Macros.
                                      Option to enable Excel 4.0 Macros.

                                      By searching for similar files on VirusTotal, we found 776 malicious spreadsheets submitted between June 9, 2022 and June 21, 2022, which abuse Excel 4.0 (XLM) macros to download and execute Emotet’s payload. Most of the files share the same URLs and some metadata. We extracted 18 URLs out of the 776 samples, four of which were online and delivering Emotet.

                                      Graph showing submission timeline for Emotet spreadsheets on VirusTotal.
                                      Submission timeline for Emotet spreadsheets on VirusTotal.

                                      In this blog post, we will analyze this Emotet campaign, showing the delivery mechanism to the last payload.

                                      Stage 01 – Malicious Spreadsheets

                                      The first stage is a malicious spreadsheet that abuses Excel 4.0 (XLM) macros to download and execute Emotet. These files are being delivered as email attachments.

                                      Examples of phishing emails with malicious spreadsheets attached.
                                      Phishing emails with malicious spreadsheets attached.

                                      There are also cases where the spreadsheet is attached within a password-protected ZIP file.

                                      The spreadsheet contains a message to lure the user to remove the protected view by clicking the “Enable Editing” button.

                                      Example of spreadsheet message asking to click “Enable Editing”.
                                      Spreadsheet message asking to click “Enable Editing”.

                                      The malicious code is obfuscated and spread across hidden spreadsheets and cells.

                                      Screenshot of part of the Excel 4.0 Macros.
                                      Part of the Excel 4.0 Macros.

                                      The code downloads the payload from an external URL via “URLDownloadToFileA” API and executes it with “regsvr32.exe”, which is a commonly used binary for the Living-off-the-Land technique.

                                      Screenshot of deobfuscated code from the spreadsheet.
                                      Deobfuscated code from the spreadsheet.

                                      Furthermore, most of the files we analyzed were authored by “Dream” and last saved either by “RHRSDJTJDGHT” or “TYHRETH“, indicating the files likely share an author. 

                                      Screenshot of common metadata across the spreadsheets.
                                      Common metadata across the spreadsheets.

                                      Stage 02 – Packed Emotet

                                      We were able to download samples from four different URLs out of the 18 extracted from the spreadsheets. Two of the downloaded files were unpacking the same Emotet payload.

                                      Example of four payloads downloaded from the spreadsheet URLs.
                                      Four payloads downloaded from the spreadsheet URLs.

                                      Emotet’s main payload is encrypted and stored in the PE resources of the loader, which is the same case as other Emotet packed samples we analyzed earlier in 2022.

                                      Screenshot of Emotet’s main payload stored in the PE resources.
                                      Emotet’s main payload stored in the PE resources.

                                      The unpacking/decryption process is also very similar to the samples we analyzed earlier in 2022, where a key is used in a simple rolling XOR algorithm.

                                      Example of Emotet decryption process.
                                      Emotet decryption process.

                                      Stage 03 – Emotet Payload

                                      We extracted three different payloads (64-bit DLLs) from the samples we downloaded from the URLs. 

                                      Screenshot of main Emotet payloads
                                      Main Emotet payloads.

                                      We can find some similarities by comparing these payloads with the ones we analyzed in April 2022, like the pattern used in the DLL name.

                                      Screenshot of real name for all three samples is “E.dll”.
                                      Real name for all three samples is “E.dll”.

                                      And also the persistence mechanism via Windows service that executes the payload via regsvr32.exe.

                                      Screenshot of Emotet persistence mechanism.
                                      Emotet persistence mechanism.

                                      However, there are some differences between these payloads and the ones we analyzed in April 2022. The first one is where and how Emotet decrypts its strings. In previous payloads, Emotet was storing its strings in the PE .text section.

                                      In these latest payloads, Emotet uses functions to retrieve decrypted strings. Simply put, the attacker is using the concept of stack strings, which are passed via parameter to the function that performs the decryption process.

                                      Screenshot of Emotet function to return a decrypted string.
                                      Emotet function to return a decrypted string.

                                      The decrypted strings can be easily retrieved by placing breakpoints in the return of these functions. Also, it’s possible to use a Python script to automatically extract this data using Dumpulator or any other emulation framework.

                                      Screenshot of Emotet decrypted strings.
                                      Emotet decrypted strings.

                                      The C2 addresses are also retrieved in a different way on these payloads. Instead of storing this data in the PE .data section, Emotet parses the C2 addresses via functions as well.

                                      Example of Emotet parsing the C2 server addresses.
                                      Emotet parsing the C2 server addresses.

                                      And it’s also possible to extract this information statically using an emulation script, similar to the one used for the strings.

                                      Screenshot of part of Emotet C2 server addresses.
                                      Part of Emotet C2 server addresses.

                                      Conclusions

                                      In April 2022 we analyzed an Emotet campaign that was not using Microsoft Office files to spread, as a possible response to Microsoft protections. However, we still see some attackers abusing Microsoft Office files to download and execute Emotet. We strongly recommend users to update Microsoft Office to its latest versions. Also, IT administrators may also completely block Excel 4.0 (XLM) Macros via Group Policy.

                                      Protection

                                      Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

                                      • Netskope Threat Protection
                                        • Document-Excel.Trojan.Emotet
                                        • Win64.Trojan.Emotet
                                      • Netskope Advanced Threat Protection provides proactive coverage against this threat.
                                        • Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
                                        • Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

                                      IOCs

                                      All the IOCs related to this campaign, scripts, and the Yara rules can be found in our GitHub repository.

                                      author image
                                      Gustavo Palazolo
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.

                                      ¡Mantente informado!

                                      Suscríbase para recibir lo último del blog de Netskope