{"id":18574,"date":"2022-03-23T11:40:23","date_gmt":"2022-03-23T19:40:23","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/23\/news-12307\/"},"modified":"2022-03-23T11:40:23","modified_gmt":"2022-03-23T19:40:23","slug":"news-12307","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/23\/news-12307\/","title":{"rendered":"MS Office Files Involved Again in Recent Emotet Trojan Campaign \u2013 Part II"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Affected platforms:<\/b> Microsoft Windows<br \/> <b>Impacted parties:<\/b> 64-bit Windows Users<br \/> <b>Impact:<\/b> Controls a victim\u2019s device and collects sensitive information<br \/> <b>Severity level:<\/b> Critical <\/p>\n<p>Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguardlabs\">FortiGuard Labs<\/a> recently captured more than 500 Microsoft Excel files involved in a campaign to deliver a fresh Emotet Trojan onto the victim\u2019s device.<\/p>\n<p>Emotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very active, continually updating itself. It has also been highlighted in cybersecurity news from time to time. Emotet uses social engineering, like email, to lure recipients into opening attached document files (including Word, Excel, PDF, etc.) 
or to click links within the content of the email that downloads the latest Emotet variant onto the victim\u2019s device and then executes it.<\/p>\n<p>In <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\">Part I of this post<\/a>, I explained how this variant of Emotet is spread by malicious VBA code in Excel documents, how the downloaded Emotet malware runs within a Rundll32 program, what kind of anti-analysis techniques this variant uses, how it encrypts and submits its victim\u2019s data to its C2 server, what Emotet does when it receives response data from the C2 server, and what Emotet does to enable persistence on the victim\u2019s device.<\/p>\n<p>In this post, you will learn what the data in response packets carrying malicious modules looks like, what modules have been received from the C2 server for the current Emotet campaign, and how they are deployed in the victim\u2019s device. You will also discover what sensitive data those modules steal from a victim\u2019s device.<\/p>\n<h2><b>When X.dll Receives a Response with a Module<\/b><\/h2>\n<p>Once the C2 server has processed and detected the first submitted packet that includes critical data\u2014such as the victim\u2019s device system version, Windows architecture, etc.\u2014it replies with malicious modules for Emotet to execute in the victim\u2019s device. All the received modules are fileless. 
That is, they only exist in memory and are processed by the X.dll (the core of Emotet) running in Rundll32.exe.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image.img.png\/1647987906778\/picture1blog.png\" alt=\"Screenshot of A decrypted module in the packet\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1.1 \u2013 A decrypted module in the packet<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 1.1 is a screenshot of X.dll\u2019s code and memory. The bottom is a C2\u2019s response packet, just decrypted in memory by calling the function at 10012371. Referring to Figure 5.3 in <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\">part I of this series<\/a> will help you understand the structure of the packet.<\/p>\n<p>The box marked in red is the verification data (99 DE \u2026 DD A5), a signed hash of the rest of the packet. The following dword, <b>0x00000000,<\/b> marked in yellow, is a flag that tells Emotet how to run the replied module. 0x00 tells it to execute the module in a newly-created thread. The binary block in blue is the module. It starts with the module size, 0x79400 in this example, and the remainder is the module binary data (4D 5A 90 00 \u2026).<\/p>\n<p>Emotet has to verify the decrypted data, as shown in Figure 1.1, using the 40H verification data.<\/p>\n<p>It then deploys the received module into memory and prepares to execute it. It then calls its entry point in a newly created thread. 
This post will refer to this module as a \u201cthread-module.\u201d Its primary purposes are to extract and execute the final functional module that steals sensitive data from the victim\u2019s device and to submit the stolen data to its C2 server, which will be discussed later in this analysis. Figure 1.2 shows where the thread function ASM code calls the entry point of the deployed thread-module.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_1877119615.img.png\/1647992066365\/picture2.png\" alt=\"Screenshot of Emotet thread function to call the thread-module\u2019s entry point\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1.2 \u2013 Emotet thread function to call the thread-module\u2019s entry point<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>Thread-Module \u2014 Performs Process Hollowing<\/b><\/h2>\n<p>The thread-module proceeds to decrypt a PE file, the final functional module, from its .text section into memory. To execute this module, it performs process hollowing. It does this by copying a Windows file, \u201ccertutil.exe\u201d, from either \u201c%Windir%\\SysWOW64\\certutil.exe\u201d or \u201c%Windir%\\system32\\certutil.exe\u201d into the \u201c%temp%\u201d folder. It then renames it to a random file name, like \u201cuvbubqj.exe\u201d. 
Next, the thread-module creates a suspended process with this file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_67930512.img.png\/1648061216688\/img2.png\" alt=\"Screenshot of Call API CreateProcessW() to create a suspended process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2.1 \u2013 Call API CreateProcessW() to create a suspended process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you can see in the command line string in Figure 2.1, \u201cuvbubqj.exe\u201d is the copied \u201ccertutil.exe\u201d; \u201c\/scomma\u201d and the subsequent temporary file \u2014 \u201cC:\\Users\\Bobs\\AppData\\Local\\Temp\\60B2.tmp\u201d \u2014 are the parameters for the process. The temporary file name is generated by calling the API GetTempFileNameW(). The path of the temporary file \u201c60B2.tmp\u201d is read by the functional module and used to save stolen information. The sixth argument to CreateProcessW() is 0x00000004, the creation flag \u201cCREATE_SUSPENDED\u201d, so CreateProcessW() creates the process in a suspended state.<\/p>\n<p>It then calls a group of APIs, like GetThreadContext(), VirtualAllocEx(), ReadProcessMemory(), WriteProcessMemory(), and so on, to inject the final functional module into the new process\u2019s memory. 
The API SetThreadContext() is called later to set the new process EIP register pointing to the entry point of the functional module, which is invoked after calling the API ResumeThread().<\/p>\n<p>Afterward, the thread-module starts to monitor the temporary file in a loop until it is created with the stolen information from the victim\u2019s device.<\/p>\n<h2><b>Looking at the Functional Modules<\/b><\/h2>\n<p>In the above analysis, I explained how a C2 module is loaded and executed in the victim\u2019s device.<\/p>\n<p>The C2 server can return many modules, each going through the same process as described above. They will have a thread-module, run in their thread, and perform their own process hollowing.<\/p>\n<p>I received three C2 modules. I will elaborate on how they work on the victim\u2019s device in the following sections.<\/p>\n<h3><b>Module1 &#8211; Stealing Credentials from a Victim\u2019s Browsers<\/b><\/h3>\n<p>A Self-Extracting packer protects this module. It decrypts a PE file when it runs, overrides the existing code of \u201ccertutil.exe\u201d, and then gets it executed.<\/p>\n<p>The unpacked PE file is a freeware called <a href=\"https:\/\/www.nirsoft.net\/utils\/web_browser_password.html\" target=\"_blank\">\u201cWebBrowserPassView\u201d<\/a> developed by NirSoft. It was designed as a password recovery tool but has been abused by malicious actors to steal the victim\u2019s credentials. 
A user interface displays the saved credentials stored within several web browsers.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_7012223.img.png\/1648061163951\/img3.png\" alt=\"Screenshot of Open the WebBrowserPassView module\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3.1 \u2013 Open the WebBrowserPassView module<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 3.1 shows what this module looks like when I open it in my test environment. This Emotet variant uses WebBrowserPassView v2.06.<\/p>\n<p>Its thread-module passes command line parameters like \u201c\/scomma C:\\Users\\Bobs\\AppData\\Local\\Temp\\7B3C.tmp\u201d to the process, which switch WebBrowserPassView to a No-Window mode and save the retrieved credentials to the given temporary file.<\/p>\n<p>From its code, I learned it could collect the credentials from a variety of web browsers:<\/p>\n<p><b>Microsoft IE, Microsoft Edge, Google Chrome, Mozilla Firefox, Opera, Apple Safari, SeaMonkey, Yandex, Vivaldi, Waterfox, and all other Chromium-based browsers.<\/b><\/p>\n<p>The stolen credentials contain the following information:<\/p>\n<p style=\"margin-left: 40.0px;\">\u2022 URL: The URLs that credentials are saved for<br \/> \u2022 Web Browser: The browser name that holds the credentials<br \/> \u2022 User Name, Password: The credentials<br \/> \u2022 Password Strength: Strong or weak<br \/> \u2022 User Name Field: The control name of the user name field<br \/> \u2022 Password Field: The string entered in the 
password field<br \/> \u2022 Created Time: When it was saved<br \/> \u2022 Modified Time: Time when credentials were updated<br \/> \u2022 Filename: What file it has stolen the credentials from <\/p>\n<p>All the credentials are saved in a temporary file.<\/p>\n<h3><b>Module2 &#8211; Stealing Email Contact Information<\/b><\/h3>\n<p>This module steals its victim\u2019s email contacts from their email folders inside Microsoft Outlook by going through the victim\u2019s emails one by one. It keeps the gathered contact information in a doubly-linked chain structure.<\/p>\n<p>Figure 4.1 shows one email contact obtained from an email within my test Outlook account that was then added into the doubly-linked chain, as shown at the bottom. The collected data shows the Person name and Email address of the email sender. In this example, it collected \u201cOutlook\u201d and \u201coutlook@email2.office.com\u201d from the displayed email message.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_2055525559.img.png\/1648061360829\/img4.png\" alt=\"Screenshot of One stolen contact in a doubly-linked chain\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4.1 \u2013 One stolen contact in a doubly-linked chain<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This module enumerates all collected emails and puts the unique email contact information into the doubly linked chain. 
To collect Outlook\u2019s data, it has to call several APIs, including MAPIInitialize(), MAPILogonEx(), and MAPIFreeBuffer(), as well as create some COM objects by calling the API CoCreateInstance(), such as OlkAccountManager and OlkMail.<\/p>\n<p>Finally, it retrieves those email contacts from the linked chain one by one and saves them into the temporary file that comes from the command line parameter. Figure 4.2 shows a screenshot of the temporary file, \u201c%temp%\\6827.tmp\u201d in this example, along with the collected email contacts.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_802454471.img.png\/1648061384493\/img-4.2.png\" alt=\"Screenshot of The temporary file with stolen email contact information\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4.2 \u2013 The temporary file with stolen email contact information<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b>Module3 &#8211; Stealing Account Settings of Victim\u2019s Email Clients<\/b><\/h3>\n<p>This functional module focuses on stealing its victim\u2019s email account settings and the credentials from their email clients. It is also a packer-protected module, so it does the same thing as Module1 when its entry point is called.<\/p>\n<p>According to my analysis, the unpacked PE file is an EXE file that is another freeware from NirSoft called \u201c<a href=\"https:\/\/www.nirsoft.net\/utils\/mailpv.html\" target=\"_blank\">Mail PassView<\/a>\u201d. 
It was originally designed as a small password recovery tool for email clients. Emotet is using the latest version\u2014v1.92. Figure 5.1 is a screenshot of this software running on my test environment.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_1454968894.img.png\/1648061121304\/img5.png\" alt=\"Screenshot of Open Mail PassView in my test environment\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.1 \u2013 Open Mail PassView in my test environment<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Going through its code and constant strings, we learned it could obtain email account settings and credentials from the following email clients or other clients that could save email credentials:<\/p>\n<p><b>Mozilla Thunderbird, Eudora, Microsoft Outlook, Microsoft Outlook Express, Windows Mail, MSNMessenger, Windows Live Mail, Group Mail, IncrediMail, Yahoo! Mail, Yahoo! Messenger, Hotmail, Google Desktop, and Google Talk.<\/b><\/p>\n<p>It collects the settings and credentials from both the system registry and the local configuration files of these email clients. 
Figure 5.2 is a segment of the ASM code from a common function that predefines many value names.<\/p>\n<p>The software repeatedly reads User Name, Server Address, Server Port, and similar information from the system registry through these value-names under the subkeys &quot;HKCU\\Software\\Microsoft\\Internet Account Manager\\Accounts&quot; and &quot;HKCU\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts&quot;, which are the places where the settings and credentials for Microsoft Outlook and Microsoft Outlook Express are saved.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_221401660.img.png\/1648061415093\/img-5.2.png\" alt=\"Screenshot of Defined value-names for reading from the system registry\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.2 \u2013 Defined value-names for reading from the system registry<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This time, the command line parameter string to this software is &quot;\/scomma C:\\Users\\Bobs\\AppData\\Local\\Temp\\8042.tmp&quot;, where &quot;\/scomma&quot; allows the process to run without a window and save the retrieved information to the 
temporary file that follows.<\/p>\n<h3><b>Thread-Module \u2013 Submit Stolen Data<\/b><\/h3>\n<p>With the functional modules working to steal sensitive data, the thread-module keeps monitoring the temporary file until it is created with the stolen information.<\/p>\n<p>It then loads the stolen data from the temporary file into memory and deletes the file. Before submitting the stolen data to the C2 server, it compresses the data and encrypts it.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_1643299433.img.png\/1648061437321\/img-6.1.png\" alt=\"Screenshot of Call BCryptEncrypt() to encrypt the stolen data\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6.1 \u2013 Call BCryptEncrypt() to encrypt the stolen data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This example, shown in Figure 6.1, is where it was about to call the API BCryptEncrypt() to encrypt the packet, which begins at 4790E0. The section outlined in red is the packet header. It contains the packet type (0x3EA) that tells the C2 server what kind of data is in the packet, a SHA-256 hash (69 35 \u2026 3C 4A) of the data, a module ID (0x14), as well as the Victim\u2019s ID. The subsequent data, marked in blue, starts with the data size (0x398) of the following data (from 10 55 52 4C \u2026 to the end), which is the compressed web browser credentials.<\/p>\n<p>This thread-module uses eleven C2 servers to receive data stolen from the victim\u2019s device. 
The IP and Ports of these C2 servers are encrypted in memory and get decrypted before submitting the stolen data. The three downloaded modules have the same C2 server list, which can be found in the \u201cIOC\u201d section at the end of this analysis.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image_1059282975.img.png\/1648061066617\/img6.png\" alt=\"Screenshot of Display of a captured packet to C2 server with encrypted data\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6.2 \u2013 Display of a captured packet to C2 server with encrypted data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 6.2 is a screenshot of a proxy tool showing how the packet with the stolen victim\u2019s sensitive data is sent to its C2 server.<\/p>\n<p>It uses the HTTP Post method with a randomized URL to submit the stolen data in the body, which consists of a 40H-long exported key at the beginning with the encrypted data following, as shown in Figure 6.2. The C2 server can decrypt the submitted data using the 40H exported key.<\/p>\n<h2><b>Conclusion<\/b><\/h2>\n<p>In Part II of this analysis, I started with a received module packet from a C2 server and explained the structure of the packet. Next, I showed how the module (thread-module) is executed in a newly created thread. 
We then walked through how the thread-module performs process hollowing to execute the functional modules.<\/p>\n<p>In discussing the three received modules, I elaborated on what kind of data Emotet can steal from the victim\u2019s device, such as email contact information from the victim\u2019s email account, the email account\u2019s settings, credentials from the victim\u2019s email client, and credentials saved in a wide range of web browsers.<\/p>\n<p>Finally, going back to the thread-module, Emotet reads the stolen information from the given temporary files. It then compresses and encrypts the data, which is ultimately submitted using the HTTP Post method to the C2 server.<\/p>\n<h2><b>Fortinet Protections<\/b><\/h2>\n<p>Fortinet customers are already protected from this malware by FortiGuard\u2019s Web Filtering, AntiVirus, FortiMail, FortiClient, FortiEDR, and CDR (content disarm and reconstruction) services, as follows:<\/p>\n<p>The malicious Macro inside the Excel sample mentioned in Part I of the post can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.<\/p>\n<p>All relevant URLs have been rated as &quot;<b>Malicious Websites<\/b>&quot; by the FortiGuard Web Filtering service.<\/p>\n<p>The captured\u00a0Excel sample and the downloaded Emotet dll file are detected as &quot;<b>VBA\/Emotet.2826!tr.dldr<\/b> &quot; and &quot;<b> W32\/Emotet.B185!tr<\/b>&quot; and are blocked by the FortiGuard AntiVirus service.<b><\/b><\/p>\n<p>FortiEDR detects both the Excel file and Emotet dll file as malicious based on its behavior.<\/p>\n<p>In addition to these protections, Fortinet also provides multiple solutions designed to help train users in detecting and understanding phishing threats:<\/p>\n<p>We encourage organizations to have their end users take our\u00a0FREE\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE Training<\/a>:\u00a0<a 
href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. It includes a module on Internet threats designed to help end-users learn how to identify and protect themselves from various types of phishing attacks.<\/p>\n<p> This training can then be reinforced using our FortiPhish phishing simulation service. It uses real-world attack scenarios to train users, test awareness and vigilance, and reinforce proper practices for handling phishing incidents.<\/p>\n<h2><b>IOCs<\/b><\/h2>\n<p><b>C2 Server List in the three thread-modules:<\/b><\/p>\n<p>144[.]217[.]88[.]125:443<\/p>\n<p>67[.]205[.]162[.]68:8080<\/p>\n<p>54[.]36[.]98[.]59:7080<\/p>\n<p>45[.]184[.]36[.]10:8080<\/p>\n<p>47[.]110[.]149[.]223:8080<\/p>\n<p>159[.]65[.]1[.]71:8080<\/p>\n<p>51[.]178[.]186[.]134:443<\/p>\n<p>131[.]100[.]24[.]199:8080<\/p>\n<p>51[.]91[.]142[.]158:80<\/p>\n<p>51[.]79[.]205[.]117:8080<\/p>\n<p>176[.]31[.]163[.]17:8080<\/p>\n<p><i>Learn more about <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a> global threat intelligence and research and the <a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/fortiguard-services-bundles.html?utm_source=blog&amp;utm_campaign=fortiguard-service-bundles\">FortiGuard Security Subscriptions and Services<\/a> portfolio.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" 
src=\"\/blog\/threat-research\/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii\/_jcr_content\/root\/responsivegrid\/image.img.png\/1647987906778\/picture1blog.png\"\/><br \/>FortiGuard Labs discovered more than 500 Microsoft Excel files involved in a campaign to deliver a fresh Emotet Trojan variant. Read part II of our analysis to learn more about malicious modules involved and how to avoid this lure.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18574","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18574"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18574\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18574"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}