{"id":18784,"date":"2022-04-17T20:40:02","date_gmt":"2022-04-18T04:40:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/17\/news-12517\/"},"modified":"2022-04-17T20:40:02","modified_gmt":"2022-04-18T04:40:02","slug":"news-12517","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/17\/news-12517\/","title":{"rendered":"Trends in the Recent Emotet Maldoc Outbreak"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Affected Platforms:<\/b> Microsoft Windows<br \/> <b>Impacted Users:<\/b> Windows users<br \/> <b>Impact: <\/b>Controls victim&#8217;s device and collects sensitive information<br \/> <b>Severity Level<\/b>: Critical <\/p>\n<p>Emotet is a <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/malware?utm_source=blog&amp;utm_campaign=malware\">malware<\/a> family that steals sensitive and private information from victims&#8217; computers. The malware has infected more than a million devices and is considered one of the most dangerous threats of the decade.<\/p>\n<p>In addition to analyzing threats, <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguardlabs\">FortiGuard Labs<\/a> also focuses on how malware spreads. We have observed that the recent Emotet outbreak is being spread through a variety of malicious Microsoft Office files, or maldocs, attached to <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/phishing?utm_source=blog&amp;utm_medium=blog&amp;utm_campaign=phishing\">phishing emails<\/a>. 
Once a victim opens the attached document, a VBA Macro or Excel 4.0 Macro is used to execute malicious code that downloads and runs the Emotet malware.<\/p>\n<p>In this blog, we will focus on what these malicious documents look like and how they drop Emotet malware onto a victim&#8217;s local disk. We will first look at the samples captured in this campaign and then examine their propagation trends.<\/p>\n<h2>Phishing Emails with Malicious Attachment<\/h2>\n<p>The recent Emotet outbreak uses phishing emails combined with social engineering to trick victims into loading the malware onto their devices. These emails often include &quot;Re:&quot; or &quot;Fw:&quot; in the subject line, as shown in Figure 1 and 2, to disguise the email as a reply or forwarded message to help convince the target that the email is legitimate.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649958189016\/figure-01-screen.png\" alt=\"Emotet Maldoc: Screenshot of Reply email with an attachment\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Reply email with an attachment<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_1519040064.img.png\/1649958204877\/picture2.png\" alt=\"Emotet Maldoc: 
Screenshot of Forwarded email with .xls file attachment\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Forwarded email with .xls file attachment<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 3 showcases another technique, where the malicious document is packed into a password-protected ZIP archive attached to the email, with the password included in the body of the message.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_354781073.img.png\/1649958215443\/figure-03-screen.png\" alt=\"Emotet Maldoc: Screenshot of Email with a password-protected ZIP archive attachment\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Email with a password-protected ZIP archive attachment<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Examining the Malicious Excel Files and Word Documents<\/h2>\n<p>The attached Excel files and Word documents contain malicious macros. Once opened, they display an image asking the victim to click the &quot;Enable Content&quot; button in the security warning bar, which allows the malicious macro to execute.<\/p>\n<p>The images below show the techniques used to trick victims into clicking the &quot;Enable Content&quot; button in the Excel files and Word documents used in this campaign. 
Figure 4 shows a screenshot of an opened Word document, and Figure 5 shows an opened Excel file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_356781980.img.png\/1649958228687\/figure-04-screen.png\" alt=\"Emotet Maldoc: Screenshot of Word document content when opened\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Word document content when opened<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_1025978534.img.png\/1649958238936\/figure-05-screen.png\" alt=\"Emotet Maldoc: Screenshot of Excel file content when opened\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: Excel file content when opened<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Analyzing the Malicious Macros and their Behaviors<\/h2>\n<p>Macros in Microsoft Office files are usually written in VBA (Visual Basic for Applications). In this case, the Word documents contain malicious VBA code, while the Excel files use Excel 4.0 Macro in addition to VBA Macro.<\/p>\n<p>We captured five different samples connected with this Emotet campaign that differ in their macro code and execution flow. 
For identification purposes, we have given each sample a tag name derived from when the sample first appeared. The tag name consists of two parts connected by an underscore: a year prefix and a suffix giving the month and the week of that month.<\/p>\n<p>The first sample appeared in the third week of November 2021 and its tag name is &quot;2021_NovW3&quot;. It is an Excel file or Word document with a VBA Macro. The second is an Excel file using an Excel 4.0 Macro. It appeared in the fourth week of November 2021 with the tag name &quot;2021_NovW4&quot;. The third sample is a Word document with a VBA Macro and has the tag name &quot;2021_DecW2&quot;. The fourth sample is an Excel file with an Excel 4.0 Macro. Its tag name is &quot;2021_DecW4&quot;. The fifth sample is an Excel file with a VBA Macro and the tag name &quot;2022_FebW2&quot;.<\/p>\n<p>Below is an analysis of the malicious macro component of each captured sample.<\/p>\n<h3><b>2021_NovW3:<\/b><\/h3>\n<p>This sample has a VBA function called &quot;Workbook_Open()&quot; or &quot;Document_Open()&quot; that is executed automatically when the file is opened. It then calls another function to write script data to a VBS file and save it in the &quot;C:\\ProgramData&quot; folder. 
Next, it uses &quot;Wscript.exe&quot; to execute the VBS file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_76645305.img.png\/1649958250303\/figure-06-screen.png\" alt=\"Emotet Maldoc: Screenshot of VBA code used to execute the dropped VBS file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: VBA code used to execute the dropped VBS file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The VBS file generates a PowerShell code snippet that downloads the Emotet malware dll into the &quot;C:\\ProgramData&quot; folder and then executes it using &quot;regsvr32.exe&quot;.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_1536347957.img.png\/1649958261323\/figure-07-screen.png\" alt=\"Emotet Maldoc: Screenshot of Script code in the dropped VBS file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: Script code in the dropped VBS file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b>2021_NovW4:<\/b><\/h3>\n<p>This is an Excel file that uses formulas on an Excel 4.0 Macro sheet instead of a VBA Macro to execute malicious code. 
As shown in Figure 8, some sheets are hidden, including the one that contains the malicious formulas. Cell A1 in sheet &quot;FEGFL&quot; carries the defined name &quot;Auto_Open&quot;, which makes Excel automatically run the formula in that cell once the file is opened.<\/p>\n<p>This macro sheet includes formulas that call the API &quot;URLDownloadToFileA&quot; to download the Emotet malware from different URLs. It tries the URL in each formula in turn until a download succeeds. The Emotet malware is a dll file saved with an .ocx file extension and executed using &quot;regsvr32.exe&quot;.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_692657553.img.png\/1649958290508\/figure-08-screen.png\" alt=\"Emotet Maldoc: Screenshot of The Macro Sheet is hidden and cell A1 is named &#34;Auto_Open&#34;\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: The Macro Sheet is hidden and cell A1 is named &#34;Auto_Open&#34;<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b>2021_DecW2:<\/b><\/h3>\n<p>This VBA code includes a function called &quot;AutoOpen()&quot; that automatically runs a macro when the document is opened. In this function, the document saves itself as an HTA (HTML Application) file in text format, as shown in Figure 9. At the same time, script data is placed in the content text area below the picture, hidden by using the minimum font size and a white font color (the font color has been changed to red in Figure 9 for easier viewing). 
Since the HTA file is saved in text format, only the text in the content area, that is, the script data, ends up in the file. To execute the HTA file, the VBA Macro uses &quot;explorer.exe&quot; on the Windows system.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_437883308.img.png\/1649958302126\/figure-09-screen.png\" alt=\"Emotet Maldoc: Screenshot of VBA code to save ActiveDocument as HTA file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: VBA code to save ActiveDocument as HTA file<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_234888683.img.png\/1649957417819\/figure-10-screen.png\" alt=\"Screenshot of VBA code to execute the dropped HTA file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: VBA code to execute the dropped HTA file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Script code in the HTA file extracts JavaScript code that downloads the Emotet malware. The Emotet malware is saved to the &quot;C:\\Users\\Public&quot; folder with a JPG file extension, but it is actually a dll file. 
In the end, the Emotet malware dll is executed with &quot;rundll32.exe&quot;.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_858540551.img.png\/1649958314948\/figure-11-screen.png\" alt=\"Emotet Maldoc: Screenshot of Script code in the HTA file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: Script code in the HTA file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b>2021_DecW4:<\/b><\/h3>\n<p>In the hidden macro sheet &quot;Macro1&quot;, cell F1 is named &quot;Auto_Open&quot; to automatically run the formula when the file is opened. There is normal text in the cells below cell F1 until cell F18, which contains the formula to execute. The simple formula, shown in Figure 12, uses &quot;mshta.exe&quot; to execute an HTML URL. 
The web page at the HTML URL is protected by HTML Guardian, a tool that encrypts HTML source code.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_680304575.img.png\/1649958329386\/figure-12-screen.png\" alt=\"Emotet Maldoc: Screenshot of Formula and &#34;Auto_Open&#34; in macro sheet\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: Formula and &#34;Auto_Open&#34; in macro sheet<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After decrypting the HTML source code, a VBScript code snippet obfuscated with the string &quot;{GOOGLE}&quot; is revealed, as shown in Figure 13. It runs a PowerShell code snippet that downloads and executes a script from a PNG URL. The file at the PNG URL is not an image but a PowerShell script containing multiple URLs from which to download the Emotet malware. 
Finally, the Emotet malware is saved as a dll file in the &quot;C:\\Users\\Public\\Documents&quot; folder and executed using &quot;rundll32.exe&quot;.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_1734875424.img.png\/1649958340720\/figure-13-screen.png\" alt=\"Emotet Maldoc: Screenshot of VBScript code used to run a PowerShell script\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13: VBScript code used to run a PowerShell script<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b>2022_FebW2:<\/b><\/h3>\n<p>This sample has the same code and execution flow as &quot;2021_DecW4&quot;, but instead of an Excel 4.0 Macro it uses a VBA Macro to execute its malicious behaviors. Figure 14 shows the content of the autorun function &quot;AutoOpen()&quot;. Although it contains a lot of comments, the VBA code is very simple: it uses &quot;mshta.exe&quot; to execute an HTML URL. 
Since the script code at the HTML URL and the subsequent process are identical to those of &quot;2021_DecW4&quot;, refer to that section for more details.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_1782562069.img.png\/1649958357417\/figure-14-screen.png\" alt=\"Emotet Maldoc: Screenshot of VBA code that executes an HTML URL\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14: VBA code that executes an HTML URL<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Attack Trends in the Latest Emotet Campaign<\/h2>\n<p>Emotet was first discovered in 2014 and continues to attack victims. The latest Emotet campaign broke out in mid-November of 2021 and is spread using malicious documents attached to phishing emails. <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguardlabs\">FortiGuard Labs<\/a> has been tracking these malicious documents as well as the number of variants used to evade detection in this campaign. Figure 15 shows the daily timestamps for Emotet maldocs used from mid-November 2021 to March 2022. All the samples mentioned in the previous section emerged during this period.<\/p>\n<p>The first attack appeared on November 16, 2021. After that, the campaign spread different types of malicious documents every week until the Christmas break. Once the break ended on January 12, the campaign surged with more frequent and consistent attacks, releasing a large number and variety of malicious documents. 
From the end of February through the end of March, the campaign switched to using the same type of malicious document (2021_NovW4) with different phishing picture templates. After February 28th, new malicious documents appeared every day except for weekends, with only one or two days off.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_1913404448.img.png\/1650073033656\/figure-15.png\" alt=\"Emotet Maldoc: Screenshot of Timeline of the latest Emotet Maldoc campaign\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15: Timeline of the latest Emotet Maldoc campaign<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Conclusion<\/h2>\n<p>In the previous section, we showed that some types of malicious documents have more timestamps on the timeline than others. The pie chart in Figure 16 is based on the occurrence frequency of timestamps, showing the usage rate of each malicious document in this campaign. According to this chart, &quot;2021_NovW4&quot; has been the most active, accounting for more than 50% of the malicious documents discovered. The second most common is &quot;2021_NovW3&quot;, consisting of 27% Excel files and 6% Word documents. It is worth mentioning that Excel files accounted for 93% of all malicious documents, much higher than Word documents at only 7%. One possible reason is that the Excel 4.0 Macro only works with Excel files. 
Because of this, users should be especially cautious about suspicious emails with an attached Excel file from an unknown sender.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_1747999643.img.png\/1649958389750\/picture16.png\" alt=\"Emotet Maldoc: Screenshot of Types of malicious documents in the campaign\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16: Types of malicious documents in the campaign<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguardlabs\">FortiGuard Labs<\/a> also collected the Emotet malware payloads during this period. Figure 17 shows the weekly counts of Emotet malware, with the timestamps for each Emotet maldoc in the timeline displayed below the bar chart. 
Weeks with high counts match when malicious documents appeared, while those without malicious documents were almost silent.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image_609986981.img.png\/1650073538272\/figure-17.png\" alt=\"Emotet Maldoc: Screenshot of Count of Emotet malware per week\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17: Count of Emotet malware per week<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The graph also shows that all malicious documents detected after Christmas were Excel files. Using an Excel file is more flexible because its macro type can be VBA Macro, Excel 4.0 Macro, or both. One of the benefits is that Excel 4.0 Macro, an older technique, bypasses antivirus detection more easily than a VBA Macro.<\/p>\n<p>As shown in the timeline, Emotet malware has primarily been spread since March 2022 through the malicious Excel file &quot;2021_NovW4&quot;, which uses the Excel 4.0 Macro. 
We believe that the authors prefer to use Excel files with Excel 4.0 Macro for malicious documents to reduce detection by antivirus engines.<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>Fortinet customers are protected from this malware by FortiGuard\u2019s <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering\">Web Filtering<\/a>, AntiVirus, <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=endpoint-web-page\">FortiClient<\/a>, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a>, and CDR (content disarm and reconstruction) services:<\/p>\n<p>The malicious macros inside the Excel sample can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.<\/p>\n<p><a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a> detects the Word and Excel files and Emotet dll file as malicious based on their behavior.<\/p>\n<p>Fortinet customers are protected from these malicious documents and malware by FortiGuard AntiVirus, which is included in <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>. 
It detects all malicious macro file types, including Excel 4.0 Macro samples.<\/p>\n<p>All malicious documents described in this report are detected by FortiGuard AntiVirus as follows:<\/p>\n<p>VBA\/Agent.8095!tr.dldr<br \/> VBA\/Agent.5A47!tr<br \/> VBA\/Bomber.46B3!tr.dldr<br \/> XF\/Agent.NN!tr.dldr<br \/> XF\/CoinMiner.Z!tr<br \/> MSExcel\/Agent.DVP!tr.dldr<br \/> HTML\/Sabsik.FL!tr<\/p>\n<p>The Emotet malware payloads are detected by FortiGuard AntiVirus as follows:<\/p>\n<p>W32\/Emotet.EHR!tr<br \/> W32\/GenKryptik.FSPR!tr<br \/> W32\/Emotet.1156!tr<br \/> W32\/Agent.FSUQ!tr<br \/> W32\/Kryptik.HNXJ!tr<br \/> W32\/Emotet.1143!tr<br \/> W32\/Emote.CQ!tr<\/p>\n<p>In addition, Fortinet has multiple solutions designed to train users on how to understand and detect phishing threats:<\/p>\n<p>The <a href=\"https:\/\/www.fortinet.com\/products\/phishing-simulation\">FortiPhish Phishing Simulation Service <\/a>uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.<\/p>\n<p>We also suggest that organizations have their end users go through our\u00a0FREE\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE training<\/a>:\u00a0<a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. 
It includes a module on Internet threats to train end users on how to identify and protect themselves from phishing attacks.<\/p>\n<h2>IOCs<\/h2>\n<h3>Malicious documents (SHA256):<\/h3>\n<p>3e97f09fc53890ba2d5ae2539b5c8df372ed2506ed217d05ff2cf8899d15b8e6<br \/> 2ecc2a48fa4eadb80367f69799277c54a0fe6dd2220a6a2dd7b81cfba328ed19<br \/> ed180371dfec2186148bbcab99102ce45fb1fcc3764b384c2abcaceba2fa65b6<br \/> 719900e330cecd87250ac1f6c31f2d6f42f226294fb011cf47c442f8d2b7455b<br \/> 3ccb809cd97cc08ff380600dcaa5244ef2abd7afd9e7a9f2df7c4e28fee637f0<br \/> e167804a6f36dc99e96909bcededa8a733dd8633037b8b52e8d7881d20446c16<br \/> bd9b8fe173935ad51f14abc16ed6a5bf6ee92ec4f45fd2ae1154dd2f727fb245<br \/> 57fcbb058fc0dfe0cce29676569f2e30d1f8a59345ab161d8183d0769428f4e2<\/p>\n<h3><b>Emotet malware (SHA256):<\/b><\/h3>\n<p>4900d1e66cef8507b265c0eec3ff94cb5f774847d969e044dc8ccd72334181f5<br \/> 2dcfcaaf3ccd8e06043e651cd5b761ae50f3463c6420d067b661969e0500dce2<br \/> 52f6fce27184b61ceb3c02d360e04dc1489c4136a0ffcbb39c50d27474e4283b<br \/> ccbefa930edc4d5b5b34a5dea16c73c9d3f3b4167406c3ae841bc71fce45c68e<br \/> cd105196cbf17f11dbff2b623f5bfaf9ef8d91f2598fe3bc2a7da192c2cee457<br \/> 9535c3f02ee8a47ad1392f36a1ff44a3d5cb067ecef748e63e1628bc489c9d90<br \/> ca2b7c0f2a2a42ce586d63ccfcf131f8b99d73521742cc15d6255e76f9278fbc<br \/> d5f4292d4f5661ce12dd8384cfbb22a3d17908290ba80d9de3a1697064d248a7<\/p>\n<p>\u00a0<\/p>\n<p><i>Learn more about Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div 
id=\"om-qbkzwxxbiv83f0ol5a2d-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/Trends-in-the-recent-emotet-maldoc-outbreak\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649958189016\/figure-01-screen.png\"\/><br \/>FortiGuard Labs observed that a recent Emotet outbreak is being spread through a variety of malicious Microsoft Office files, or maldocs, attached to phishing emails.  Read our blog to learn how the malware spreads, what the malicious documents look like, and how to avoid this scam.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18784","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18784"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18784\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18784"}],"wp:term":[{"taxo
nomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18784"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}