{"id":7572,"date":"2017-05-09T10:40:09","date_gmt":"2017-05-09T18:40:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/09\/news-1357\/"},"modified":"2017-05-09T10:40:09","modified_gmt":"2017-05-09T18:40:09","slug":"news-1357","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/05\/09\/news-1357\/","title":{"rendered":"Deep Analysis of New Emotet Variant \u2013 Part 2"},"content":{"rendered":"<p><strong>Credit to Author: Xiaopeng Zhang | Date: Tue, 09 May 2017 11:11:59 -0700<\/strong><\/p>\n<div class=\"entry\">\n<h2>Background<\/h2>\n<p>This is the second part of FortiGuard Labs\u2019 deep analysis of the new Emotet variant. In <a href=\"https:\/\/blog.fortinet.com\/2017\/05\/03\/deep-analysis-of-new-emotet-variant-part-1\">the first part<\/a> of the analysis we demonstrated that by bypassing the server-side <strong>Anti-Debug<\/strong> or <strong>Anti-Analysis<\/strong> technique we could download three or four modules (.dll files) from the C&#038;C server. In that first blog we only analyzed one module (I named it \u2018module2\u2019). In this blog, we\u2019ll review how the other modules work. Here we go.<\/p>\n<h2>Stealing email addresses from MS Outlook PST files<\/h2>\n<p>As I detailed in Part 1 of this blog, the first module we\u2019re looking at here (I\u2019ve named it \u2018module1\u2019) is loaded in a ThreadFunction, whose main function is to go through all Outlook accounts by reading the PST files. A PST file is a personal folder file in Microsoft Outlook that stores your email messages, calendar, tasks, and other items. PST files are usually located in the \u201cDocuments\\Outlook Files\u201d folder on your computer. See Figure 1.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII1.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 1. 
PST files<\/p>\n<p>Microsoft has provided a group of APIs called MAPI (Microsoft Outlook Messaging API), which is the messaging architecture for Microsoft Outlook. Using the MAPI functions you can operate on PST files. These functions are used in the module1 file.<\/p>\n<p>Once the module1 file is executed, it creates a temporary file that is used to store the stolen Outlook version information and the email addresses that have been collected. Loading MAPI functions is the next step. Figure 2 shows how, along with what it loads.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII2.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 2. Loading MAPI functions<\/p>\n<p>It then starts reading all PST files according to the Outlook accounts on the computer, going through all email messages with an unread status in every folder (Inbox, Deleted Items, Junk E-mail, Sent Items, etc.) under one email account. It steals the sender name and the email address from each unread email. Figure 3 shows a sample unread email about a Facebook notification that was sent to me.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII3.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 3. Sample unread email message<\/p>\n<p>Figure 4 shows what module1 has stolen from the unread email message shown in Figure 3. \u201cFacebook\u201d is the sender name, and \u201cnotification+kr4yxeragnmn@facebookmail.com\u201d is the sender\u2019s email address.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII4.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 4. The stolen email information in the memory buffer<\/p>\n<p>As I mentioned before, the stolen data is saved in a temporary file. 
In this case, it\u2019s \u201cAE74.tmp.\u201d It will be read when module1 prepares to encrypt and send the stolen information to its C&#038;C server. Figure 5 shows the data before encryption, which is read from \u201cAE74.tmp.\u201d<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII5.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 5. Data before encryption<\/p>\n<p>As you can see, it contains the Outlook version and the stolen email information. Once encrypted, the data is sent to the C&#038;C server through a \u201cPOST\u201d request. Figure 6 is the packet screenshot from Wireshark.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII6.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 6. Sending the encrypted data to the C&#038;C server<\/p>\n<h2>Sending spam using the C&#038;C server template<\/h2>\n<p>This is the largest Emotet module (I have named it \u2018module4\u2019) of the malware\u2019s four modules. Its main function is to send spam to the email addresses which were stolen and sent to the C&#038;C server. When it is executed in a thread it generates a GUID by calling the CoCreateGuid function. It then base64-encodes the GUID and sends it as a cookie to the C&#038;C server. The response provides the encrypted spam message, as well as the email addresses that the spam will be sent to. The two figures below show the packet from the C&#038;C server, as well as the content after decryption.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII7.png\" style=\"width: 70%;\" \/><\/p>\n<p align=\"center\">Figure 7. 
Sent GUID and response from the C&#038;C server<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII8.png\" style=\"width: 70%;\" \/><\/p>\n<p align=\"center\">Figure 8. Decrypted spam template and email addresses<\/p>\n<p>Once module4 receives the decrypted data, it reads out the spam template and the email addresses the spam message is being sent to. Module4 supports the SMTP protocol over both port 25 (regular) and port 587 (SSL). The figures below show how it uses the SMTP protocol to spread this spam, and what the spam looks like in an email client.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII9.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 9. Related code and data generating SMTP packets<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII10.png\" style=\"width: 70%;\" \/><\/p>\n<p align=\"center\">Figure 10. Spam shown in Wireshark<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII11.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 11. Spam shown in email client<\/p>\n<p>As you can see in Figure 11, the spam attempts to trick the email recipients into opening a URL that points to a malicious Word file. Figure 12 shows its antivirus detection rating on VirusTotal.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII12.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 12. 
Antivirus detection rate on VirusTotal<\/p>\n<h2>Conclusion<\/h2>\n<p>From this deep analysis of the new Emotet variant we can see that it focuses on stealing email-related data from a victim\u2019s device, and then uses that device and the email addresses it has collected from it to send spam that can spread other malware.<\/p>\n<p>NOTE: At the end of my analysis, I noticed that the Anti-Debug technique on the server side sometimes worked, and sometimes didn\u2019t.<\/p>\n<p>The URL attached to the spam generated by this malware has been detected as <strong>Malicious Websites<\/strong> by the FortiGuard Webfilter service, and the downloaded Word file has been detected as <strong>WM\/Agent.DEA!tr.dldr<\/strong> by the FortiGuard Antivirus service.<\/p>\n<h2>Summary of the Four Received Modules<\/h2>\n<p>Module1 (size 1C000h): steals email addresses and the recipients\u2019 names from Outlook PST files.<\/p>\n<p>Module2 (size 32000h): steals credentials from installed Office Outlook, IncrediMail, Group Mail, MSN Messenger, Mozilla ThunderBird, etc. The analysis of this module was provided in the first blog.<\/p>\n<p>Module3 (size 70000h): steals saved information in browsers. 
Since it\u2019s simple, I chose not to provide any analysis.<\/p>\n<p>Module4 (size 0F0000h): sends spam to spread other malware.<\/p>\n<h2>IoC<\/h2>\n<p><strong>URL:<\/strong><\/p>\n<p>&#8220;hxxp:\/\/ hand-ip.com\/Cust-Document-5777177439\/&#8221;<\/p>\n<p><strong>Sample SHA256:<\/strong><\/p>\n<p>ORDER.-Document-7023299286.doc<\/p>\n<p>D8CFE351DAA5276A277664630F18FE1E61351CBF3B0A17B6A8EF725263C0CAB4<\/p>\n<h2>Reference<\/h2>\n<p><a href=\"https:\/\/support.office.com\/en-us\/article\/Introduction-to-Outlook-Data-Files-pst-and-ost-6d4197ec-1304-4b81-a17d-66d4eef30b78\">https:\/\/support.office.com\/en-us\/article\/Introduction-to-Outlook-Data-Files-pst-and-ost-6d4197ec-1304-4b81-a17d-66d4eef30b78<\/a><\/p>\n<p><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/287070\/how-to-manage-.pst-files-in-microsoft-outlook\">https:\/\/support.microsoft.com\/en-us\/help\/287070\/how-to-manage-.pst-files-in-microsoft-outlook<\/a><\/p>\n<p><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/office\/cc765775(v=office.14).aspx\">https:\/\/msdn.microsoft.com\/en-us\/library\/office\/cc765775(v=office.14).aspx<\/a><\/p>\n<\/div>\n<p><a href=\"http:\/\/blog.fortinet.com\/2017\/05\/09\/deep-analysis-of-new-emotet-variant-part-2\" target=\"bwo\" >https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/emotetII1.png\"\/><\/p>\n<p><strong>Credit to Author: Xiaopeng Zhang | Date: Tue, 09 May 2017 11:11:59 -0700<\/strong><\/p>\n<p>This is the second part of FortiGuard Labs\u2019 deep analysis of the new Emotet variant. In the first part of the analysis we demonstrated that by bypassing the server-side Anti-Debug or Anti-Analysis technique we could download three or four modules (.dll files) from the C&amp;C server. In that first blog we only analyzed one module (I named it \u2018module2\u2019). 
In this blog, we\u2019ll review how the other modules work. Here we go.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-7572","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7572"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7572\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}