Emotet is a trojan that steals financial information, AKA, “Banking Malware”. Trojans give cybercriminals a backdoor to systems, making it possible to spy on confidential information like banking credentials and to exfiltrate data. In order to get a trojan onto a system, an attacker will want to disguise it as something else.
Once the Christmas holiday season rolled around, the malicious actors behind Emotet started sending out some unwanted gifts to email inboxes. The emails appear to be wishing you a Merry Christmas and sending you a holiday gift card, or an E-card greeting. They include a link that downloads a malicious word document and if macros execute, the Emotet trojan is downloaded to the system. The link leads to a compromised website. The URIs in the links have been similar to “Your-Holiday-Gift-Card”. The downloaded document will be named something similar.
We’ve seen the malicious actors continue to use this tactic since Christmas, and on into this week.
The various URIs we have observed:
Throughout 2017 Emotet relied on spam messages that included attached malicious word documents of fake invoices from various companies and sometimes “voicemail” attachments. It then evolved to contain links in the message body that lead to the download of the word document.
The invoice tactic contains URIs on compromised sites using words similar to:
This URI pattern works to look legitimate to individuals that deal with accounts payable, shipping, finance, etc. Someone that deals with many invoice requests in a day may not find the type of attachment or download out of the ordinary.
Unwrapping the Gift
The macro included in the word doc executes a powershell script that downloads the payload. The emotet banking trojan is downloaded and often times additional malware.
The powershell script is obfuscated, but with some effort we can find the possible URLs that will be contacted to get the payload.
The Reason for the Season
Many of the compromised sites were running outdated WordPress versions 3.5 through 4.7 which has multiple vulnerabilities where attackers can inject malicious script and html, compromising the site.
A few of these compromised sites appeared to have tried to clean up and failed. One of the compromised sites seems to have performed a WordPress upgrade without removing the infected URLS and a SEO spam infection, showing a lingering security problem.
The latest URLs that we have seen hosting the malicious doc files:
C2 servers observed in the samples:
Cisco Umbrella will continue investigating these “gifts” in order to block new malicious infrastructure used by cybercrimminals as they continually change their tactics.