Persistent Emotet Malware with a Crafty Social Engineering Technique

Malware Family: Emotet

SHA256 Hash Vaule


View the Full VMRay Analyzer Report

With security ever more tightly integrated into operating systems, malware authors often rely on the unwitting participation of an end user to enable malicious action. Social engineering techniques have evolved significantly over the years and last week the VMRay Research Team identified a crafty spear-phishing email addressed to some our employees. The email was designed to look like it had been sent by the CEO of VMRay.

The email was designed to look like it had been sent by the CEO of VMRay (Figure 1). The CEO’s name and email address were also included in the email.

Social Engineering Email - Persistent Malware
Figure 1: Figure 1: Social Engineering – Fraudulent email from CEO to employees in the organization

The email simply states that it contains a link to a document with ‘the desired information’. A quick lookup of the URL contained in the email on VirusTotal reveals that only 4 out of 63 AV engines detect it as malicious.

VirusTotal Score - Persistent Malware
Figure 2: VirusTotal Score of the URL 4/63

On clicking the link in the email, a Word document is downloaded. The Word document contains a macro which is both obfuscated and encoded. Since Microsoft Office has security restrictions that prevent files from executing macros, especially when they are downloaded from the web, the malware author tries to trick the user to enable the macro by displaying three steps to enable the content (a social engineering technique that we also observed in the Microsoft Word ‘invoice’ analysis).

Word Doc Macro - Persistent Malware
Figure 3: Word document with macro downloaded upon clicking the link in the email

Encoded and Obfuscated Macro

The VMRay Research Team was able to decrypt and de-obfuscate the macro contained in the Word document. We can see in Figure 4 that the macro executes a series of PowerShell commands which downloads the malicious payload from a remote host in order to proceed to the next stage.

Decoded and Deobfuscated Maco - Persistent Malware
Figure 4: Decoded and De-obfuscated macro contained in the Word document

The downloaded PE file is then executed (42753.exe). It goes through several unpacking “stages” and finally creates a callback with CreateTimerQueueTimer(.) which executes the actual malicious payload (Figure 5).

Log File Timer Callback - Persistent Malware
Figure 5: VMRay Analyzer log file showing timer callback to execute malicious payload

The malicious payload collects and sends user and system information including computer name, CPU architecture and OS version, as well as a list of active processes to a remote host. This information can be seen in the function log generated by VMRay Analyzer (Figure 6).

Log File C&C Server - Persistent Malware
Figure 6: VMRay Analyzer log file showing data sent to C&C server by malware


To ensure that it persists even after the system is restarted, this malware sample adds an entry to the startup directory in the Windows registry. VMRay Analyzer detects this attempt by the malware (listed under Detected Threats) and ensures that an automatic reboot is performed in order to reveal the complete behavior of the malware sample.

Process Graph - Persistent Malware
Figure 7: Complete process flow graph generated by VMRay analyzer before and after the automatic reboot

VMRay Analyzer Results

In addition to the log file and complete process flow graph highlighted in Figures 4, 5 and 6, VMRay Analyzer also creates a summary of all the suspicious behavior patterns exhibited by the sample (Figure 8). A network activity graph is also created which shows all the hosts contacted (Figure 9).

VTI Score - Persistent Malware
Figure 8: VMRay Threat Identifier (VTI) Score and Detected Threats
Network Activity - Persistent Malware
Figure 9: VMRay Analyzer Network Activity Detection

It is important to note that VMRay Analyzer identifies the persistence attempt by the malware and initiates an automatic reboot of the system during the analysis. Perhaps more important to note is that VMRay Analyzer’s underlying technology allows it to perform a real system reboot in a matter of seconds as opposed to a less effective ‘simulated’ reboot that is often used by other sandboxing technologies.

After the reboot, the system continues to be monitored (indicated in the process flow graph in figure 6). The malware sample tries to establish contact with a C&C server to perform more malicious actions. Unfortunately, in our analysis, the malware could not successfully contact the C&C server after the reboot since the C&C server appeared to have been taken down already. Nevertheless, the connection attempt is detected by VMRay Analyzer and flagged in the report.

This example shows how social engineering techniques continue to evolve. It also highlights persistence as a technique used by malware authors to maintain access to systems even after interruptions such as system restarts.

View the complete VMRay Analyzer report for the downloaded Word document