This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Malspam delivers Emotet 6-26-2017

AhmedSonbol1
Employee
Employee
‎2017-06-27 05:48 PM

Malspam activity was noted on June 26th 2017, delivering Emotet banking trojan. It leverages malicious Word documents with embedded macros.

 

Scan results of a delivery document can be found here. An attacker can easily lure the victim to run the embedded macro:

 

0007.jpg

 

Submitting the delivery document to What's This File service shows its maliciousness:

 

emotet-wtf.png

 

Upon running the macro launches a powershell script to download and run the malware. Here is the process tree:

 

emotet-sandbox.png

 

Here is the GET request in NetWitness Logs and Packets, as well as the file checksum using the "View Files" option of the download session:

 

emotet-session.png

 

emotet-files.png

 

The Hunting pack registered the following meta values for the download sessions indicating highly suspicious traffic:

 

emotet-navigate.png

 

Analysis results on VirusTotal suggest the final payload is an Emotet variant, a banking trojan that has been around since 2014.

 

All the IOC from those HTTP sessions were added to FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threadt.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

 

Further reading:

  1. more invoice malspam with links to download word doc deliver malware – My Online Security 
  2. New Variant of Geodo/Emotet Banking Malware Targets UK | Forcepoint 
  3. https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/ 
2 Comments
MichaelPochan
Beginner
Beginner
‎2017-06-28 01:35 PM
‎2017-06-28 01:35 PM

Is Whatsthisfile.net going to be a service that all RSA customers can use (seems open to anyone now during the pre-release stage). Also, are there any API docs or integrations with Netwitness packets planned for the future? The big one would be to be able to submit extracted files from Netwitness directly to this sandbox without having to risk downloading the extracted file locally to your machine, thus risking infection. 

0 Likes
BrianGirardi
Employee
Employee
‎2017-06-28 04:40 PM
‎2017-06-28 04:40 PM
The whatsthisfile.net site will be officially launched shortly as a project from @RSA Labs, it will be available for everyone to use free.  It is targeted towards manual submission of files for malware analysis — one-at-a-time. I can’t guarantee what the future may hold for the technology, but I do feel confident, for that specific usage scenario it will remain as freeware.  So have fun with it, and let us know what you think.
Integration with NetWitness makes a lot of sense, as well as API bulk submission, both have been discussed by the team building the service. However, at this time we don't have any timeline for future product roadmap commitment.  If you want to influence that, contact your friendly product manager and let them know!  Thanks -- BG 
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.