Advisory October 21, 2020

Emotet Campaign Advisory

Obrela SOC

The Hunt for Blue October (Part 1)

Anatomy of the attack

Since mid-October many Greek organizations have been targets of the latest Emotet campaign. OBRELA-CSIRT has been relentlessly analyzing malware samples and monitoring network traffic since the beginning of the campaign. We have observed a shift from its original keylogging, proxy sniffing techniques into more stealthy and intrusive ones like code packing, persistence mechanisms and cryptographic key creation that is indicative of ransomware attack staging. Emotet is a Trojan commonly functioning as a downloader or dropper of other malware. This increase has rendered Emotet one of the most prevalent ongoing threats.

The campaign structure as of this moment can be summarized in the following picture

Breakdown of the campaign

TTPs (Tactics, Techniques, Procedures) observed

MITRE ATT&CK related techniques currently utilized in the campaign

 

Emotet Indicators of Compromise

Current Emotet campaign is tricking the victims by impersonating known entities of their environment (partner organizations, etc..) into clicking a link to download a malicious document or opening a malicious Word document contained as attachment in the email.

A typical malicious document is asking for updates like the following:

 

Payload Domains

After the document has been opened by the victim, out-bound connections with the following domains is established through PowerShell, to download the payload: the Emotet malware

  • hxxp://hashilife.com/sitepage/GY/
  • hxxp://anjia-ceramics.com/aliner-camper/K/
  • hxxps://monicasharma.info/reviewl/i/
  • hxxp://adidasyeezy.store/welph/m/@
  • hxxp://econews.treegle.org/how-to/2V/
  • hxxp://quicktowtowing.com/wp-content/mu-plugins/uMM/
  • hxxps://timsonntag.com/cgi-bin/g/

 

  • hxxp://yourprivatelife.com/wp-admin/sq/
  • hxxps://www.firsattrade.com/wp-content/pI/
  • hxxps://ashiq.xyz/wp-content/qX/
  • hxxps://aryabhattahighschool.com/wp-includes/C1x/@
  • hxxps://angelsandfriends.com/wp-includes/d31/
  • hxxps://dmccainlaw.com/wp-content/3/
  • hxxps://tvcableinternetdeal.com/wp-content/cu/

 

  • hxxp://innhanmacquanaogiare.com/wp-includes/Jh1/
  • hxxp://www.edgeclothingmcr.com/indexing/c9/
  • hxxps://thepremiumplace.com/wp-content/5/
  • hxxps://florinconsultancy.com/wp-content/1/
  • hxxps://udaysolopiano.com/wp-content/J/
  • hxxps://sanayate.com/wp-includes/hd/
  • hxxps://www.jorgecoronel.com/webmaster/kYH/

 

  • hxxp://michaelandrewsbakery.com/wp-admin/M/
  • hxxp://forsalebyowner247.com/wp-includes/8m/
  • hxxp://webgisjambi.com/wp-content/uploads/V5a/
  • hxxps://tigerstormtraffic.com/wp-includes/h23/
  • hxxp://twogirlscleaning.com/openbayl/KaI/
  • hxxp://online2u.biz/ogretmenevi/4Yj/

 

  • hxxps://caglayann.com/wp-admin/Xt1/
  • hxxps://crechereviver.org/siteunavailable/3/
  • hxxps://logistician.org/wp-admin/aGQ/
  • hxxps://passionpastry.com/wp-admin/n/
  • hxxps://ivytheme.com/wp-admin/LyR/
  • hxxps://secuado.com/wp-content/plugins/apikey/6/
  • hxxps://m-tash.com/wp-includes/9/

 

  • hxxp://plakatjogja.com/wp-content/X/
  • hxxp://vnadevelopers.com/wp-admin/BF/
  • hxxp://nursesweekparty.com/wp-includes/bQR
  • hxxps://www.hodmunha.info/wp-includes/Ce/
  • hxxps://novaworldsmuine.com/khudothiaquacity.com/a

C2 Servers

After the malware samples are downloaded, they are executed through WMI process to establish communication with the following C2 servers, performing keylogging and proxy inspection activities.

81.214.253.80

94.23.62.116

45.16.226.117

190.92.122.226

70.39.251.94

120.72.18.91

192.175.111.212

193.251.77.110

81.214.253.80

187.162.248.237

70.32.84.74

173.68.199.157

172.86.186.21

181.123.6.86

46.101.58.37

46.105.114.137

174.118.202.24

37.187.161.206

212.71.237.140

172.104.169.32

193.251.77.110

103.13.224.53

77.78.196.173

82.76.111.249

181.61.182.143

177.107.79.214

190.188.245.242

74.135.120.91

68.183.190.199

177.23.7.151

98.103.204.12

85.214.26.7

120.72.18.91

197.232.36.108

50.28.51.143

83.169.21.32

In all the analyzed samples, the communication between the C2 servers and the infected machines is done with the same User-Agent thus linking the incidents of various organizations, into the same Emotet campaign.

User AgentMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

OBRELA-CSIRT is noticing an alarming twist in recently analyzed samples. The Emotet payloads since Monday 26/10, employ persistence mechanisms in registry and services to survive reboot on Windows systems and utilized internal Windows APIs to create cryptographic keys. The latter is extremely disturbing, given that this activity is relevant to ransomware staging as these keys will be used to lock files within infected systems with unique and asymmetric encryption, unless ransom is paid.

Recommendations

  • Exercise extreme caution with attachments and links in emails.
  • Ensure anti-virus software and associated detection databased are up to date.
  • Keep applications and operating systems running at the current released patch level.
  • Restrict PowerShell and WMI usage to users endpoints to the absolute need for administrative purposes.
  • Consider blocking and or setting up detection for all URL and IP based IoCs on your security controls.

Our team will conclude The Hunt for Blue October saga in Part 2, where technical details and attack insights will be presented.