Malspam delivers Emotet 6-26-2017

Blog Post created by Ahmed Sonbol

on Jun 27, 2017

Like • Show 1 Like1
Comment • 2

Malspam activity was noted on June 26th 2017, delivering Emotet banking trojan. It leverages malicious Word documents with embedded macros.

Scan results of a delivery document can be found here. An attacker can easily lure the victim to run the embedded macro:

Submitting the delivery document to What's This File service shows its maliciousness:

Upon running the macro launches a powershell script to download and run the malware. Here is the process tree:

Here is the GET request in NetWitness Logs and Packets, as well as the file checksum using the "View Files" option of the download session:

The Hunting pack registered the following meta values for the download sessions indicating highly suspicious traffic:

Analysis results on VirusTotal suggest the final payload is an Emotet variant, a banking trojan that has been around since 2014.

All the IOC from those HTTP sessions were added to FirstWatch Command and Control Domains feed on Live with the following meta values:

threadt.source = 'rsa-firstwatch'
threat.category = 'malspam'
threat.description = 'delivery-domain'

Outcomes

Michael Pochan Jun 28, 2017 1:35 PM

Is Whatsthisfile.net going to be a service that all RSA customers can use (seems open to anyone now during the pre-release stage). Also, are there any API docs or integrations with Netwitness packets planned for the future? The big one would be to be able to submit extracted files from Netwitness directly to this sandbox without having to risk downloading the extracted file locally to your machine, thus risking infection.

Actions

Brian Girardi

@ Michael Pochan on Jun 28, 2017 4:45 PM

The whatsthisfile.net site will be officially launched shortly as a project from @RSA Labs, it will be available for everyone to use free. It is targeted towards manual submission of files for malware analysis — one-at-a-time. I can’t guarantee what the future may hold for the technology, but I do feel confident, for that specific usage scenario it will remain as freeware. So have fun with it, and let us know what you think.

Integration with NetWitness makes a lot of sense, as well as API bulk submission, both have been discussed by the team building the service. However, at this time we don't have any timeline for future product roadmap commitment. If you want to influence that, contact your friendly product manager and let them know! Thanks -- BG

Actions

2 Comments

Michael Pochan Jun 28, 2017 1:35 PM
Is Whatsthisfile.net going to be a service that all RSA customers can use (seems open to anyone now during the pre-release stage). Also, are there any API docs or integrations with Netwitness packets planned for the future? The big one would be to be able to submit extracted files from Netwitness directly to this sandbox without having to risk downloading the extracted file locally to your machine, thus risking infection.
Like • Show 0 Likes0
Actions
- Brian Girardi @ Michael Pochan on Jun 28, 2017 4:45 PM
  The whatsthisfile.net site will be officially launched shortly as a project from @RSA Labs, it will be available for everyone to use free. It is targeted towards manual submission of files for malware analysis — one-at-a-time. I can’t guarantee what the future may hold for the technology, but I do feel confident, for that specific usage scenario it will remain as freeware. So have fun with it, and let us know what you think.
  
  Integration with NetWitness makes a lot of sense, as well as API bulk submission, both have been discussed by the team building the service. However, at this time we don't have any timeline for future product roadmap commitment. If you want to influence that, contact your friendly product manager and let them know! Thanks -- BG
  Like • Show 0 Likes0
  Actions