Recently (on March 18 2023 at 23:44) a new malspam campaign was observed in the wild (HERE), and it raised a significant amount of concern. The campaign distributes malicious emails carrying a payload that can infect the recipient's system, steal sensitive information, or stage further attacks.
As a professional, I have been closely monitoring this campaign and analyzing the malware samples associated with it. In this blog post, I will provide a quick analysis of the new malspam sample that I recently observed on the public version of Yomi (HERE), a well-known sandbox used by many security professionals.
By examining the behavior of this sample, I hope to shed light on the techniques used by the attackers and provide insights that can help security teams detect and mitigate this threat. So, without further ado, let’s dive into the analysis.
The following image shows the technique in use. Random variable names, encoded strings, void functions, unused recursive code and a large amount of padding code were employed to make analysis harder. Scrolling through the functions and following the variable names, it became clear that many pieces of code end up in infinite loops that are never reached or in self-recursive functions that are never called.
Looking deeper, two very long strings located at positions 1019 and 1023 stood out. They looked encoded and were referenced from many functions, so to me they were the natural starting point for the analysis.
If you copy and paste the source code into the console of your browser's developer tools (for example Chrome's DevTools) and add a console.log() at the top of the called functions, you can watch what the script passes to, and receives from, those functions. Do this only in a disposable analysis VM: the pasted script runs with the privileges of the page you are on, and even a partially executed dropper may reach out to its distribution hosts. Interacting with the browser console yields the following beautified code. As you can see, it is still somewhat obfuscated: random variable names and encoded strings are still in use at this stage, so one more decoding step is needed.
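To make the console technique concrete, here is an added example (my own constructed code, not the campaign's script): a small javascript-obfuscator-style sample with an encoded string array and an index-offset decoder, plus the console.log wrapper placed around the decoder. The array contents, the names _0x4f2a, _0x2c91 and _0x9b3e, and the index offset 0x1f3 are all assumptions for illustration. Run it with node; in a browser console replace Buffer.from(..., 'base64') with atob().

```javascript
// Added example, not the campaign's script. A constructed javascript-obfuscator-style
// sample (encoded string array + index-offset decoder) together with the console.log
// hook described in the text: wrap the decoder so every call prints the index it was
// given and the plaintext it hands back. Buffer is Node-only; use atob() in a browser.

// --- constructed obfuscated sample; the strings are placeholders, not real IoCs ---
const _0x4f2a = [
  'aHR0cDovL2V4YW1wbGUuaW52YWxpZC9zdGFnZTIuZGxs',
  'TVNYTUwyLlhNTEhUVFA=',
  'b3Blbg==',
  'R0VU',
];

function _0x2c91(_0xidx) {                 // decoder: undo the index offset, base64-decode
  return Buffer.from(_0x4f2a[_0xidx - 0x1f3], 'base64').toString('utf8');
}

function _0x7d1e(_0xn) {                   // dead code: self-recursive, never called
  return _0x7d1e(_0xn + 1);
}

function _0x9b3e() {                       // the entry point that actually does work
  const _0xo = _0x2c91(0x1f4);             // COM object name
  const _0xm = _0x2c91(0x1f5);             // method
  const _0xv = _0x2c91(0x1f6);             // HTTP verb
  const _0xu = _0x2c91(0x1f3);             // URL
  for (let _0xi = 0; _0xi < 0; _0xi++) {   // loop that never runs
    _0x7d1e(_0xi);
  }
  return [_0xo, _0xm, _0xv, _0xu];
}

// --- the analyst's side: hook the decoder instead of re-implementing it ---
let recoveredStrings = null;

function hookDecoder() {
  if (recoveredStrings) return recoveredStrings;   // install the wrapper only once
  const original = _0x2c91;
  recoveredStrings = new Map();
  // Function declarations are mutable bindings, so the obfuscated code now calls
  // the wrapper; in a browser console this is the same as window._0x2c91 = ...
  _0x2c91 = function (...args) {
    const plain = original.apply(this, args);
    console.log(`${original.name}(0x${args[0].toString(16)}) -> ${JSON.stringify(plain)}`);
    recoveredStrings.set(args[0], plain);
    return plain;
  };
  return recoveredStrings;
}

function recover() {
  const seen = hookDecoder();
  const pieces = _0x9b3e();                // run the obfuscated entry point under the hook
  return { strings: Object.fromEntries(seen), pieces };
}

console.log(recover().pieces);
```

Hooking the decoder rather than reversing it is the point: the obfuscator can change its encoding, rotation or index offset between builds, but the script still has to call the decoder with the right indices to run, so the hook recovers the strings in the order the code actually uses them and never touches the dead recursive functions or the loops that never execute.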
Now a simple curl or wget (your choice), run from an isolated analysis host, downloads the content from one of the distribution hosts identified in the previous step. The following table sums up the result: the dropped payload is a Windows Portable Executable, specifically a dynamic-link library (DLL).
| Field | Value |
|---|---|
| Type | Windows PE (DLL) |
The payload is flagged by 29 of the 64 engines on VirusTotal. It looks to be Emotet.
Over the years, Emotet has been linked to several high-profile incidents, including the 2018 infection of the City of Allentown, Pennsylvania, and the 2020 infection of Quebec's Department of Justice. Emotet is attributed to the cybercriminal group tracked as TA542, also known as Mummy Spider, which is believed to operate out of Russia or Eastern Europe.
Emotet is typically distributed through spam emails carrying malicious attachments or links to compromised websites. Once installed on a machine, it can spread laterally through the network and download additional malware. Beyond stealing sensitive information (notably email credentials and message contents, which feed its next spam waves), Emotet has been used as a loader for other families such as TrickBot and Qbot and, through them, for ransomware deployment.