{"id":37740,"date":"2023-03-10T10:41:19","date_gmt":"2023-03-10T09:41:19","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=37740"},"modified":"2023-03-13T10:24:36","modified_gmt":"2023-03-13T09:24:36","slug":"the-whale-surfaces-again-emotet-epoch4-spam-botnet-returns","status":"publish","type":"post","link":"https:\/\/www.secuinfra.com\/en\/news\/the-whale-surfaces-again-emotet-epoch4-spam-botnet-returns\/","title":{"rendered":"The Whale surfaces again: Emotet Epoch4 Spam-Botnet returns"},"content":{"rendered":"<p><strong>The prolific Emotet spam botnet, more specifically its Epoch4 (E4) cluster, has made a comeback after about three months of inactivity.<\/strong> In this news post we summarize the current spam campaign and the threat it poses to businesses around the world.<\/p>\n<p>Emotet, which started out in 2014 as a banking trojan stealing online-banking credentials, evolved into a comprehensive platform for threat actors over 
time. It steals information, runs malspam campaigns from infected hosts and delivers later-stage malware, thereby enabling large-scale intrusions. The infrastructure behind Emotet changes frequently, as seen after the takedown <a  href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/world%e2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >coordinated by Europol in January 2021<\/a>, which resulted in a roughly ten-month gap in the spread of Emotet. After this break the threat actors behind the botnet bounced back and produced the second significant peak in Emotet activity.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Current_Malspam_Campaign\"><\/span>Current Malspam Campaign<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The new Emotet E4 campaign kicked off at around 12 AM UTC on the 7<sup>th<\/sup> of March 2023 (as observed by the <a  href=\"https:\/\/twitter.com\/Cryptolaemus1\/status\/1633099154623803394\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Cryptolaemus Group<\/a>, which specializes in tracking Emotet activity) and follows a distinct modus operandi across the observed malspam e-mails.<\/p>\n<p>The threat actors behind Emotet adopted a technique currently used by many other crimeware actors: padding malicious files with null bytes until they exceed the file-size limits of many anti-virus, EDR and sandbox solutions, which skip or only partially scan very large files to limit the performance impact. To hide the file size from the user, the malicious document lures are delivered inside archive files (e.g. ZIP); because the null padding compresses extremely well, the archive itself stays small. 
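<\/p>\n<p>The following Python script is an added example and not code from the original post or from SECUINFRA. It triages such inflated lures without extracting them: it reads only the ZIP central directory to flag members that are very large or compress implausibly well, measures the trailing null padding of a file, and hashes the unpadded content so that re-padding the same lure to a different size does not change the hash. The lure bytes, the 5 MB padding and the thresholds are constructed assumptions, not values taken from the campaign.<\/p>
```python
import hashlib
import io
import zipfile


def build_padded_sample(payload: bytes, pad_to: int) -> bytes:
    # Constructed stand-in for an inflated maldoc: the real content followed by
    # null-byte padding, the pattern seen in the Emotet E4 lures.
    return payload + bytes(pad_to - len(payload))


def build_archive(name: str, data: bytes) -> bytes:
    # Constructed ZIP lure. Runs of null bytes deflate extremely well, so the
    # archive the victim downloads stays small while the member is huge.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def inspect_archive(blob: bytes, max_ratio: float = 50.0,
                    max_size: int = 50 * 1024 * 1024) -> list:
    # Triage from the central directory only: nothing is extracted, so a
    # 500 MB member costs nothing to flag. Both thresholds are assumptions.
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            findings.append({
                'name': info.filename,
                'size': info.file_size,
                'ratio': round(ratio, 1),
                'suspicious': info.file_size > max_size or ratio > max_ratio,
            })
    return findings


def padding_profile(data: bytes) -> dict:
    # Measures the trailing null padding and hashes the unpadded content, a
    # hash that survives re-padding of the same core file to a different size.
    core = data.rstrip(bytes(1))
    pad = len(data) - len(core)
    return {
        'null_fraction': round(pad / len(data), 3) if data else 0.0,
        'padding_bytes': pad,
        'core_sha256': hashlib.sha256(core).hexdigest(),
    }


if __name__ == '__main__':
    lure = build_padded_sample(b'constructed PO.doc content ' * 100, 5 * 1024 * 1024)
    archive = build_archive('PO.doc', lure)
    print(len(archive), inspect_archive(archive, max_size=1024 * 1024))
    print(padding_profile(lure))
```
<p>On a real mail attachment the archive bytes go straight into inspect_archive, while the padding profile is taken from the extracted member inside a sandbox; note that the core hash only ties together copies of the same padded core, it does not defeat the per-sample macro obfuscation described below.<\/p>
<p>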
Once unzipped, the analyzed Emotet samples weigh in at over 500 MB, as can be seen in Figure 1.<\/p>\n<figure id=\"attachment_37726\" aria-describedby=\"caption-attachment-37726\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-37726 size-large\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/emotet-size-1024x391.png\" alt=\"\" width=\"1024\" height=\"391\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-size-1024x391.png 1024w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-size-300x114.png 300w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-size-768x293.png 768w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-size-1536x586.png 1536w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-size-24x9.png 24w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-size-36x14.png 36w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-size-48x18.png 48w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-size.png 1581w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-37726\" class=\"wp-caption-text\">Figure 1: Related Malware samples; left: first stage, right: second stage<\/figcaption><\/figure>\n<p>To better visualize the artificial inflation of the samples, we created a graphical representation of the files in Figure 2, with dark blue showing null bytes (essentially empty space that compresses very well).<\/p>\n<figure id=\"attachment_37728\" aria-describedby=\"caption-attachment-37728\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-37728 size-large\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/emotet-viz-1024x404.png\" alt=\"\" width=\"1024\" height=\"404\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-viz-1024x404.png 1024w, 
https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-viz-300x118.png 300w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-viz-768x303.png 768w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-viz-1536x605.png 1536w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-viz-2048x807.png 2048w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-viz-24x9.png 24w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-viz-36x14.png 36w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-viz-48x19.png 48w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-37728\" class=\"wp-caption-text\">Figure 2: Visualization of the inflated samples<\/figcaption><\/figure>\n<p>The malicious Word documents currently sent via Emotet spam are referred to as the \u201cRed Dawn\u201d template (Figure 3) by the Cryptolaemus Group. The lure claims that the document is encrypted or protected and that the user has to enable the macro code contained in the document in order to view it. 
By clicking the \u201cEnable Content\u201d button in the yellow message bar, the AutoOpen() routine of the macro code is executed, and the next stage of the malware is downloaded and run in the background.<\/p>\n<figure id=\"attachment_37730\" aria-describedby=\"caption-attachment-37730\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-37730 size-large\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/emotet-reddawn-template-1024x432.png\" alt=\"\" width=\"1024\" height=\"432\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-reddawn-template-1024x432.png 1024w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-reddawn-template-300x127.png 300w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-reddawn-template-768x324.png 768w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-reddawn-template-24x10.png 24w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-reddawn-template-36x15.png 36w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-reddawn-template-48x20.png 48w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-reddawn-template.png 1055w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-37730\" class=\"wp-caption-text\">Figure 3: Word Template &#8220;Red Dawn&#8221; used by Emotet<\/figcaption><\/figure>\n<p>To make the document appear more legitimate than it is, it contains a hidden block of text, which can be seen in the hex-editor screenshot in Figure 4. 
The text is a section of \u201cMoby Dick\u201d by Herman Melville, which also inspired the title of our blog post you are reading right now.<\/p>\n<figure id=\"attachment_37732\" aria-describedby=\"caption-attachment-37732\" style=\"width: 492px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-37732 size-full\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/emotet-mobydick.png\" alt=\"\" width=\"492\" height=\"630\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-mobydick.png 492w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-mobydick-234x300.png 234w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-mobydick-19x24.png 19w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-mobydick-28x36.png 28w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-mobydick-37x48.png 37w\" sizes=\"(max-width: 492px) 100vw, 492px\" \/><figcaption id=\"caption-attachment-37732\" class=\"wp-caption-text\">Figure 4: Excerpt from &#8220;Moby Dick&#8221; contained in the Word file<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>The Macro Code used in Emotet Maldocs (Figure 5) is heavily obfuscated and changes from sample to sample, which makes detecting these samples consistently more difficult. 
This technique, commonly known as \u201chashbusting\u201d, gives every delivered sample a unique file hash, so hash-based blocklists and signatures on static strings are of little use; it is only observed in a handful of other sophisticated crimeware strains.<\/p>\n<figure id=\"attachment_37734\" aria-describedby=\"caption-attachment-37734\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-37734 size-large\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/emotet-macros-1024x534.png\" alt=\"\" width=\"1024\" height=\"534\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-macros-1024x534.png 1024w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-macros-300x156.png 300w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-macros-768x400.png 768w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-macros-1536x801.png 1536w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-macros-2048x1068.png 2048w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-macros-24x13.png 24w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-macros-36x19.png 36w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-macros-48x25.png 48w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-37734\" class=\"wp-caption-text\">Figure 5: Macros contained in the Word file, highly obfuscated<\/figcaption><\/figure>\n<p>Figure 6 shows some metadata of the second-stage DLL mentioned above. This payload, too, is heavily obfuscated and consists of multiple modules. 
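<\/p>\n<p>The following Python snippet is an added example, not part of the original analysis: it reads the COFF TimeDateStamp from a PE header (the compile timestamp shown in Figure 6) and compares it with the observation time, so that freshly compiled payloads can be flagged in automated triage. The minimal PE built in the script is constructed for the demonstration, the 48-hour window is an assumption, and since the timestamp is attacker-controlled (it can be zeroed or forged) a hit should only corroborate other signals.<\/p>
```python
import struct
from datetime import datetime, timezone

PE_SIGNATURE_OFFSET = 60   # e_lfanew lives at this offset of the DOS header
COFF_TIMESTAMP_OFFSET = 8  # TimeDateStamp offset relative to the PE signature


def build_fake_pe(timestamp: int, machine: int = 0x8664) -> bytes:
    # Constructed minimal PE for the demonstration: a DOS header whose e_lfanew
    # points at the PE signature, followed by a COFF file header that carries
    # the given TimeDateStamp. It is not a loadable binary.
    e_lfanew = 64
    dos = b'MZ' + bytes(e_lfanew - 2 - 4) + struct.pack('<I', e_lfanew)
    coff = struct.pack('<HHIIIHH', machine, 1, timestamp, 0, 0, 0, 0x2022)
    return dos + b'PE' + bytes(2) + coff


def pe_compile_time(data: bytes):
    # Returns the COFF TimeDateStamp (seconds since the Unix epoch) or None
    # when the data does not carry a PE header.
    if len(data) < PE_SIGNATURE_OFFSET + 4 or data[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', data, PE_SIGNATURE_OFFSET)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        return None
    return struct.unpack_from('<I', data, e_lfanew + COFF_TIMESTAMP_OFFSET)[0]


def freshness(data: bytes, observed_epoch: int, window_hours: int = 48) -> dict:
    # Compares compile time with observation time. The window is an assumption;
    # the field is attacker-controlled, so treat a hit as a corroborating
    # signal rather than as proof of a fresh build.
    compiled = pe_compile_time(data)
    if compiled is None:
        return {'is_pe': False}
    age_hours = (observed_epoch - compiled) / 3600
    return {
        'is_pe': True,
        'compiled_utc': datetime.fromtimestamp(compiled, tz=timezone.utc).isoformat(),
        'age_hours': round(age_hours, 1),
        'fresh': 0 <= age_hours <= window_hours,
        'future': age_hours < 0,
    }


if __name__ == '__main__':
    observed = 1678190400  # 2023-03-07 12:00 UTC, a constructed observation time
    print(freshness(build_fake_pe(observed - 3 * 3600), observed))
```
<p>Applied to the dropped DLL, a compile time only hours before the first sighting is the pattern this campaign shows; a timestamp in the future or at the epoch is itself a tell-tale sign of tampering and is reported separately so the two cases are not mixed up.<\/p>
<p>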
The compile timestamp shows hashbusting at work again: at the time of writing, this payload had been compiled very recently, consistent with the DLL being rebuilt frequently so that every delivered copy carries a new hash.<\/p>\n<figure id=\"attachment_37736\" aria-describedby=\"caption-attachment-37736\" style=\"width: 754px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-37736 size-full\" src=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/emotet-die.png\" alt=\"\" width=\"754\" height=\"404\" srcset=\"https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-die.png 754w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-die-300x161.png 300w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-die-24x13.png 24w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-die-36x19.png 36w, https:\/\/www.secuinfra.com\/wp-content\/uploads\/\/emotet-die-48x26.png 48w\" sizes=\"(max-width: 754px) 100vw, 754px\" \/><figcaption id=\"caption-attachment-37736\" class=\"wp-caption-text\">Figure 6: Information on the second stage DLL<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"Outlook\"><\/span>Outlook<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>It remains to be seen whether Emotet returns to its old strength, but we expect the E5 botnet cluster to join the spam wave as well. Down the road, a swift shift in techniques is highly likely. Given that <a  href=\"https:\/\/www.theverge.com\/2022\/2\/7\/22922032\/microsoft-block-office-vba-macros-default-change\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Microsoft now blocks VBA macros by default<\/a> in Office files downloaded from the internet, the use of other templates, password-protected archives and documents, or even OneNote notebooks would be options. 
That said, let us not give the attackers too many ideas.<\/p>\n<p><strong>In any case, businesses should continue to prioritize close monitoring of e-mail traffic, use state-of-the-art security software such as EDR, and reduce the attack surface by blocking Office macros (for example via the Office Group Policy settings) and the execution of untrusted native executables.<\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Indicators_of_Compromise\"><\/span>Indicators of Compromise<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>SHA-256 hashes of the analyzed samples:<\/p>\n<p>b2bb80310dca2ee1127f4723ca27cf6a59f0243760e139f6f108cdb692b795f7 <strong>PO.doc<\/strong><br \/>\n53477cf7d42a766819d25df062b62aa39d89beba993262b2bd9251d55fdc59dc <strong>PO.zip<\/strong><\/p>\n<p>b3fd2051fc1b96c495d355db0d334436e1c6d4438cd0beab23a5b1cbca869fd2 <strong>PU7syr1XAm.zip<\/strong><br \/>\nefcf59f4423df8fdacbfa8c3d23b6a3e4722bab65c31ea8a7f32daadddfa7adc <strong>VdaN1GI2TTwnq1xfcuZGiVPNHHbdxkEOc.dll<\/strong><\/p>\n<div class=\"fazit\"><\/p>\n<p><strong>Do you need help regarding this threat?<\/strong> We are happy to support you with our managed and co-managed detection and response services! 
<a href=\"https:\/\/www.secuinfra.com\/en\/contact\/\">Contact our experts online<\/a> or via phone: \u00a0+49 30 5557021 11<\/p>\n<p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In this news the SECUINFRA Falcon team informs about the current Epoch4 (E4) Cluster spam campaign and the threat it poses to businesses.<\/p>\n","protected":false},"author":6,"featured_media":37724,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[60],"tags":[],"dpc_coauthors":[],"class_list":["post-37740","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/37740","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=37740"}],"version-history":[{"count":0,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/37740\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/37724"}],"wp:attachment":[{"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=37740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=37740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=37740"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/www.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=37740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true
}]}}