March 10, 2023 HAWKEYE

The Emotet Botnet Epoch4: A Highly Sophisticated and Dangerous Malware Campaign

Emotet is one of the most sophisticated and dangerous malware families currently in existence. It is a modular banking Trojan that can steal sensitive information and infect other machines on a network.

Background

Emotet has been active since 2014 and has evolved significantly over time. In this blog, we will discuss the latest version of Emotet, known as Epoch4, which has been responsible for several high-profile attacks in recent months.

Emotet Epoch4 Campaign

The Emotet Epoch4 campaign starts with a phishing email whose subject line refers to fake invoices or finances. The email carries a .zip or .doc attachment that looks like a legitimate document. When the victim opens the attachment, they are prompted to enable content to view the document. If content is enabled, a malicious macro in the document runs when the victim closes it. The macro uses rundll32/regsvr32 to load a malicious DLL file from a non-standard directory.

The DLL file creates a suspicious file using regsvr32 and adds malicious entries under the Registry Run key to maintain persistence. The malware uses system network discovery to spread to other machines on the network, which makes it extremely difficult to contain. Once installed, the malware contacts the Command and Control (C2) server to download additional payloads and receive commands.

The Emotet Epoch4 campaign is particularly dangerous because of the advanced techniques it uses to evade detection. The malware uses an AutoOpen VBA macro in the malicious document (MalDoc) to execute code, which makes the malicious code hard for antivirus software to detect. The DLL files are loaded with rundll32/regsvr32 from non-standard directories, which makes them hard to detect and block. Additionally, the malware encrypts its C2 communications, making it difficult for security researchers to monitor its activity.

The Emotet Epoch4 campaign has been responsible for several high-profile attacks in recent months. In February 2021, the campaign targeted the European Union’s diplomatic communication network, resulting in a significant data breach. The campaign has also targeted several government agencies, financial institutions, and healthcare organizations.

Indicators of Compromise (IOC)

Below are the IOC details that our research team found during its analysis of a recent Emotet Epoch4 phishing campaign:

.zip (the name and hash of the zip file appear to change with each email)

  • Rechnungs-Details.zip
  • bdyNOvA2SxCsH0GwY.zip
  • comments 832.zip
  • p3EYV8Vp6F6PlpSqFJJybA.zip
  • UUHQJkWQxbu.zip
  • 0e88o8QRKnRzLlOlle.zip

.dll (the name and hash of the DLL file appear to change with each email)

  • DdVVhFMLWLV2SBtp2r0.dll
  • jvCKZsDZKG4sYvClk.dll
  • sL3dLa5pFl5O.dll
  • xwkE3aXsZPVB.dll
  • yQ8scBrDeQRFHMML6u6pGL5JViR0bMYIlj2.dll

.doc (the name and hash of the doc file appear to change with each email)

  • PO 2023-03-08_0827, United States.doc
  • Rechnungs-Details.doc

Executes:

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Rechnungs-Details.doc" /o ""
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\200907.tmp"
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IlcUPATwCvCfouM\oxwMME.dll"

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 2023-03-08_0827, United States.doc" /o ""
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\133800.tmp"
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KLxFDtChb\BfsctIeSkpSo.dll"
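As an added defender-side example (not code from the HAWKEYE post), the following Python checker flags process-creation events that match the regsvr32 chain shown above: regsvr32 spawned by an Office application, a non-DLL file in the user's Temp folder, and a DLL loaded from a random subdirectory of System32. The event records, their field names and the benign entries are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (parent image -> child command line),
# shaped after the execution chain in this post; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\200907.tmp"'},
    {"parent": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IlcUPATwCvCfouM\oxwMME.dll"'},
    {"parent": r"C:\Windows\explorer.exe",  # benign: vendor DLL registered from Program Files
     "cmdline": r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"parent": r"C:\Windows\explorer.exe",  # benign: unrelated process
     "cmdline": r'C:\Windows\System32\notepad.exe notes.txt'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# regsvr32.exe, optional switches such as /s, then the (optionally quoted) target path
TARGET_RE = re.compile(r'regsvr32\.exe"?\s+(?:/\S+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)

def regsvr32_target(cmdline):
    """Return the file regsvr32 was asked to load, or None if this is not a regsvr32 command."""
    m = TARGET_RE.search(cmdline)
    return m.group(1) if m else None

def classify(event):
    """Return the reasons an event matches the Emotet regsvr32 pattern (empty list = no finding)."""
    target = regsvr32_target(event["cmdline"])
    if target is None:
        return []
    reasons = []
    parent_name = PureWindowsPath(event["parent"]).name.lower()
    path = PureWindowsPath(target)
    parts = [p.lower() for p in path.parts]
    if parent_name in OFFICE_APPS:
        reasons.append("regsvr32 spawned by an Office application")
    if path.suffix.lower() != ".dll":
        reasons.append("non-DLL file registered: " + (path.suffix or "(no extension)"))
    if "temp" in parts or "appdata" in parts:
        reasons.append("target located in user Temp/AppData")
    # C:\Windows\system32\<random>\<random>.dll is exactly five path components
    if len(parts) == 5 and parts[1:3] == ["windows", "system32"]:
        reasons.append("DLL loaded from a subdirectory of System32")
    return reasons

def scan(events):
    """Return (command line, reasons) for every event that produced at least one finding."""
    findings = []
    for event in events:
        reasons = classify(event)
        if reasons:
            findings.append((event["cmdline"], reasons))
    return findings
```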

GET requests for downloading the zip file that contains the DLL:


POST request:

  • https://91.121.146.47[:]8080/scei/sbddxb/ctxnepxndvythplu/
  • https://91.121.146.47[:]8080/tfxow/bjikgzwmgvc/adggdeml/tlvpmakorpplayf/

C2


Conclusion

The Emotet Epoch4 campaign is one of the most sophisticated and dangerous malware campaigns currently in existence. It uses advanced techniques to evade detection and can cause significant damage to organizations that are targeted. It is essential for organizations to be vigilant and implement robust security measures to protect against this threat. This includes implementing security best practices, such as regularly updating software and educating employees on how to recognize and avoid phishing attacks.
