
Monday, June 25, 2018

Emotet Spam Push IceID Banking Trojan - Part 1 [Spam & Network Traffic]

It is not new that Emotet pushes the IceID banking trojan, but the way each component of the infection chain keeps evolving to bypass AV detection and persist on the infected machine is really interesting. malware-traffic-analysis is a very good site for learning about, and keeping up with, the most prevalent malware in the wild.

Mal-Spam E-Mail:

The security industry uses every resource it has (cloud, signatures, use cases, firewalls, machine learning, etc.) to block the malicious attachments in each of the attacker's spam campaigns. In this campaign, besides the well-known malicious-attachment vector, the attacker also used a URL link that pushes the user to click and download a malicious Office file containing macro code. I think this approach bypassed some detection rules because no file attachment is involved: a URL classifier built on machine learning is much harder to implement than a classifier that distinguishes malicious file attachments.


fig.1- spam e-mail

Since the spam e-mail message is quite luring, users may click the link, and the infection starts.

Network Traffic:

When the user clicks the link, it automatically downloads the malicious document, then Emotet, and then the IceID banking trojan. Using the PCAP from the malware-traffic-analysis website I tried to analyze what happened (one of my ways to learn new stuff :) ).

Right at the start of the PCAP we can see how the infected host connects to the malicious URL:
  • First the IP address of the malicious URL's host is resolved with a DNS query.
  • Then the TCP handshake (SYN, SYN/ACK, ACK) is done with the resolved IP address.
  • Then the first HTTP request (http.request.method == "GET") downloads the malicious macro document.
fig. 2 - Network Traffic in downloading Macro malware


The screenshot below shows the final packet of the macro file download. We can read some useful information from that packet:
  • it took 65 frames to finish the download (this may vary with the network hardware you use)
  • the server type: Apache/2.4.33 (cPanel) OpenSSL/1.0.2o mod_bwlimited/1.4 Phusion_Passenger/5.1.12
  • the filename of the downloaded file: "BVS-INV-9563373426884.doc"
  • the file size: 110080 bytes
  • the time consumed to finish the download; in this case it was 1.609704000 sec.
fig. 3 - some info regarding the download packet

Then, using a display filter, we can see that there are 3 HTTP "GET" requests in the said network traffic: the first is the download of the macro document, the next is the download of Emotet, and the last is whoami.php (possibly for gathering information about the infected machine).

fig. 4 - the GET download traffic


fig. 5 - the malicious word document

fig. 6 - emotet malware

Using the Statistics menu > Resolved Addresses we can see the resolved IP address of the malicious URL's host.


fig. 7 - resolved IP addresses
Based on the Resolved Addresses, there were network connections to percalabia.com, so I tried filtering the pcap with "ip.addr == 5.187.0.158" and found out that it was encrypted HTTP ("HTTPS") traffic. We can also notice another domain name, "urnachay.com", that DNS also resolved to 5.187.0.158. Based on Malware Traffic, this IP address was the IceID banking trojan download.



fig. 8 - the dns query for the said 2 ICEID malware domain
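As an added example (not code from the post or from malware-traffic-analysis), the PCAP triage steps walked through above, run against a constructed set of Wireshark-style frame summaries: rebuilding the Resolved Addresses table, flagging two domains that share one IP, listing the HTTP GETs, and measuring a download's frame count and duration. The 192.0.2.x / 198.51.100.7 addresses and "doc-host.example" are placeholders; the IP, the two domains and the .doc filename are the values quoted in the post.

```python
import re
from collections import defaultdict

# Constructed frame summaries: (frame_no, time_s, src, dst, info).
# 192.0.2.x / 198.51.100.7 (RFC 5737) and doc-host.example are placeholders; 5.187.0.158,
# percalabia.com, urnachay.com and the .doc name come from the post. Timings are made up.
FRAMES = [
    (1, 0.000000, "192.0.2.10", "192.0.2.1", "DNS query A doc-host.example"),
    (2, 0.011000, "192.0.2.1", "192.0.2.10", "DNS response A doc-host.example 198.51.100.7"),
    (3, 0.015000, "192.0.2.10", "198.51.100.7", "TCP SYN"),
    (4, 0.055000, "198.51.100.7", "192.0.2.10", "TCP SYN/ACK"),
    (5, 0.056000, "192.0.2.10", "198.51.100.7", "TCP ACK"),
    (6, 0.057000, "192.0.2.10", "198.51.100.7", "HTTP GET /BVS-INV-9563373426884.doc"),
    (7, 0.410000, "198.51.100.7", "192.0.2.10", "HTTP 200 OK"),
    (8, 1.666704, "198.51.100.7", "192.0.2.10", "HTTP continuation (last segment)"),
    (9, 1.712000, "192.0.2.1", "192.0.2.10", "DNS response A percalabia.com 5.187.0.158"),
    (10, 1.731000, "192.0.2.1", "192.0.2.10", "DNS response A urnachay.com 5.187.0.158"),
    (11, 1.740000, "192.0.2.10", "5.187.0.158", "TLS Client Hello"),
]

DNS_ANSWER = re.compile(r"DNS response A (\S+) (\S+)")
HTTP_GET = re.compile(r"HTTP GET (\S+)")


def resolved_addresses(frames):
    """Rebuild the Statistics > Resolved Addresses view: ip -> sorted list of names."""
    names = defaultdict(set)
    for _, _, _, _, info in frames:
        m = DNS_ANSWER.match(info)
        if m:
            names[m.group(2)].add(m.group(1))
    return {ip: sorted(n) for ip, n in names.items()}


def shared_ips(frames):
    """IPs that more than one queried domain resolves to (the percalabia/urnachay case)."""
    return {ip: n for ip, n in resolved_addresses(frames).items() if len(n) > 1}


def http_gets(frames):
    """Same idea as the display filter http.request.method == "GET": (frame, server, uri)."""
    return [(no, dst, m.group(1)) for no, _, _, dst, info in frames
            if (m := HTTP_GET.match(info))]


def download_span(frames, get_frame_no):
    """(frames, seconds) from the GET to the last frame the server sent back."""
    start = next(f for f in frames if f[0] == get_frame_no)
    last = [f for f in frames if f[0] > get_frame_no and f[2] == start[3]][-1]
    return last[0] - start[0], round(last[1] - start[1], 6)
```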
Conclusion:
Now that we have some background on how the infection happened on the infected machine, let's go check the macro document as well as the PowerShell that downloads the Emotet malware.

The macro and PowerShell analysis part is below:
