Recently (On March 18 2023 at 23:44), a new malspam campaign has been observed in the wild ( HERE ), which caused a significant amount of concern. This campaign is designed to distribute malicious emails, which contain a harmful payload that can infect a user’s system, steal sensitive information, or launch other types of attacks.
As a professional, I have been closely monitoring this campaign and analyzing the malware samples associated with it. In this blog post, I will provide a quick analysis of the new malspam sample that I recently observed on the public version of Yomi ( HERE ), a well-known sandbox used by many security professionals.
By examining the behavior of this sample, I hope to shed light on the techniques used by the attackers and provide insights that can help security teams detect and mitigate this threat. So, without further ado, let’s dive into the analysis.
Quick Analysis
The delivered Javascript file is a clear “mess”. The actor used a code obfuscation technique inserting many unused source code functions to make loosing analysis time. Code obfuscation is a common technique used by malware authors to make their code difficult to understand and analyze. This technique involves modifying the structure and syntax of the code to make it look different from the original code and harder to read. The goal of code obfuscation is to confuse and deceive malware analysts, making it more difficult for them to reverse engineer the code and understand its functionality. Some common techniques used in code obfuscation include variable renaming, function renaming, and code splitting, which all serve to make the code harder to understand and trace. As a result, code obfuscation has become an essential tool for attackers seeking to evade detection and continue to spread their malware undetected.
| Hash: | f25f69c71066b18364cd405ae80048a8b615c4b0f2cc4cb51b916ef08ba246db |
| File Type: | Javascript file |
| Threat: | Dropper (Emotet) |
The following image shows the used technique. Random variable names, encoded strings, void functions, unused recursive code and big amount of coded was implemented to make cyber analysis harder and harder. By scrolling down functions and looking for for variables names it was clear that many piece of codes would end-up in infinitive and unused loops or in self recursive not used code.
Looking in depth it was nice to spot the following super long strings located in positions: 1019 and 1023. They looked like to be encoded and used among many functions. They definitely are an interesting initial point of analysis, to me.
If you copy-and-past the source code on your “inspection tab” console (for example in your Chrome browser) and you add a ‘console.log()’ on top of the called functions, you would be able to inspect how the software interacts with such a functions. Interacting with the browser console your would get the following and beautified code. As you might appreciate it is still a little bit obfuscated. Random variables and encoded strings have been widely used at this stage. We need to prepare one more decoding step.
You may decode the previous stage in many different ways. Nowadays many tools help you in deobfuscating javascript code but I personal find most of the beauty of this job in performing deobfuscation by hands. Deobfuscation by hands forces you to read a very “complex-to-read-code” and to find out the right spot for breakpoints. Moreover it trains you to find the right variables to be tracked and to focus on “return statements” instead of micro-fuinctionalities. Of course it would be slower but still more accurate. Deobfuscation by hands usually is not the right path to follow if you are working on a vast amount of Malware. I am doing this way, since here, in my blog, everything is passion driven and aims to simply be notes to myself. Once you have run your decoding function, you will see a nice list of dropping url as follows!
Now it’s time for a simple curl or wget (your choice) to dowload the content from one of the previously dropping systems. The following table sums up what I meant. The dropped payloads is a windows portable executable dynamic function .DLL.
| Hash: | 3e50dbd417d9aa062dd14899b795a6dfe73fc9507318d15cb7db2d875e7b3b26 |
| Type: | Windows PE (DLL) |
| Threat: | Emotet |
They payload has been recognized from 29 Malware Engines on 64 AV on virus total. It looks to be Emotet.
Conclusion
An interesting new Javascript downloader bringing to the victims Emotet threat. Emotet is a type of malware that first emerged in 2014 as a banking Trojan but has since evolved into a multifunctional botnet used for various cybercrime activities. It is primarily used to steal sensitive information such as login credentials, financial data, and personal information from infected machines. Emotet is known for its sophisticated distribution methods, social engineering tactics, and ability to evade detection.
Over the years, Emotet has been linked to several high-profile cyberattacks, including the attack on the City of Allentown in Pennsylvania in 2018, the attack on the Department of Justice in Canada in 2020, and the attack on the Chilean interbank network Redbanc in 2019. Emotet has been attributed to a Russian cybercriminal group known as TA542, also known as Mummy Spider, which is believed to operate out of Russia or Eastern Europe.
Emotet is typically distributed through spam emails containing malicious attachments or links to infected websites. Once installed on a machine, it can spread throughout a network and download additional malware. In addition to stealing sensitive information, Emotet can also be used to launch other types of cyberattacks such as ransomware and credential stuffing attacks.
