Fidelis Cybersecurity
Research Report

November 2021 Threat Intelligence Summary

Emotet Returns

Cybercriminal actors affiliated with Emotet are rebuilding their botnet through Trickbot. Emotet has an established history of delivering Trickbot, thus this reciprocal relationship is not at all surprising. Emotet resurgence will likely contribute to an increased level of ransomware activity coinciding with the US holiday season. We are tracking the newest Emotet command and control servers as they come online.

  • In January 2021, Operation Ladybird (a multi-national law enforcement effort coordinated through Europol) dealt a significant disruption to the Emotet malware botnet.
  • Law enforcement agents took control of the botnet, arrested two key affiliate operators, and removed global infections using the bots own uninstall features.

Emotet remains a pernicious threat – namely because of the cooperative relationships involved with malware distribution networks and the socio-political dynamics allowing the group a relatively protected position.

Evil Corp Living-off-the-Land

Cybercriminal threat actors affiliated with Evil Corp, the notorious OFAC-sanctioned cybercriminal group – leverage living-off-the-land binaries (LOLBins), which support their intrusion efforts while evading detection. LOLBins are digitally signed applications. They are inherently trusted by the operating system and most third-party security auditing tools, which makes them particularly dangerous.

  • In the instance observed, Evil Corp affiliated cybercriminal actors were likely attempting to deliver and execute a backdoor payload by compiling it dynamically with exe.
  • Applications such as exe are inherently designed for power-user flexibility. Their use would expectedly be uncommon when contrasted against role-based access controls for users whose role and function would not necessitate the use of these tools. Detection of such use could indicate an ongoing attack.

Dridex Abuses Trusted Domains

This particular malware is historically associated with the operations of Evil Corp. Cybercriminal actors likely affiliated with Dridex abuse the inherent trust relationship of popular third-party hosting services to stage their malicious payloads for delivery. This is not a new technique. Though simple, it remains quite effective because of how such services are often allowed in most environments.

  • In the specific instances observed, Dridex affiliated cybercriminal actors staged payloads on individual private folder paths hosted through cdn[.]discordapp[.]com and api[.]onedrive[.]com.
  • Threat actors are almost certainly taking advantage of the fact that domains for Discord and Microsoft are expectedly allowed in many networks.
  • Payloads delivered in these campaigns were DLL executables with randomized filenames. Human users engaging with these services would rarely use this type of filename, which provides a reliable criteria for identification of the threat and the need for an appropriate mitigation.

Evasion Using Obscure MSOffice Document File Formats

In November 2021 we observed multiple threat actors leveraging obscure MSOffice file formats (e.g., .ppam, .xlsb) to conceal malicious macro code that ultimately delivers a binary payload. These techniques are not necessarily new, but they remain quite effective because they abuse legitimate file formats. The malicious content therein can be readily updated and obfuscated.

XLSB

  • Cybercriminal actors likely affiliated with Dridex and Quakbot are leveraging Excel spreadsheets (.xlsb) containing malicious VBA (Visual Basic for Applications) macro code.
  • The technique is easily adopted and is not exclusive to just these groups.
  • XLSB is likely chosen to evade static detection and popular forensic tools such as OLEDump
  • The threat actors embed the malicious macros in hidden sheets. These sheets get stored in a binary format (BIFF12), making the macro difficult to parse and analyze.

PPAM

  • Static analysis of the malicious macro involving PowerPoint (.ppam) revealed follow-on payload staging that referenced an HTML page hosted on a compromised personal blog site (e.g., Blogspot).
  • Dynamic analysis of the malicious macro revealed that it launched exe to execute embedded JavaScript from a remote resource – a technique identified as HTML smuggling.
  • HTML smuggling is also a technique notably attributed to Russian state-sponsored actor NOBELIUM (a.k.a., Dark Halo), implicated in the SolarWinds breach earlier this year.

The binary payload observed in our specific instance was an open-source modular remote access tool (RAT), identified as 3losh Rat