Emotet trojan evolves to evade detection using malicious macros through XML files

• Two different types of malicious document formats are used to deliver malware.
• Once the trojan arrives on the infected host, it connects to a list of URLs that are hosted on the attackers’ C2 servers.

A new variant of Emotet trojan has been observed to be active since mid-January. It obfuscates the initial infection VBA macro code to avoid detection by anti-virus software.

Propagation method

The Menlo Security research team observed that the new variant is delivered into two different ways: First, via a URL that is hosted on attacker-controlled infrastructure and second, as an email attachment.

Additionally, two different types of malicious document formats are used to deliver malware.

Explaining on the first type, researchers said, “The first type, and the more prominent one, was an XML file that contains the standard XML header, plus the Microsoft Word Document XML format tags. This is followed by Base64 encoded data, which contains the compressed and obfuscated VBA macro code. The file itself was named with a .doc extension.”

The second type of malicious document consists of regular Microsoft Word documents that have malicious macros embedded in them.

Once the trojan arrives on the infected host, it connects to a list of URLs that are hosted on the attackers’ C2 servers to perform its final attack process.

Threat actor behind this malware

The MealyBug threat actor group is behind this new detection evasion capability added to the Emotet trojan. The trojan is known to be very active, showing up in new campaigns almost every month, from October. In November, the bad actors moved its Command & Control infrastructure to the US.

In January 2019, the trojan made a comeback in the form of an updated variant capable of checking if the victim’s IP address is either blacklisted or on spams list maintained by Spamhaus, SpamCop, or SORBS.