Researching Emotet in Hong Kong

How spam campaigns can threaten regional transport hubs

Emotet is among the most widespread cybercriminal campaigns to date. Originally developed as a banking trojan to steal victims’ banking credentials, it eventually evolved in a vehicle to spread third party malware via large spam campaigns. Emotet developers have been collaborating for months with those of Trickbot and Qakbot to deliver ransomware, which means that an Emotet infection would likely lead to widespread system unavailability.

The most recent wave of Emotet emerged in July, and in September it was reportedly sending large amount of spam emails to Japan and New Zealand, among other target countries.  

DarkLab researchers found evidence that between August and September Emotet also targeted organisations in Hong Kong, a region previously unreported to be affected by this threat.

According to phishing emails uploaded to a popular malware repository, organisations in the retail, transport, and telecommunications sectors were among Emotet’s targets, although more companies are likely to have received their malicious emails.

Among the targets identified, particularly worrying is the presence of Hong Kong’s main airport. The organisation was very likely not compromised, or they would not have uploaded the phishing email to a malware repository, but as Emotet often leads to ransomware, a successful infection would have likely had serious impact on one of the largest airports in Asia Pacific.

Figure 1 – screenshot of Emotet phishing email to a Hong Kong victim

Attack chain analysis

DarkLab analysts observed that the emails were sent by Emotet’s epoch2 botnet, abusing or spoofing previously compromised organisations in other countries. The phishing emails contain MS Word attachments with relatively generic filenames such as invoice.doc and MJ-1759 report.doc. Upon opening the document, the user is enticed to click an enable content button, a standard technique to activate malicious macros.

Figure 2 – screenshot of MJ-1759 report.doc (MD5:e1b8b7b710a639b0697a5f3b5e6a00bb)

The heavily obfuscated malicious macros then load a base64-encoded Powershell script into memory, which is used to download an executable from one of seven hardcoded URLs. The use of multiple dropper sites is to ensure successful malware delivery even if one or more malicious sites are taken down

Figure 3 – decoded and partially deobfuscated powershell script reveals the dropper URLs (highlighted)

This first stage payload, which can have different names in different samples analysed, is by default saved in %TEMP%\APPDATA or USERFOLDER. When the first stage executable is run it gains persistence by copying itself in the system root folder with a different name, and by modifying registries entries to ensure that the process is run every time the endpoint boots up. The new executable in system root is the actual Emotet payload, named kbdrost.exe, and reaches out to a command and control server via a HTTP post request.

Figure 4 – Emotet’s connection to remote C2 IP following successful infection

According to previously observed behaviour, Emotet will eventually drop the Trickbot or Qakbot trojans, which will then deliver the Ryuk or Prolock ransomware respectively.

Emotet’s large spam campaigns and relatively sophisticated delivery mechanisms are likely to continue to pose a threat to companies in Asia Pacific in the foreseeable future. DarkLab’s discovery of Emotet’s targeting of Hong Kong organisations shows how companies in the region should maintain awareness of global threat trends to ensure effective network defences and a proactive approach to cyber security.

Indicators of Compromise

The following IOCs relate to the samples analysed, include the hardcoded C2 IP addresses. However, Emotet’s attack infrastructure changes rapidly. We suggest readers to refer to Cryptolaemus’ daily IOC lists for an updated and comprehensive overview of Emotet’s infrastructure.

FilenameSHA-256 Hash
MJ-1759 report.doc5a378819ab9e17bc93ed9c3d01b31f2b1ff6c39cb3cbaff66933fe096a527450
Executable dropper URLs

C2 IPs

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Leave a Reply