Emo..Qak? Geodo/Emotet Botnet Delivers Qakbot Malware as First-Stage Payload
By Max Gannon, Mollie MacDougall, Darrel Rendell, and Aaron Riley
In the past few days, CofenseTM has detected double trouble from the Geodo/Emotet malware. Not only have we seen Geodo botnets directly delivering non-Geodo malware via phishing campaigns, we’ve also observed Geodo campaigns use more precise targeting.
Geodo botnets are now directly delivering the Qakbot banking trojan through a spam campaign. Moreover, threat actors have used more surgical targeting to take aim at employees of a US state-level government agency.
By adding delivery services to their portfolio, Geodo operators can offer to distribute other payloads. It’s one more sign they’re continuing to invest in this scourge. Cofense IntelligenceTM has reported extensively on Geodo/Emotet, most recently noting how Geodo came roaring back in January after a holiday lull. Learn more about our phishing-specific threat intelligence services.
As of at least January 28th, Geodo botnets have been observed directly delivering non-Geodo malware to victims via phishing and Geodo campaigns have demonstrated increased targeting in phishing campaigns. Cofense Intelligence noticed such behavioral changes taking place within the Geodo botnets, which included the direct delivery of the Qakbot banking trojan via a spam campaign. The campaign ends with replacing the binary’s content with that of calc.exe in an attempt to hide in plain sight. These changes reaffirm the consistent investment in and evolution of Geodo – a scourge that shows no signs of waning.
The structure of the campaign delivering Qakbot followed the typical Geodo lifecycle: a weaponized Office document containing hostile macros delivered via a phishing campaign, except the initial payload—Qakbot— was anything but typical. While this phish directly delivered Qakbot, others have also reportedly identified direct delivery of IcedID. One phishing campaign was in French and included an invoice-theme. Figure 1 shows the email body from that campaign. Notice the attachment is a Microsoft Word document that lacks an extension. Figure 2 displays an attempt to open the document directly in Word.
Figure 1: the email body and the attachment without an extension
Figure 2: the attempt to execute the Office macro from a file without an extension
Provided the environment aligns with the parameters required for further infection and the prompts are accepted to open the document, a small macro will execute and attempt to retrieve a payload from any of 5 hardcoded locations. The macro itself features several de-obfuscation iterations before it executes the final PowerShell payload. Figure 3 shows the final layer of script, which still contains minor obfuscation within its variable names and structure.
Figure 3: the PowerShell script used by the Office macro
This macro bears all the hallmarks of a typical Geodo script, including the list of URLs separated by the ‘@’ symbol. However, this macro presents a subtle new feature: toward the end of the script, there is a size check for the retrieved payload, ensuring it is over 40KB. This check ensures that what gets download is likely to be an executable, and not rogue HTML or other unexpected content. A simple blob of HTML is quite likely to be well under 40KB in size, whereas a well-formed executable, certainly that of Qakbot and Geodo, is going to exceed several KB.
While analyzing this campaign, Cofense Intelligence noticed that the first of the five payload locations delivered Qakbot, while the others all delivered Geodo. The direct Qakbot delivery represents a major departure from typical Geodo behavior, as campaigns disseminated from the Geodo botnet have previously delivered identical binaries—the Geodo malware— from each of the 5 payload locations.
Figure 4: the network GET request for the Qakbot payload
Once the Qakbot payload is downloaded, the name is changed to 914.exe and placed within the C:/Users/Admin/AppData/Local/Temp directory.
Figure 5: the placement of 914.exe within the Temp directory
During this infection cycle, when the payload in %temp% is executed, it performs standard anti-analysis and anti-sandbox checks before attempting to drop a copy of itself into a different location, which varies depending on the permissions of the executed binary. Standard behavior is to simply leave the original binary – almost always named in the same way: <3 numbers>.exe – in %temp%. During this campaign, however, further efforts were made to reduce the detection footprint by hiding in plain sight. The binary was replaced in %temp% with the contents of the legitimate windows Calculator application: calc.exe. Figure 6 shows the script used for this behavior.
Figure 6: overwriting the dropped binary with a copy of calc.exe
The first part of the above command— everything before the first ‘&’ symbol—simply pings the local machine with 6 ICMP packets. This is used somewhat frequently by different malware for time delay or to slightly obfuscate the latter part of the command. The ‘type’ is used to read the content of a file. In this instance, the command reads the content of calc.exe and overwrites the content of the binary dropped in %temp%.
Since the 28th of January, we have observed several failed campaigns and attempts to deliver a new form of template (dubbed The Violet Template by independent Geodo researchers). Figures 7 and 8 detail an example of the buggy campaign; figure 9 shows a typical Violet template. These failed attempts seemingly all occurred within the Epoch 1 Geodo botnet – this is presumed by many researchers to be the development or dogfood botnet, whereas Epoch 2 is their version of production.
Figure 7: a broken macro delivered by the Geodo botnet
Figure 8: a Geodo sample crashes upon execution
Figure 10: an example of a “Violet Template” message
In addition to the technical changes – both functional and broken – Geodo began targeting employees at a US state level government department using internal signatures, targeted addressing, and including previous threads. This represents further improved and targeted templating – an extension and improvement upon of what we reported on in November 2018. Due to the sensitive nature of the targeting, images are excluded here. The phishing emails targeting those employees purported to come from other employees within the department and included threads from previous emails sent amongst employees of that company. These threads were likely scraped from the email accounts of users at that department who had previously been infected with Geodo.
Geodo – both the malignant binary and the botnet – poses an ever-evolving threat whose revenue model appears to be at the heart of its operators’ strategy. By moving away from firsthand theft and into the Delivery-as-a-Service model, Geodo established itself as the primary nexus for malware distribution. Until now, that distribution model required the direct deployment of Geodo to a compromised machine. By updating this model, Geodo operators have widened their portfolio by offering delivery services, not just installation services. Such services do not guarantee infection, as is most often the case with similar infection services. However, this model allows the actors to offer the Geodo botnet’s services to distribute other payloads.
Cofense Intelligence customers can find all relevant IOCs within TID 17502.
To keep up with the latest phishing and malware threats, sign up for free Cofense Threat Alerts.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.