Wednesday, 18 May 2022

Emotet Leveraging Excel 4.0 Macros and Unconventional IP Addressing


In a list of things that should be killed with fire, Excel 4.0 Macros are high up. However, the fact that spamming “services” like Emotet are still using Excel 4.0 Macros tells me that some are not getting the hint. According to recent research from TrendMicro, Emotet is using some very unconventional methods of obfuscating its C2 server IP addresses. The attack pattern is the same: an email with a poisoned Excel spreadsheet. This spreadsheet contains an HTA with the command script, you know the drill.

The difference here is that Emotet is now hiding the IP addresses in Hexadecimal and Octal formats to avoid pattern detection systems. Most operating systems will happily convert these back to dotted decimal format for easy connection.

Going into a little more detail than above, Emotet leverages the older Excel 4.0 Macro system because it is easier to set up and has fewer controls in place to prevent abuse. By utilizing this together with the Auto_Open function, they get the macro to execute as soon as the document is opened by the target. Now, in most cases Excel will alert the user that the spreadsheet was created in an older version of Excel and ask the target to enable macros to view the content.

Once the user does this it enables the 4.0 Macro functions, and the embedded code can execute. The command string and the URL that is part of the command are obfuscated via carets (i.e., h^tt^p^:/^/^^.html). Emotet has always called on the built-in HTA (HTML Application) function to execute the second part of its attack. This part of the attack, which is downloaded from the server identified in the 4.0 Macro, contains the payload and payload execution script (usually Trickbot or Cobalt Strike). The TrendMicro team also observed a similar obfuscation technique using Octal format instead of hexadecimal.

This evolution has also come with what appears to be a new selectivity in targets. The possibility that the attackers are identifying where they need to use this level of obfuscation and/or gathering intel on their intended targets is a bit new for this campaign, but not for attacks in general.

Security teams that rely on pattern detection will need to alter their response to these new changes. They can expand their patterns to look for non-standard commands or the use of hexadecimal and octal IP formats. These should then be treated as suspicious and potentially linked to attacker activity. It is also highly advised to completely disable Excel 4.0 Macros in your environment.
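As an added illustration (not from the article or TrendMicro's research), the following Python normalizes the inet_aton-style IP literals described above (hex, octal, and single-integer forms) back to dotted decimal the same way the operating system's resolver does, then flags every URL host in a constructed proxy log that is a valid IPv4 literal not written in plain dotted decimal. The function names and the sample log lines are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample proxy log: three obfuscated spellings of one address plus one plain one.
SAMPLE_LOG = """\
proxy: GET http://0xC0A80101/index.html
proxy: GET http://0300.0250.01.01/x.hta
proxy: GET http://3232235777/a.php
proxy: GET http://192.168.1.1/normal.html
"""

def _component(tok: str) -> Optional[int]:
    """Parse one dotted component like inet_aton: 0x.. is hex, a leading 0 is octal, else decimal."""
    try:
        if tok[:2].lower() == "0x":
            return int(tok[2:], 16) if len(tok) > 2 else None
        if len(tok) > 1 and tok[0] == "0":
            return int(tok, 8)
        return int(tok, 10)
    except ValueError:
        return None

def normalize_ipv4(literal: str) -> Optional[str]:
    """Canonical dotted-decimal for an inet_aton-style literal (1 to 4 components), else None."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [_component(p) for p in parts]
    if any(v is None for v in vals):
        return None
    lead, last = vals[:-1], vals[-1]
    # The final component fills all remaining bytes, so "0xC0A80101" alone is one 32-bit value.
    if any(v > 255 for v in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    n = (n << (8 * (4 - len(lead)))) | last
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def scan_log(text: str) -> List[Tuple[str, str]]:
    """(raw host, canonical IP) for each URL host that is a valid IPv4 literal not in plain dotted decimal."""
    hits = []
    for m in re.finditer(r"https?://([0-9A-Za-z.]+)", text):
        canon = normalize_ipv4(m.group(1))
        if canon is not None and canon != m.group(1):
            hits.append((m.group(1), canon))
    return hits
```

Feeding the normalized address into your existing indicator matching lets the usual dotted-decimal blocklists keep working against the hex and octal spellings.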
