I've posted several diaries about malicious spam (malspam) pushing Emotet malware. In recent years, I've made sure to include information on the follow-up malware, since Emotet is also a distributor for other malware families. Not much has changed since my previous diary about Emotet malspam in November 2018. In the past two or three weeks, I've consistently seen Trickbot as the follow-up malware; however, this past Monday I also saw Qakbot as the follow-up malware. Today's diary examines an Emotet infection from Monday 2019-03-11 that had Qakbot as the follow-up malware.
Shown below is an example of Emotet malspam with a link for the XML document. Clicking on the link downloaded an XML document with a .doc file extension that opens in Microsoft Word by default, if Word is installed on the victim's host.
Downloaded XML doc
The downloaded XML document has macros that, if enabled, will infect a vulnerable Windows host with Emotet.
Infection traffic was typical for what I've seen with Emotet, and the Qakbot traffic was similar to patterns seen the last time I documented an example of Emotet + Qakbot in December 2018.
The infected Windows host had post-infection artifacts similar to the last time I saw Emotet + Qakbot. Both Emotet and Qakbot were kept persistent through the Windows registry. Emotet generally saves follow-up malware under the C:\ProgramData folder, and that was where the Qakbot EXE was originally saved. However, when Qakbot executed, it copied itself to another directory and replaced the original file with a renamed calc.exe.
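The renamed calc.exe left under C:\ProgramData is a useful triage artifact. The following is an added example, not code from this diary: it lists EXE files under a folder whose content matches a reference calc.exe but whose name differs. It assumes the replacement is a byte-for-byte copy of the host's own System32 calc.exe; the function names and default paths are illustrative.

```python
import hashlib
import os
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_renamed_copies(scan_root, reference_exe):
    """Return .exe files under scan_root whose content matches reference_exe
    but whose file name differs (e.g. a calc.exe copy left under ProgramData)."""
    reference_exe = Path(reference_exe)
    ref_size = reference_exe.stat().st_size
    ref_hash = sha256_of(reference_exe)
    hits = []
    for dirpath, _dirs, files in os.walk(scan_root, onerror=lambda e: None):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            if name.lower() == reference_exe.name.lower():
                continue  # only copies stored under a different name
            candidate = Path(dirpath) / name
            try:
                # Cheap size check first; hash only on a size match.
                if candidate.stat().st_size != ref_size:
                    continue
                if sha256_of(candidate) == ref_hash:
                    hits.append(candidate)
            except OSError:
                continue  # locked or unreadable file: skip, keep scanning
    return sorted(hits)

if __name__ == "__main__":
    # Assumed default paths on a live Windows host; adjust for a mounted image.
    sysroot = os.environ.get("SystemRoot", r"C:\Windows")
    program_data = os.environ.get("ProgramData", r"C:\ProgramData")
    ref = Path(sysroot) / "System32" / "calc.exe"
    if ref.is_file():
        for hit in find_renamed_copies(program_data, ref):
            print(f"renamed calc.exe copy: {hit}")
    else:
        print(f"reference not found: {ref}")
```

A hit marks where a follow-up EXE was originally dropped; the relocated malware copy and its registry persistence entry still have to be found separately.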
The following is data from malware I retrieved from my infected Windows host:
On Monday 2019-03-11, I also saw Emotet + Trickbot on another lab host within an hour after I infected my first lab host with Emotet + Qakbot. Pcap and malware from these two infections can be found here.
Mar 13th 2019