{"id":5847,"date":"2021-01-12T09:50:15","date_gmt":"2021-01-12T17:50:15","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5847"},"modified":"2024-04-26T13:20:59","modified_gmt":"2024-04-26T20:20:59","slug":"valyria-trojan-drops-emotet","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/valyria-trojan-drops-emotet\/","title":{"rendered":"Valyria Trojan Drops Emotet"},"content":{"rendered":"

Author: Jeremy Ware<\/strong>
\nTLP: WHITE<\/strong>
\n <\/p>\n

Overview<\/h3>\n

During the week of 4 January, we observed a malspam campaign distributing the Valyria trojan. The emails in this campaign contain malicious Microsoft Office Word documents (DOCs) that display an error message when opened and execute a PowerShell script via Windows Management Instrumentation (WMI).<\/p>\n

Customer Impact<\/h3>\n

Threat actor(s) have distributed Valyria via weaponized email attachments, social media, fake Windows updates, third-party programs and pirated content from torrent sites.1<\/sup><\/p>\n

In this campaign, Valyria uses malicious DOC files to distribute additional malware payloads. In other recent campaigns the malware has distributed Emotet,2<\/sup> although it has also been reported to deliver Agent Tesla, Lokibot, and Kriptik, among others.3<\/sup><\/p>\n

Campaign Analysis<\/h3>\n

The campaign we observed used a number of seemingly unrelated subject lines and sender data. These subject lines include R:, Re: Francisco Sanchez, Hola, SALES ORDER CONFIRMATION,<\/em> etc. The sender information also varied; with displayed emails such as Comercial@binarysoul[.]net, jgarratt@spectrumfloor[.]com, info@studiogabaldo[.]it, <\/em><Empty>, etc<\/em>. However, the emails in the campaign all carried an attachment with a single filename of KISL06788466.doc<\/em>, and the body of the message was always empty.<\/p>\n

Attack Chain<\/h3>\n

When the user opens the attached document, they will see the error message: Word experienced an error while trying to open the file. While this displays an executable (cmd.exe) runs to execute a PowerShell script via WMI and creates a file at C:\\Users\\admin\\AppData\\Local\\Temp\\<\/em>.<\/p>\n

The script then executes the Valyria payload (rundll32.exe<\/em>) and makes an AutoRun change to the registry, reaches out to the command and control (C&C) server and downloads an additional malware payload, which was Emotet in this campaign. <\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

The Valyria trojan is spread via spam email and abuses Microsoft Word Docs to execute PowerShell scripts via WMI. Infoblox recommends the following actions to reduce the risk of infection:<\/p>\n