Hello, welcome to the March 1st, 2019 edition of the Sandinut Storm Center's Stormcast. My name is Johannes Ulrich,

and today I'm recording from Augusta, Georgia. If you have written about the Emotet malware multiple times

in the past, in particular, of course, Brad has written about quite a number of variants.

If you don't remember it, while Emmethead is typically arriving as an attachment claiming to be an

invoice. This invoice then usually triggers a number of word macros that are used to download

additional code. Security researcher Max Kirsten wrote an interesting blog post about the latest version of

this malware.

And what's different about the blog post is that he doesn't just analyze the Emotet sample

itself that he found, but he was also able to get access to the web server that's actually delivering

the malware and to the PHP code used to accomplish this.

The PHP code actually turned out to be quite involved, and like the malware itself,

the PHP code goes through quite a few steps and obfuscation in order to make it

more difficult to identify this PHP code. Probably the authors that are deploying this

PHP code, typically on compromised websites, are somewhat afraid that anti-malware on the web server

may actually identify this code.

So, for example, the code itself is obfuscated and encoded, then written to a file on the file

system on the web server, not necessarily in the document route, and then read back and the Eval command in PHP is used to actually execute that code.

Also, a rather large list of regular expressions is being used to identify the operating system of the victim based on the user agent and then a specific response is

crafted based on whatever operating system was identified. The only thing that's really not clear

from the blog post is how that particular code ended up on this web server, but of course,

that could be any number of particular web application

vulnerabilities and users of Kaspersky aniris are having issues for about a month now if they're

...