FortiGuard Labs Threat Research


EMANSREPO STEALER: MULTI-VECTOR ATTACK CHAINS

By Pei Han Liao | September 03, 2024

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High


In August 2024, FortiGuard Labs observed a Python infostealer we call Emansrepo
that is distributed via emails carrying fake purchase orders and invoices.
Emansrepo compresses data from the victim's browsers and files in specific paths
into a zip file and sends it to the attacker's email. According to our research,
this campaign has been ongoing since November 2023.

The attacker sent a phishing mail containing an HTML file that redirected the
victim to the download link for Emansrepo. This variant is packaged with
PyInstaller so it can run on a computer without Python installed.


Figure 1: Attack flow in November 2023




Figure 2: The download link for Emansrepo is embedded in RTGS Invoices.html.

Over time, the attack flow has become increasingly complex. Below are the attack
flows we found in July and August 2024:


Figure 3: Attack flow in July and August 2024

Various stages are being added to the attack flow before downloading Emansrepo,
and multiple mailboxes are used to receive different kinds of stolen data. This
article will provide a detailed analysis of each attack chain and its behavior.
We will then provide a quick summary of the next campaign.


ATTACK FLOW

 * Chain 1


Figure 4: The phishing mail in chain 1 contains a fake download page

The attachment is a dropper that mimics a download page. It creates a link
element that points to the data of Purchase-Order.7z and uses the click() method
to “download” Purchase-Order.7z. Six seconds later, it redirects to a completely
unrelated website.
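The chain-1 attachment combines three behaviours that a mail gateway or sandbox can look for: inline archive data behind a link, a scripted click() on that link, and a delayed redirect. The following heuristic scorer is an added example (not code from the report or from Fortinet); the sample HTML bodies, indicator regexes and weights are constructed for illustration.

```python
import re

# Constructed stand-in for the chain-1 attachment described above (not the real
# file): an anchor to inline archive data, a scripted click, a delayed redirect.
SAMPLE_DROPPER = """<html><body><h3>Your download will begin shortly...</h3>
<a id="dl" href="data:application/x-7z-compressed;base64,QUJD" download="Purchase-Order.7z"></a>
<script>
document.getElementById('dl').click();
setTimeout(function(){ window.location.href = 'https://example.invalid/'; }, 6000);
</script></body></html>"""

# Constructed benign page: an ordinary download link and no scripting.
SAMPLE_BENIGN = """<html><body><a href="/files/report.pdf">Download report</a></body></html>"""

# (name, regex, weight); weights are an assumption chosen so that data-smuggling
# plus a scripted click is enough to cross the threshold on its own.
INDICATORS = [
    ("inline_archive_data",
     re.compile(r"href\s*=\s*[\"']data:[^\"']*(zip|7z|rar|octet-stream|base64)", re.I), 3),
    ("blob_object_url",
     re.compile(r"URL\.createObjectURL\s*\(|new\s+Blob\s*\(", re.I), 3),
    ("archive_download_attr",
     re.compile(r"download\s*=\s*[\"'][^\"']*\.(7z|zip|rar|iso|img)[\"']", re.I), 2),
    ("scripted_click",
     re.compile(r"\.click\s*\(\s*\)", re.I), 2),
    ("delayed_redirect",
     re.compile(r"setTimeout\s*\(.*?location", re.I | re.S), 1),
]

SUSPICIOUS_THRESHOLD = 5  # assumption: tune against your own attachment corpus


def score_html_attachment(html: str) -> dict:
    """Return the matched indicator names, a weighted score and a verdict for one HTML body."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


if __name__ == "__main__":
    for label, body in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, score_html_attachment(body))
```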


Figure 5: Source code of the attachment

Purchase-Order.exe, the file embedded in Purchase-Order.7z, is an
AutoIt-compiled executable. It doesn't include any embedded files; the AutoIt
script alone determines its behavior. The script has many unused functions,
which frustrates analysis. The only meaningful code downloads preoffice.zip to
the Temp folder and unzips it into %TEMP%\PythonTemp. The zip archive contains
the necessary Python modules and tester.py, the malicious script for
information stealing.


Figure 6: The AutoIt script downloads the Python infostealer
 * Chain 2


Figure 7: The phishing mail in chain 2

The innermost file in P.O.7z is an HTA file. Its source file is a JavaScript
file that shows a hidden window named PowerShell Script Runner and downloads the
PowerShell script, script.ps1, with VBScript for the next stage.


Figure 8: The decryption algorithm of the JavaScript file and the result

The behavior of script.ps1 is similar to the AutoIt script in chain 1. It
downloads preoffice.zip to the Temp folder and unzips it to %TEMP%\PythonTemp,
but it executes Emansrepo using run.bat.


Figure 9: script.ps1 executes run.bat to run the infostealer
 * Chain 3


Figure 10: The phishing mail in chain 3

The 7z file from the link in the phishing mail contains a batch file obfuscated
by BatchShield.


Figure 11: The obfuscated batch file

After deobfuscation, we can see that it is not as complicated as it first seems.
It simply downloads and executes script.ps1 using PowerShell.


Figure 12: The deobfuscated batch file


PYTHON INFOSTEALER

Based on the mailbox that receives the data, the infostealer's behavior can be
divided into three parts. For each part it creates folders to temporarily store
the stolen data and deletes them after sending the data to the attacker. The
stolen data is attached to the email sent to the attacker.

 * Part 1 – User information and text files

In part 1, the Python stealer collects login data, credit card information, web
history, download history, autofill data, and text files (less than 0.2 MB) from
the Desktop, Documents, and Downloads folders.

Sender: minesmtp8714@maternamedical[.]top

Receiver: minestealer8412@maternamedical[.]top

Target browsers: amigo, torch, kometa, orbitum, cent-browser, 7star, sputnik,
vivaldi, google-chrome-sxs, google-chrome, epic-privacy-browser, microsoft-edge,
uran, yandex, brave, iridium

Folders and files:

 * %TEMP%\Browsers: text files (less than 0.2 MB) copied from Desktop,
   Documents, Downloads
 * %TEMP%\Browsers\{browser name}: Saved_Passwords.txt, Saved_Credit_Cards.txt,
   Browser_History.txt, Download_History.txt, Autofill_Data.txt

Attachment: zip file of the %TEMP%\Browsers folder
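The staging folders and artefact names listed for the three parts, followed by an SMTP send from the same process, give a defender a correlatable pattern. The detection below is an added example (not code from the report or from Fortinet) that runs over constructed EDR-style events; the event schema, the file paths and the host names are assumptions, and it covers the staging paths of all three parts, not only part 1.

```python
import re
from collections import defaultdict

# Constructed telemetry (not from the report): one dict per event, keyed by pid.
EVENTS = [
    {"pid": 4120, "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\PythonTemp\python.exe",
     "cmdline": "python.exe tester.py"},
    {"pid": 4120, "type": "file_create",
     "path": r"C:\Users\u\AppData\Local\Temp\Browsers\google-chrome\Saved_Passwords.txt"},
    {"pid": 4120, "type": "file_create",
     "path": r"C:\Users\u\AppData\Local\Temp\Browsers\google-chrome\Browser_History.txt"},
    {"pid": 4120, "type": "file_create", "path": r"C:\Users\u\AppData\Local\Temp\Browsers.zip"},
    {"pid": 4120, "type": "network", "dst_port": 587, "dst_host": "mail.example.invalid"},
    # A mail client also talks SMTP but never writes the staging artefacts.
    {"pid": 5200, "type": "process", "image": r"C:\Program Files\Outlook\outlook.exe", "cmdline": "outlook.exe"},
    {"pid": 5200, "type": "network", "dst_port": 587, "dst_host": "smtp.office365.com"},
]

# Artefact names from part 1 and the %TEMP% staging folders from parts 1-3.
STEALER_FILES = {"Saved_Passwords.txt", "Saved_Credit_Cards.txt", "Browser_History.txt",
                 "Download_History.txt", "Autofill_Data.txt"}
STAGING_DIRS = re.compile(r"\\Temp\\(Browsers|pdf_temps|cookies_data)(\\|$)", re.I)
SMTP_PORTS = {25, 465, 587}


def detect_emansrepo_pattern(events):
    """Flag any pid that writes stealer artefacts into a staging folder and then
    opens an outbound SMTP connection. Returns one alert dict per flagged pid."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        staged = [e["path"] for e in evs
                  if e["type"] == "file_create" and STAGING_DIRS.search(e["path"])]
        artefacts = {p.rsplit("\\", 1)[-1] for p in staged} & STEALER_FILES
        smtp = [e for e in evs if e["type"] == "network" and e["dst_port"] in SMTP_PORTS]
        # Both stages are required: staging alone is noisy, SMTP alone is normal for mail clients.
        if artefacts and smtp:
            alerts.append({"pid": pid, "artefacts": sorted(artefacts), "smtp_dst": smtp[0]["dst_host"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_emansrepo_pattern(EVENTS):
        print(alert)
```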

Part 1 represents the initial feature set of Emansrepo, since the November 2023
variant (e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5)
contains code for part 1 only. It's worth noting that the string "emans841
report" has been used as the divider in Saved_Passwords.txt since the December
2023 variant (ae2a5a02d0ef173b1d38a26c5a88b796f4ee2e8f36ee00931c468cd496fb2b5a).
This string is the reason we call the stealer Emansrepo.


Figure 13: The content of Saved_Passwords.txt

The variant used in November 2023 uses Prysmax Premium as the divider.

Comparing the November 2023 variant with the first edition of the Prysmax
stealer shared on GitHub, we found that they contain many similar functions,
though the Emansrepo stealer had fewer features. However, as parts 2 and 3 were
added to Emansrepo, it has become quite different from the Prysmax stealer.


Figure 14: Left: Variant in November 2023. Right: First edition of Prysmax
Stealer on GitHub
 * Part 2 – PDF files, extensions, crypto wallets, and game platforms

Part 2 copies PDF files (less than 0.1 MB) from the Desktop, Documents,
Downloads, and Recents folders and compresses the folders of browser extensions,
crypto wallets, and game platforms into zip files.

Sender: extensionsmtp@maternamedical[.]top

Receiver: filelogs@maternamedical[.]top

Target browsers: Opera, Chrome, Brave, Vivaldi, Yandex, Edge

Target crypto wallets: Atomic Wallet, Guarda, Zcash, Armory, Bytecoin, Exodus,
Binance, Electrum, Coinomi, jaxx

Target game platforms: Steam, Riot Games

Target browser extensions: MetaMask, BNB Chain Wallet, Coinbase Wallet, Ronin
Wallet, Trust Wallet, Venom Wallet, Sui Wallet, Martian Aptos & Sui Wallet,
TronLink, Petra Aptos Wallet, Pontem Crypto Wallet, Fewcha Move Wallet, Math
Wallet, Coin98 Wallet, Authenticator, Exodus Web3 Wallet, Phantom, Core | Crypto
Wallet & NFT, TokenPocket - Web3 & Nostr Wallet, SafePal Extension Wallet,
Solflare Wallet, Kaikas, iWallet, Yoroi, Guarda, Jaxx Liberty, Wombat, Oxygen -
Atomic Crypto Wallet, MEW CX, GuildWallet, Saturn Wallet, Station Wallet,
Harmony, EVER Wallet, KardiaChain Wallet, Pali Wallet, BOLT X, Liquality Wallet,
XDEFI Wallet, Nami, MultiversX Wallet, Temple - Tezos Wallet, XMR.PT

Folders and files in the temp folder:

 * %TEMP%\pdf_temps: PDF files (less than 0.1 MB) copied from the Desktop,
   Documents, Downloads and Recents folders
 * %TEMP%\pdf_temps: {extension ID}.zip
 * %TEMP%\pdf_temps: {data folder}.zip

Attachment: all files in pdf_temp

 * Part 3 – Cookies

Part 3 copies cookie files and zips them into {process_name}_cookies.zip.

Sender: cookiesmtp@maternamedical[.]top

Receiver: cooklielogs@maternamedical[.]top

Target browsers: Chrome, msedge, brave, opera, 360se, 360browser, yandex,
UCBrowser, QQBrowser

Folders and files in the temp folder:

 * %TEMP%\cookies_data: {process_name}_cookies.zip

Attachment: zip files in cookies_data


NEW CAMPAIGN

We recently found another attack campaign using the Remcos malware, which we
believe is related to the same attacker because of the similarity of the
phishing emails.


Figure 15: Left: the email for the Python infostealer. Right: The email for
Remcos.

As the above screenshot shows, these attacks have the same content but use
different methods to distribute malware. The attack flow for Remcos is much
simpler. The attacker just sends phishing emails with a malicious attachment.
The attachment is a DBatLoader, which downloads and decrypts data for the
payload. The payload is a Remcos protected by a packer.


Figure 16: Attack flow of new Remcos campaign


CONCLUSION

Emansrepo has been active since at least November 2023, and its attack methods
continue to evolve. The attack vectors and malware are ever-changing and
pervasive, so it's vital for organizations to maintain cybersecurity awareness.
FortiGuard will continue monitoring these attack campaigns and providing
appropriate protections as required.


FORTINET PROTECTIONS

The malware described in this report is detected and blocked by FortiGuard
Antivirus as:

W32/Kryptik.EB!tr
JS/Agent.FEI!tr
BAT/Downloader.2C22!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus
service. The FortiGuard AntiVirus engine is part of each solution. As a result,
customers who have these products with up-to-date protections are already
protected.

The FortiGuard CDR (content disarm and reconstruction) service can disarm the
embedded link object inside the Excel document.

To stay informed of new and emerging threats, you can sign up to receive future
alerts.

We also suggest our readers go through the free Fortinet Cybersecurity
Fundamentals (FCF) training, a module on Internet threats designed to help end
users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks
these attacks by aggregating malicious source IP data from the Fortinet
distributed network of threat sensors, CERTs, MITRE, cooperative competitors,
and other global sources that collaborate to provide up-to-date threat
intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your
organization, please contact our Global FortiGuard Incident Response Team.
