The Emotet botnet, known for its innovative tricks and tactics, is once again in the news with a one-click attack technique that leverages self-unlocking, self-extracting RAR archives.

What has happened?

Trustwave researchers identified an increase in threats packaged in password-protected ZIP files. Emotet is the major distributor of these malicious packages, accounting for about 96% of them, and it does so using an innovative trick.

The new trick

In the latest attack wave, attackers are using invoice-themed phishing lures that carry password-protected archive files.
  • These archives contain a nested self-extracting (SFX) archive that acts as a conduit to launch a second, password-protected archive. The chain requires just one click from the victim; no password input is needed to compromise the target.
  • One such SFX archive was observed using a PDF or Excel icon to appear legitimate; it contained a batch file, a RAR SFX archive, and decoy images or a PDF file.
  • These files are then used to drop CoinMiner and Quasar RAT on compromised systems.
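The two indicators this chain relies on are an outer archive whose members are flagged as password-protected (so a scanner cannot open them) and an executable member that is a RAR SFX stub wrapping a further password-protected archive. The following triage script, added here as an example and not code from the original article or from Trustwave, surfaces both. It parses only the public ZIP and RAR 4.x header layouts; the sample archives, file names and batch payload are constructed inline and are not the real malware.

```python
import io
import struct
import zipfile

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x signature (located, not parsed here)
ZIP_ENCRYPTED = 0x0001                # bit 0 of the ZIP general-purpose flag
RAR4_MHD_PASSWORD = 0x0080            # archive header: file headers are encrypted
RAR4_LHD_PASSWORD = 0x0004            # file header: file data is encrypted
RAR4_LONG_BLOCK = 0x8000              # block is followed by ADD_SIZE / PACK_SIZE bytes


def find_rar(data: bytes):
    """Locate a RAR signature anywhere in a blob; returns (version, offset) or None."""
    for version, sig in ((5, RAR5_SIG), (4, RAR4_SIG)):
        off = data.find(sig)
        if off != -1:
            return version, off
    return None


def rar4_requires_password(data: bytes, start: int) -> bool:
    """Walk RAR4 block headers from the marker at `start`; True if the headers or
    any file entry are password-protected. Block CRCs are not verified."""
    pos = start + len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, htype, flags, size = struct.unpack_from("<HBHH", data, pos)
        if size < 7 or htype == 0x7B:          # malformed block or end-of-archive block
            break
        if htype == 0x73 and flags & RAR4_MHD_PASSWORD:
            return True
        if htype == 0x74 and flags & RAR4_LHD_PASSWORD:
            return True
        extra = 0
        if flags & RAR4_LONG_BLOCK and pos + 11 <= len(data):
            extra = struct.unpack_from("<I", data, pos + 7)[0]  # PACK_SIZE for file blocks
        pos += size + extra
    return False


def inspect_blob(body: bytes) -> dict:
    """One extracted member: is it a RAR SFX (PE stub followed by RAR data), and is
    the embedded archive password-protected?"""
    result = {"rar_sfx": False, "rar_password": False}
    hit = find_rar(body)
    if hit is None:
        return result
    version, off = hit
    result["rar_sfx"] = body[:2] == b"MZ" and off > 0
    if version == 4:
        result["rar_password"] = rar4_requires_password(body, off)
    return result


def inspect_zip(buf: bytes) -> list:
    """Per-member findings. Encrypted members cannot be read, so they are reported
    as password-protected rather than silently passed as clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        for info in zf.infolist():
            entry = {"name": info.filename, "rar_sfx": False, "rar_password": False,
                     "encrypted": bool(info.flag_bits & ZIP_ENCRYPTED)}
            if not entry["encrypted"]:
                entry.update(inspect_blob(zf.read(info)))
            findings.append(entry)
    return findings


# ---- constructed sample input (not real malware) ---------------------------------
def build_fake_rar4(name: bytes, encrypted: bool) -> bytes:
    """Minimal RAR4 layout: marker, archive header, one stored file, end block."""
    payload = b"@echo off\r\n"                  # stand-in for the batch file
    flags = RAR4_LONG_BLOCK | (RAR4_LHD_PASSWORD if encrypted else 0)
    archive_hdr = struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, flags, 32 + len(name),
                           len(payload), len(payload), 0, 0, 0, 29, 0x30, len(name), 0)
    end_hdr = struct.pack("<HBHH", 0, 0x7B, 0x4000, 7)
    return RAR4_SIG + archive_hdr + file_hdr + name + payload + end_hdr


def make_zip(name: str, body: bytes) -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return out.getvalue()


def _set_encrypted_bit(data: bytearray, off: int) -> None:
    struct.pack_into("<H", data, off, struct.unpack_from("<H", data, off)[0] | ZIP_ENCRYPTED)


def mark_zip_encrypted(buf: bytes) -> bytes:
    """Stand-in for a password-protected ZIP: set the encrypted bit in each local
    header (flag at +6) and central-directory header (flag at +8); data stays plain."""
    data = bytearray(buf)
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        offsets = [i.header_offset for i in zf.infolist()]
    for off in offsets:
        _set_encrypted_bit(data, off + 6)
    cd = struct.unpack_from("<I", data, data.rfind(b"PK\x05\x06") + 16)[0]  # EOCD -> CD start
    for _ in offsets:
        _set_encrypted_bit(data, cd + 8)
        n, m, k = struct.unpack_from("<HHH", data, cd + 28)  # name, extra, comment lengths
        cd += 46 + n + m + k
    return bytes(data)


# Fake SFX: filler bytes stand in for the PE unrar stub, followed by a password-protected
# RAR4 archive holding a batch file; wrapped in a plain ZIP, then in a "protected" ZIP.
SFX_STUB = b"MZ" + b"\x90" * 120 + build_fake_rar4(b"run.bat", encrypted=True)
INNER_ZIP = make_zip("Invoice_0034.pdf.exe", SFX_STUB)
OUTER_ZIP = mark_zip_encrypted(make_zip("Invoice_0034.zip", INNER_ZIP))

if __name__ == "__main__":
    for label, blob in (("outer", OUTER_ZIP), ("inner", INNER_ZIP)):
        print(label, inspect_zip(blob))
```

Run stand-alone, the script reports the outer archive as a password-protected member it cannot open, and the inner archive as carrying a RAR SFX whose embedded archive is itself password-protected; both conditions are worth alerting on at a mail gateway even when the payload cannot be scanned.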

Payload details

  • CoinMiner is a cryptocurrency miner that can double as a credential stealer. It uses Windows Management Instrumentation (WMI) to gather hardware information and to identify the antivirus product installed on the system, in order to evade sandboxes and hinder analysis.
  • The other payload, Quasar RAT, is an open-source .NET-based RAT with powerful capabilities. It reaches its C2 server through a domain owned by the threat actor and a free dynamic DNS domain.

Conclusion

Password-protected files are difficult to scan for their contents and therefore pose a real risk to end users. Adoption of this tactic by Emotet, at such scale, is a clear red flag for end users as well as security professionals. The tactic also lets threat actors carry out a range of follow-on attacks, including cryptojacking, data theft, and ransomware.
Publisher: Cyware