Emotet has fixed a bug that was preventing infection on targeted systems. The botnet has seemingly moved away from using Microsoft Office macros as it could be disabled by the host. Threat actors now use Windows shortcut files, including PowerShell commands, to infect victims' computers.

The obstructing bug

Emotet is reportedly spreading via a phishing campaign.
  • The malware distributors launched an email campaign using password-protected ZIP file attachments, including Windows LNK (shortcut) files disguised as Word documents.
  • When a user double-clicks on the shortcut, it runs a command that searches the file for a particular string containing VBS code, adds found code to the new VBS file, and runs it.
  • However, this command had a bug. It used a static shortcut name 'Password2[.]doc[.]lnk,' which was not matching with the real name of the attached shortcut file. Due to this mismatch, the code did not execute further.

This bug has caused the command to fail, as the Password2[.]doc[.]lnk file did not exist and the VBS file was not created. Therefore, the email campaign was shut down at that time.

Fixing the bug

Emotet resumed spamming users with malicious emails containing password-protected zip files and shortcut attachments.
  • These shortcuts now cite the correct filenames. Upon execution, the VBS files are created successfully on the victim’s devices.
  • Moreover, the actors have actively started spamming users with malicious emails containing zip files and shortcut attachments.

Active campaigns and target

Emotet is now using this technique at an accelerated pace.
  • Upon infection, the malware scans for and steals email addresses for further campaigns. 
  • Additionally, it drops payloads such as Cobalt Strike or other malware commonly used for ransomware attacks.
  • The countries most affected by this new technique are Italy, Japan, Mexico, Canada, and Turkey.

Conclusion

The use of LNK files is not new, as Emotet had already used them in a combination with VBS code. However, this is the first time shortcut files are used to directly execute PowerShell commands. This indicates that the malware developers are continuing the trend of bringing in innovative tricks to stay at the top of their game.

Cyware Publisher

Publisher

Cyware