Experts at ESET have analyzed the propagation technique used by the attackers in their latest Emotet campaign which affected several users in Latin America. Researchers noted the use of a downloader incorporated into an Office file to propagate in the recent campaign.
“In recent years we have seen how cybercriminals have taken advantage of the Microsoft Office suite to propagate their threats, from simple macros embedded in files to the exploitation of vulnerabilities. On this occasion though, the implementation is a little unusual, consisting of a downloader incorporated into an Office file. This caused confusion among many users, who asked us to explain how the threat works,” read the analysis published by ESET.
The attack started with a phishing email along with an malicious attachment. Upon downloading and opening the attached document, it will ask the victims to enable the macros.
The trick used by the attackers in this latest campaign is equipped with unusual features such as the macro does not attempt to connect to a website to download some malicious content. However, the macro’s function is to read text from an “all-but-imperceptible object in the page.
In the top left corner of the page appears a very small, square, solid black box, which can be expanded. Upon expanding, the text box contains a “cmd” command, which launches a PowerShell script that attempts to connect to five sites and then download the payload, an obfuscated variant of Emotet.
Once the payload is executed, it establishes persistence on the computer and connects to its C2 server. The payload can attempt further downloads thereby, installing attack modules and secondary payloads which perform malicious activities on the compromised system.
The additional attack modules carries out various malicious actions in order to steal credentials, infiltrate sensitive information, spread itself on the network, execute port forwarding, and other operations.
“Though not at all a new technique, this small change in the way Emotet’s action is hidden within the Word file demonstrates how sneaky cybercriminals can be when it comes to concealing their malicious activity and trying to compromise user information,” ESET concluded.