This new variant of Emotet trojan distributes Nozelesn ransomware via Nymaim malware downloader

• Researchers noted the emergence of the new variant in February 2019.
• This particular variety of trojan has been found targeting the hospitality sector.

Researchers have discovered a new variant of Emotet trojan distributing a malware downloader for ransomware. This particular variety of trojan has been found targeting the hospitality sector.

The bigger picture - In a detailed analysis, researchers from Trend Micro have discovered a new version of the infamous Emotet trojan that distributes Nymaim, the malware downloader. This malware, in turn, tends to download the Nozelesn ransomware.

Researchers noted the emergence of the new variant in February 2019. For this, they investigated 580 similar Emotet file attachment samples recorded between January 9, 2019, and February 7, 2019.

Modus Operandi - The researchers investigated one of the MDR-monitored endpoints EP01 using Root Cause Chain analysis (RCA) and found suspicious files called ‘How_Fix_Nozelesn_files.htm’. These files were hosted on a server called S01. With the type of files hosted on the server S01, it indicated that the server was infected with Nozelesn ransomware and that the files appeared to be written to disk on around February 15, 2019.

Furthermore, the researchers noted that the new Emotet trojan is distributed in the form of a Microsoft Word doc. Once the Word doc is opened, it downloads the PowerShell.exe on to the infected system and later connects to various malicious IP addresses.

“Based on the RCA, the malicious document file was opened in Microsoft Word and was downloaded via Google Chrome. We knew for a fact that the organization was using Office 365 within their environment, so this fit their normal daily operations. Immediately after the malicious document was opened, PowerShell.exe was spawned. This connected to various IP addresses and eventually created another file in the system named 942.exe,” the researchers wrote.

About Nymaim - Nymaim is delivered to the infected systems as secondary payloads. In 2018, security researchers linked the malware downloader to the Nozelesn ransomware. In the attack campaign, Nymaim was found using fileless execution technique to load the ransomware to the machine’s memory.

After running a thorough analysis, the researchers came to the conclusion that there can be two possible scenarios of distributing the Nozelesn ransomware:

1. Emotet variant was first downloaded and executed on the S01 via an administrative share. After that, the trojan downloaded the Nymaim malware, which in turn loaded the ransomware in memory, or
2. Nymaim loaded the ransomware in EP01, which then encrypted files in S01 via shared folders.

Expert note that attackers may have leveraged the first scenario to install the malware as there is no indication of Nozelesn ransomware infection in EP01.