Jump to content
  • Emotet malware now installs via PowerShell in Windows shortcut files


    Karlston

    • 644 views
    • 3 minutes
     Share


    • 644 views
    • 3 minutes

    The Emotet botnet is now using Windows shortcut files (.LNK) containing PowerShell commands to infect victims computers, moving away from Microsoft Office macros that are now disabled by default.

     

    The use of .LNK files is not new, as the Emotet gang previously used them in a combination with Visual Basic Script (VBS) code to build a command that downloads the payload. However, this is the first time that they utilized Windows shortcuts to directly execute PowerShell commands.

    New technique after botched campaign

    Last Friday, Emotet operators pulled the plug on a phishing campaign because they botched their installer after using a static file name to reference the malicious .LNK shortcut.

     

    Launching the shortcut would trigger a command that extracted a string of VBS code and added it to a VBS file to execute.

     

    However, as the distributed shortcut files had a different name than the static one they were looking for, it would fail to create the VBS file correctly. The gang fixed the problem yesterday.

     

    Today, security researchers noticed that Emotet switched to a new technique that uses PowerShell commands attached to the LNK file to download and execute a script on the infected computer.

     

    The malicious string appended to the .LNK file is obfuscated and padded with nulls (blank space) so that it does not show in the target field (the file the shortcut points to) of the file’s properties dialog box.

     

    Emotet_LNK_PowerShell.jpg

    source: BleepingComputer

     

    Emotet’s malicious .LNK file includes URLs for several compromised websites used for storing the PowerShell script payload. If the script is present at one of the defined locations, it is downloaded to the system’s temporary folder as a PowerShell script with a random name.

     

    Below is the deobfuscated version of the malicious string Emotet attached to the .LNK payload:

     

    EmotetLNK_PowerShell.jpg

    source: BleepingComputer

     

    This script generates and launches another PowerShell script that downloads the Emotet malware from a list of compromised sites and save it to the %Temp% folder. The downloaded DLL is then executed using the regsvr32.exe command.

     

    Executing the PowerShell script is done using the Regsvr32.exe command-line utility and ends with downloading and launching Emotet malware.

     

    Security researcher Max Malyutin says that along with using PowerShell in LNK files, this execution flow is new to Emotet malware deployment.

    New technique on the rise

    The Cryptolaemus researcher group, which is closely monitoring Emotet activity, notes that the new technique is a clear attempt from the threat actor to bypass defenses and automated detection.

     

    Security researchers at cybersecurity company ESET also noticed that the use of the new Emotet technique has increased in the past 24 hours.

     

    Emotet_LNK_PS_Metrics.png
    source: ESET

     

    ESET’s telemetry data shows that the countries most affected by Emotet via the new technique are Mexico, Italy, Japan, Turkey, and Canada.

     

    Apart from switching to PowerShell in .LNK files, the Emotet botnet operators have made a few other changes since they resumed activity to steadier levels in November, such as moving to 64-bit modules.

     

    The malware is typically used as a gateway for other malware, particularly ransomware threats like Conti.

     

     

    Emotet malware now installs via PowerShell in Windows shortcut files


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...