Pierluigi Paganini January 02, 2019

ESET analyzed the distribution technique used by cyber criminals in new Emotet campaign that has recently affected various countries in Latin America.

In November, experts from ESET uncovered a massive spam campaign that was distributing the Emotet malware. The campaign targeted several users in some Latin American countries and ESET shared details on the propagation used in this campaign.

Unlike past campaigns, attackers used a downloader incorporated into an Office file-

“In recent years we have seen how cybercriminals have taken advantage of the Microsoft Office suite to propagate their threats, from simple macros embedded in files to the exploitation of vulnerabilities. On this occasion though, the implementation is a little unusual, consisting of a downloader incorporated into an Office file.” reads the analysis published by ESET.

“This caused confusion among many users, who asked us to explain how the threat works.”

The attack begins with an email message with a weaponized document that once opened will ask the victim to enable macros using social engineering tricks.

The trick used by the crooks in this campaign has unusual features, for example, the macro does not seem to be one of those known macros that attempt to connect to a website to download some malicious content.

The macro includes a function is to read text from an “all-but-imperceptible object in the page“. In the top-left of the page, there is very small, square, solid, black box that could be expanded to see the content.

The text box contains a “cmd” command that executes a PowerShell script that tries to connect to five sites and then download and obfuscated variant of Emotet.

Once the payload is executed, it will gain persistence on the computer and connects to the C&C server. The payload could also download and execute additional components of the malware or other payloads to carry out other malicous activities,

The malware could steal credentials, make lateral movements, harvest sensitive information, carry out port forwarding, and other operations.

“Though not at all a new technique, this small change in the way Emotet’s action is hidden within the Word file demonstrates how sneaky cybercriminals can be when it comes to concealing their malicious activity and trying to compromise user information. ” concludes ESET.

Pierluigi Paganini

(SecurityAffairs – Emotet, malware)

[adrotate banner=”5″] [adrotate banner=”13″]