Malware

Experts analyzed the distribution technique used in a recent Emotet campaign

ESET analyzed the distribution technique used by cyber criminals in new Emotet campaign that has recently affected various countries in Latin America.

In November, experts from ESET uncovered a massive spam campaign that was distributing the Emotet malware. The campaign targeted several users in some Latin American countries and ESET shared details on the propagation used in this campaign.

Unlike past campaigns, attackers used a downloader incorporated into an Office file-

“In recent years we have seen how cybercriminals have taken advantage of the Microsoft Office suite to propagate their threats, from simple macros embedded in files to the exploitation of vulnerabilities. On this occasion though, the implementation is a little unusual, consisting of a downloader incorporated into an Office file.” reads the analysis published by ESET.

“This caused confusion among many users, who asked us to explain how the threat works.”

The attack begins with an email message with a weaponized document that once opened will ask the victim to enable macros using social engineering tricks.

The trick used by the crooks in this campaign has unusual features, for example, the macro does not seem to be one of those known macros that attempt to connect to a website to download some malicious content.

The macro includes a function is to read text from an “all-but-imperceptible object in the page“. In the top-left of the page, there is very small, square, solid, black box that could be expanded to see the content.

The text box contains a “cmd” command that executes a PowerShell script that tries to connect to five sites and then download and obfuscated variant of Emotet.

Once the payload is executed, it will gain persistence on the computer and connects to the C&C server. The payload could also download and execute additional components of the malware or other payloads to carry out other malicous activities,

The malware could steal credentials, make lateral movements, harvest sensitive information, carry out port forwarding, and other operations.

“Though not at all a new technique, this small change in the way Emotet’s action is hidden within the Word file demonstrates how sneaky cybercriminals can be when it comes to concealing their malicious activity and trying to compromise user information. ” concludes ESET.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Emotet, malware)

[adrotate banner=”5″] [adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

7 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

14 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.