Wednesday06 July 2022

Yet Another New Attack Method Shows Up From the Group Behind Emotet

Reading time is around minutes.

Yesterday we told you that the gang behind Emotet was looking to used Excel add-ins as a possible new technique to compromise systems as part of their spamming campaigns. The detected techniques were labeled as potentially being part of research and development efforts on the part of the group TA542 due to changes Microsoft is making in Office (and ones many admins already push). The R&D efforts do not stop there though as multiple security research teams are now saying they have identified another new technique associated with Emotet.

The new technique is a bit interesting and not terribly complex. Instead of their usual pivot via macros, or even via XLL, they are using .LNK files that are just links to PowerShell commands. The commands are obfuscated in a couple of ways, the first I by adding null characters to the LNK so the command is not visible in the properties window (like adding spaces and a double extension to a malicious binary [.]pdf [.]exe). The group has also moved to 64bit modules to ensure they are spreading the love around properly.

The command referenced in the LNK file appears to create a second PS script which then uses the Regsvr32.exe command to not only run the new script, but also to register a dll completing the infection. As previously reported, TA542 took a bit of a break after law enforcement went after their infrastructure. However, it is clear that the group is not finished as they have been observed ramping up new activities with new TTPs. Emotet is known to be part of follow-on campaigns for groups like Conti. The recent leak of messages from the Conti group confirms cooperation between the two groups.

Threat groups really never stop developing, they might not expose new techniques and tactics while the old ones still work, but they also always have fun stuff in their back pocket for when current campaigns fail. This means that organizations need to be better prepared to detect and counter threats, especially when they rapidly evolve during renewed operations. As with the XLL file attack, the risk of infection/compromise can be reduced though the use of behavior based anti-malware, security culture training, anti-phishing techniques and good URL inspection and blocking.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.