Emotet Trojan Developers Fix Broken Installer And Resume Spam Mailings

Last weekend, information security experts detected a new spam campaign spreading the Emotet Trojan. However, it turned out that when the file attached to the email was opened, no infection occurred. Over the weekend, the attackers found and fixed the bug and began bombarding users with malicious attachments again.

Emotet operators have been very aggressive lately, trying to revive the once formidable botnet with the help of malicious emails. To this end, the malware injects fake replies carrying an attachment or a link into its victims' existing email threads to ensure further distribution.

A new spike in Emotet spam was reported on Friday, April 22nd. Attackers used attachments in ZIP format; the password-protected archive contained an LNK file disguised as a Word document.

When the file is opened, analysts noticed that it tries to execute a command that searches the shortcut for a marker string, after which VBS code is appended at the end of the .lnk file. That code is then copied into a new VBS file with a random name in the %temp% folder.

Emotet shortcut commands from Friday's campaign
As it turned out, this command cannot succeed because it contains a hard-coded reference to the file name Password2.doc.lnk. In the launched campaign, however, the malicious Windows shortcut was distributed under other names – for example, INVOICE 2022-04-22_1033, USA.doc.

As a result, all infection attempts failed: no VBS file was created on the attacked systems because the command could not find the script inside a file with the expected name. Having discovered the bug, Emotet operators suspended spam mailings and started fixing it. However, yesterday, April 25, malicious emails appeared again, and this time, unfortunately, everything went smoothly – the malware is reliably downloaded and installed on the machine if the recipient lets their guard down and opens the archived LNK file.

Fixed Emotet attachment command
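The mechanism described above (a shortcut whose command locates script text appended to the .lnk itself, and the hard-coded self-reference that broke Friday's variant) can be triaged from the file bytes alone. The following is an added, defender-side example written for this article, not code from the article or from Cofense; the sample shortcut bytes, the marker list and the self-reference heuristic are constructed assumptions for the example.

```python
"""Triage heuristic for a Windows shortcut (.lnk) that carries an appended script."""
import re
import struct

# Fixed start of a ShellLinkHeader (MS-SHLLINK): HeaderSize 0x4C, then the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Tokens typical of script droppers; the list is an assumption for this example.
SCRIPT_MARKERS = [rb"CreateObject\s*\(", rb"WScript\.", rb"cmd(\.exe)?\s+/c",
                  rb"findstr", rb"\.vbs\b"]

def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a valid Shell Link header."""
    return len(data) >= 0x4C and data[:len(LNK_MAGIC)] == LNK_MAGIC

def has_arguments(data: bytes) -> bool:
    """HasArguments bit (0x20) of the LinkFlags field at header offset 20."""
    (flags,) = struct.unpack_from("<I", data, 20)
    return bool(flags & 0x20)

def script_markers(data: bytes) -> list:
    """Script-like tokens found anywhere in the shortcut, in marker-list order."""
    found = []
    for pat in SCRIPT_MARKERS:
        m = re.search(pat, data, re.IGNORECASE)
        if m:
            found.append(m.group(0).decode("latin-1"))
    return found

def referenced_lnk_names(data: bytes) -> set:
    """Shortcut file names the embedded command refers to (the hard-coded
    self-reference is exactly what broke the campaign once the file was renamed)."""
    return {m.decode("latin-1") for m in re.findall(rb"[\w.-]+\.lnk\b", data, re.IGNORECASE)}

def triage(filename: str, data: bytes) -> dict:
    """Verdict plus the evidence behind it; 'clean' means no heuristic fired."""
    if not is_lnk(data):
        return {"verdict": "not-a-shortcut"}
    markers, refs = script_markers(data), referenced_lnk_names(data)
    return {"verdict": "suspicious" if markers or refs else "clean",
            "has_arguments": has_arguments(data), "markers": markers,
            "referenced_lnk": sorted(refs),
            # a shortcut naming a .lnk other than itself mirrors the broken build
            "self_reference_mismatch": bool(refs) and filename not in refs}

# Constructed sample: 0x4C-byte header with HasArguments set, then a stand-in tail
# that imitates the appended text; it is not a working dropper.
SAMPLE_NAME = "INVOICE 2022-04-22_1033, USA.doc.lnk"
SAMPLE = (LNK_MAGIC + struct.pack("<I", 0x20)).ljust(0x4C, b"\x00") + \
    b'findstr /b MARK Password2.doc.lnk > %tmp%\\r.vbs & CreateObject("WScript.Shell")'
```

Run `triage(SAMPLE_NAME, SAMPLE)` on the constructed sample and the verdict is "suspicious" with the self-reference mismatch flagged, the same condition that made Friday's attachments fail.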

Watchers from Cofense have spotted the following attachments being used in the current Emotet campaign:

  • form.zip
  • Form.zip
  • Electronic form.zip
  • PO 04252022.zip
  • Form – Apr 25, 2022.zip
  • Payment Status.zip
  • transaction.zip
  • ACH form.zip
  • ACH payment info.zip

If you receive an email with similar password-protected attachments, it is strongly advised that you do not open them.

Instead, you should contact your network or security admins and let them examine the attachment to determine whether it is malicious.

In addition, I want to remind you to stay wary of malware in general, and of Trojans in particular.
