Emotet, one of the first Malware-as-a-Service (MaaS), an ever-evolving botnet and banking trojan active since 2014, recently added new techniques to its arsenal. Initially intended to extract sensitive banking information from a victim’s computer and operate using other malware trojans, this notorious malware continues evolving by implementing new techniques in the malware delivery stage.
This document is an update to the technical report on Emotet from December 2021.
Until recently, Emotet’s infection flow and execution included the first phase of malspam activity, which lures the user to open an attachment, thereby triggering a macro code to run on the victims’ system. In previous versions of Emotet, the macro would directly launch PowerShell to download the payload. After the macro phase, each version would act differently, for example, lateral spreading, dropping additional malware, and deploying Emotet modules. We have already witnessed Ryuk, Trickbot, and other notorious malware using Emotet to gain initial access.
Shortcuts, Regsvr32, and 64-bit Loaders
In recent versions of Emotet, we detected something different in the infection chain: The macro code that was previously in use has been replaced with an LNK file.
One of the reasons this change took place relates to Microsoft’s announcement about VBA protection, which will eventually block any macro file of internet origin from being executed.
The LNK initiates an encoded Powershell code, which calls regsvr32.exe (Windows command-line utility to register and unregister OLE controls) from the Syswow64 folder to run the payload, allowing 32-bit binary to run in 64-bit OS. This might indicate that Emotet’s new variants will drop the ability to act on 32-bit OS.
The Obfuscated Base64 Encoded PowerShell code defines the Preference Variable (ProgressPreference) mode of “Silently Continue” (suppresses the error message and continues executing the command) and multiple links to communicate with in order to fetch the payload to the newly created folder.
LNK Current Volume and Prior Usage
Cyberint Research Team has detected 45 LNK samples over the past month; most of the LNK files appeared as Emotet-related and shared the same cmdlets structure. However, the Powershell employment using the LNK technique appeared in the wild in 2021 while being used in the Document Stealer OutSteel and the Downloader SaintBot, according to Unit 42 Report. Emotet operators might become inspired by the technique and implement it in their infection chain.
In addition, the Cyberint Research Team detected several instances of LNK payload builders for sale on known Darknet Forums. This kind of payload is already gaining traction and will probably increase its presence in new malware variants.
Conclusions and Recommendations
As malware and stealers keep evolving and becoming more complex in their evasion methods, the race to detect new techniques and bypasses will continue at high intensity. Although the malware contains multiple layers of obfuscation and encoding, the entry point is the employee who might mistakenly enable the macro code/LNK file that will lead to the infection of the machine.
- Ensure that your organization is set for the new VBA protection, use a Group Policy to disable macros running in Microsoft Office applications.
- Educate users on the standard TTP used and reinforce the message that documents encouraging them to “Enable Editing,” “Enable Content”, or disable any other security setting are almost undoubtedly malicious.
- Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, and implement protocols and security controls such as DKIM, DMARC, and SPF.
- Continuous monitoring of unusual endpoint behaviors such as excessive requests to specific web hosts using unique user-agent strings, can be an early indication of compromise.
- Consider applying deep content inspection to ensure that any downloaded content filetype matches the actual file content and blocks dangerous filetypes, such as executables, for standard users.