Emotet malware now installs via PowerShell in Windows shortcut files

The Emotet botnet now uses Windows shortcut files (.LNK) containing PowerShell commands to infect victim computers, moving away from Microsoft Office macros which are now disabled by default.

The use of .LNK files is nothing new, as the Emotet gang previously used them in combination with Visual Basic Script (VBS) code to create a command that downloads the payload. However, this is the first time they have used Windows shortcuts to directly execute PowerShell commands.

New technique after a botched campaign

Last Friday, Emotet operators put an end to a phishing campaign because they botched their installer after using a static filename to reference the malicious .LNK shortcut.

Launching the shortcut would trigger a command that extracted a string of VBS code and added it to a VBS file to run.

However, since the distributed shortcut files had a different name than the static one they were looking for, creating the VBS file would fail. The gang fixed the problem yesterday.

Today, security researchers noticed that Emotet has moved to a new technique that uses PowerShell commands attached to the LNK file to download and run a script on the infected computer.

The malicious string added to the .LNK file is masked and padded with null values ​​(blank space) so that it does not display in the target field (the file the shortcut points to) of the properties dialog of the file.

Emotet using PowerShell in LNK files
source: BleepingComputer

Emotet’s malicious .LNK file includes the URLs of several compromised websites used to store the PowerShell script payload. If the script is present in one of the defined locations, it is downloaded to the system temporary folder as a PowerShell script with a random name.

Below is the deobfuscated version of the Emotet malicious string attached to the .LNK payload:

Malicious string of Emotet with PowerShell commands attached to LNK file
source: BleepingComputer

This script generates and launches another PowerShell script that downloads the Emotet malware from a list of compromised sites and saves it to the %Temp% folder. The downloaded DLL is then executed using the regsvr32.exe command.

The execution of the PowerShell script is done using the Regsvr32.exe command line utility and ends with the download and launch of the Emotet malware.

security researcher Max Malyutin indicates that in addition to using PowerShell in LNK files, this execution flow is new for deploying Emotet malware.

A booming new technique

Research group Cryptolaemus, which closely monitors Emotet activity, notes that the new technique is a clear attempt by the threat actor to circumvent defenses and automated detection.

Security researchers from cybersecurity firm ESET have also noticed that the use of the new Emotet technique has increased over the past 24 hours.

Telemetry data from ESET shows that the countries most affected by Emotet via the new technique are Mexico, Italy, Japan, Turkey and Canada.

Besides the switch to PowerShell in .LNK files, Emotet botnet operators have made a few other changes since resuming business at more stable levels in November, such as moving to 64-bit modules.

The malware is usually used as a gateway for other malware, especially ransomware threats like Conti.

Comments are closed.