After the threat actors repaired a problem that prevented victims from getting infected when they opened malicious email attachments, the Emotet malware phishing operation is again running.
Emotet is a malware infection spread by spam campaigns incorporating malicious attachments. When a user launches the attachment, malicious scripts or macros will load the Emotet DLL into memory after downloading it. Once loaded, the virus will look for and steal emails to employ in future spam operations, as well as drop additional payloads such as Cobalt Strike or other ransomware-related malware.
Emotet malware distributors began a new email campaign last Friday that featured password-protected ZIP file attachments carrying Windows LNK (shortcut) files masquerading as Word documents. When a user double-clicks on the shortcut, it launches a program that searches the shortcut file for a particular string containing Visual Basic Script code, appends the code to a new VBS file, and runs the VBS file.
This command, however, had a flaw in that it employed a static shortcut name of ‘Password2.doc.lnk,’ even though the actual name of the attached shortcut file, such as ‘INVOICE 2022-04-22_1033, USA.doc,’ was different. As described by the Emotet research group Cryptolaemus, the command failed because the Password2.doc.lnk file did not exist, so the VBS file was not produced.
According to Cryptolaemus researcher Joseph Roosen, Emotet shut down the new email campaign at around 00:00 UTC on Friday after realizing that the flaw prevented people from getting infected. When Emotet corrected the flaw, users were again bombarded with fraudulent emails with password-protected zip files and shortcut attachments.
When the command is run, these shortcuts now reference the right filenames, allowing the VBS files to be appropriately produced and the Emotet malware to be downloaded and installed on victims’ devices. According to email security firm Cofense, the following attachments were employed in recent Emotet campaigns:
- Electronic form.zip
- PO 04252022.zip
- Form – Apr 25, 2022.zip
- Payment Status.zip
- BANK TRANSFER COPY.zip
- ACH form.zip
- ACH payment info.zip
It is strongly suggested that you should not open any emails that include similar password-protected attachments. Instead, call your network or security administrators and have them review the attachment to see whether it is malicious.