{"id":18865,"date":"2022-04-27T03:10:06","date_gmt":"2022-04-27T11:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/27\/news-12598\/"},"modified":"2022-04-27T03:10:06","modified_gmt":"2022-04-27T11:10:06","slug":"news-12598","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/27\/news-12598\/","title":{"rendered":"Emotet fixes bug in code, resumes spam campaign"},"content":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Wed, 27 Apr 2022 10:15:34 +0000<\/strong><\/p>\n<p>Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.<\/p>\n<p>The bug\u2014a flaw in how Emotet is installed onto a system after a victim opens a malicious email attachment\u2014forced the actors to prematurely halt their campaign.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" data-attachment-id=\"55977\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/malware\/2022\/04\/emotet-fixes-bug-in-code-resumes-spam-campaign\/attachment\/fq-puumwuaernf2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/04\/FQ-puUmWUAERnF2.jpeg\" data-orig-size=\"1906,1246\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"FQ-puUmWUAERnF2\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/04\/FQ-puUmWUAERnF2-300x196.jpeg\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/04\/FQ-puUmWUAERnF2-600x392.jpeg\" loading=\"lazy\" width=\"600\" height=\"392\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/04\/FQ-puUmWUAERnF2-600x392.jpeg\" alt=\"\" class=\"wp-image-55977\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/04\/FQ-puUmWUAERnF2-600x392.jpeg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/04\/FQ-puUmWUAERnF2-300x196.jpeg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/04\/FQ-puUmWUAERnF2-1536x1004.jpeg 1536w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/04\/FQ-puUmWUAERnF2.jpeg 1906w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><figcaption><em>Sample email of an Emotet spam containing a defective attachment. <br \/>(Source: <a href=\"https:\/\/twitter.com\/malware_traffic\/status\/1517622327000846338\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">@malware_traffic<\/a>)<\/em><\/figcaption><\/figure>\n<\/div>\n<p>Emotet is spammed out in emails claiming to contain invoices, forms, or payment details. The attachment is a password-protected ZIP file containing a shortcut file (.LNK extension) that pretends to be a Word document.<\/p>\n<p>Normally, once users double-click the file, Emotet is loaded into memory, steals email addresses to use in future campaigns, and drops a payload, usually another piece of malware such as ransomware or <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/cobalt-strike\/\">Cobalt Strike<\/a>. However, the bug broke this chain immediately after the attachment was clicked.<\/p>\n<p>You see, double-clicking the file sets off a chain. The shortcut runs a command that searches the .LNK file itself for a marker string, after which Visual Basic code is hidden. That code is copied out to a new VBS file, which is then executed. But the shortcut filename hard-coded into that command does not match the actual name of the attached shortcut file. For example, the command calls for &#8220;Password2.doc.lnk&#8221;, but the attached file itself is named &#8220;INVOICE 2022-04-22_1033, USA.doc&#8221;. This error breaks the infection chain.<\/p>\n<p>Cryptolaemus (<a href=\"https:\/\/twitter.com\/Cryptolaemus1\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">@Cryptolaemus1<\/a>) has provided a more technical explanation in this Twitter thread:<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/emotet?src=hash&amp;ref_src=twsrc%5Etfw\">#emotet<\/a> Update &#8211; As of the last few hours Ivan is running some tests on E4 to try to bypass detection by appending a VBS at the end of an LNK file in a zip. The LNK when launched will find a string in itself and then copy the remainder from that string after to a VBS file. 1\/x <a href=\"https:\/\/t.co\/pEcOWdbfOa\">https:\/\/t.co\/pEcOWdbfOa<\/a><\/p>\n<p>&mdash; Cryptolaemus (@Cryptolaemus1) <a href=\"https:\/\/twitter.com\/Cryptolaemus1\/status\/1517634855940632576?ref_src=twsrc%5Etfw\">April 22, 2022<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>Emotet&#8217;s current use of .LNK files as attachments is a tried-and-tested tactic that can bypass antivirus detection and Mark-of-the-Web (MOTW) &#8220;marking.&#8221; Mark of the Web is a Windows feature that records that a file was downloaded from the Internet.<\/p>\n<p>Our Threat Intelligence Team has seen APT threat actors use .LNK files in their attack campaigns (the <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2020\/06\/higaisa\/\">Higaisa APT<\/a> comes to mind). It&#8217;s no surprise that other cybercriminal groups have adopted this. 
The operators of Emotet and <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1518710838424752133\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">IcedID<\/a> were just some of them.<\/p>\n<p>Emotet has repeatedly changed how it reaches victims over its years of activity. Historically, it was spread via malicious Windows App Installer packages and malformed Word documents. Emotet is a sophisticated and versatile Trojan, which has been used by other criminal groups to drop their own malware, causing multiple infections on one system. Some of the files it drops are QBot, QakBot, TrickBot, and Mimikatz (a legitimate security tool that is abused to steal credentials).<\/p>\n<p>BleepingComputer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-malware-infects-users-again-after-fixing-broken-installer\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">shared<\/a> a list of attachment names the new Emotet email spam campaign is using, courtesy of Cofense, a security company specializing in email security:<\/p>\n<ul>\n<li>ACH form.zip<\/li>\n<li>ACH payment info.zip<\/li>\n<li>BANK TRANSFER COPY.zip<\/li>\n<li>Electronic form.zip<\/li>\n<li>form.zip<\/li>\n<li>Form.zip<\/li>\n<li>Form &#8211; Apr 25, 2022.zip<\/li>\n<li>Payment Status.zip<\/li>\n<li>PO 04252022.zip<\/li>\n<li>Transaction.zip<\/li>\n<\/ul>\n<p>If you have received any emails bearing attachments with the above names, it would be wise to delete them immediately to remove the risk of accidentally opening the attachment.<\/p>\n<p>Stay safe out there!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/malware\/2022\/04\/emotet-fixes-bug-in-code-resumes-spam-campaign\/\">Emotet fixes bug in code, resumes spam campaign<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Wed, 27 Apr 2022 10:15:34 +0000<\/strong><\/p>\n<p>Emotet is back with a new spam campaign. And it&#8217;s now spreading itself as a shortcut link file pretending to be a Word document.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[25827,15715,16784,3764,25828,12165,24883,23802,10740,13256],"class_list":["post-18865","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-email-spam-campaign","tag-emotet","tag-icedid","tag-malware","tag-mark-of-the-web","tag-mimikatz","tag-motw","tag-qakbot","tag-qbot","tag-trickbot"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18865","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18865"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18865\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net
\/index.php\/wp-json\/wp\/v2\/media?parent=18865"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18865"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18865"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}