Back in January of 2022, Microsoft announced that VBA macros would be blocked by default in files downloaded from the internet, as an attempt to mitigate increasing numbers of attacks using malicious Office documents. Office documents containing VBA macros that include PowerShell and/or WMI commands have been the most popular delivery mechanism used by attackers to spread Emotet. First seen used against multiple banks in 2014, Emotet has evolved into one of the most prolific and dangerous trojans in the world.
On April 26, 2022, a new campaign from Emotet was discovered in the wild. This new campaign includes some adjustments that are clearly intended to circumvent Microsoft’s new VBA macro-blocking strategy. Rather than abusing VBA macros to download and execute a payload, this new form of Emotet abuses the LNK file format to execute a PowerShell script. Analyzing the malicious LNK file’s properties will show that the target is actually pointing to the system’s PowerShell executable. Within that LNK file is a base64 string that includes Emotet’s PowerShell script. It includes a list of URL’s where Emotet’s payload is hosted. Once Powershell runs the command, the system will check these URL’s until it reaches an active one and pulls down the payload. The malicious script then deletes itself.
Witnessed Indicators of Compromise (IOCs) that have been observed at this time can be found here, including hashes of .LNK files, Payload URLs, and Command and Control IP addresses that can be blocked: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Emotet/IOCs/2022-05-06
