Project Hyphae

Emotet Evolves Its Delivery Tactics Again


Back in January 2022, Microsoft announced that VBA macros would be blocked by default in Office files downloaded from the internet, an attempt to mitigate the growing number of attacks that use malicious Office documents. Office documents carrying VBA macros that launch PowerShell and/or WMI commands had been the most popular delivery mechanism for spreading Emotet. First seen targeting multiple banks in 2014, Emotet has since evolved into one of the most prolific and dangerous trojans in the world.

On April 26, 2022, a new Emotet campaign was discovered in the wild. It includes adjustments clearly intended to circumvent Microsoft's macro-blocking change. Rather than abusing VBA macros to download and execute a payload, this variant abuses the Windows shortcut (LNK) file format to launch a PowerShell script. Inspecting the malicious LNK file's properties shows that its target is the system's PowerShell executable. Embedded in that LNK file is a base64-encoded string containing Emotet's PowerShell script, which holds a list of URLs where the Emotet payload is hosted. Once PowerShell runs the command, the system tries each URL in turn until it reaches a live one and pulls down the payload. The script then deletes itself.
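A defender reading this will want to triage suspicious .LNK files without double-clicking them. The script below is an added example, not code from the original post or from any Emotet sample: it parses the ShellLinkHeader and StringData of a shortcut as laid out in MS-SHLLINK, flags a target that resolves to powershell.exe, decodes the base64 `-enc` argument (base64 over the UTF-16LE script text) and lists every URL in the recovered script. The sample shortcut and the script inside it are constructed here as a fixture; the URLs (`example.invalid`, `example.test`) are placeholders and the embedded script only prints, it never downloads anything. One simplification to be aware of: the parser skips the LinkTargetIDList and LinkInfo blocks and reads the target from the RELATIVE_PATH string only, so a shortcut that stores its target solely in the ID list would need that block decoded as well.

```python
"""Triage a Windows Shell Link (.LNK): report the target, decode a
PowerShell -EncodedCommand argument and list the URLs inside it.

Added example; not code from the original post or from any Emotet sample.
Field layout follows MS-SHLLINK. The LinkTargetIDList and LinkInfo blocks
are skipped by size; only the StringData strings are decoded.
"""
import base64
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits, low to high, in the order MS-SHLLINK defines them
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

POWERSHELL_RE = re.compile(r"(^|[\\/])powershell(\.exe)?$", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def is_lnk(data: bytes) -> bool:
    """True if the 76-byte ShellLinkHeader carries the Shell Link CLSID."""
    if len(data) < 0x4C:
        return False
    size, clsid = struct.unpack_from("<I16s", data, 0)
    return size == 0x4C and uuid.UUID(bytes_le=clsid) == LNK_CLSID


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, arguments, ...)."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)   # LinkFlags
    off = 0x4C
    if flags & HAS_ID_LIST:                 # IDListSize (2) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:               # LinkInfoSize covers the whole block
        (info_size,) = struct.unpack_from("<I", data, off)
        off += info_size
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:         # CountCharacters (2) + characters
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def triage_lnk(data: bytes) -> dict:
    """Flag shortcuts that launch PowerShell and recover URLs from -enc."""
    f = parse_lnk(data)
    target = f.get("relative_path", "")
    args = f.get("arguments", "")
    out = {"target": target, "arguments": args,
           "powershell": bool(POWERSHELL_RE.search(target)),
           "decoded": None, "urls": []}
    m = ENCODED_RE.search(args)
    if m:
        # -EncodedCommand is base64 over the UTF-16LE text of the script
        out["decoded"] = base64.b64decode(m.group(1)).decode("utf-16-le")
        out["urls"] = URL_RE.findall(out["decoded"])
    return out


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Assemble a minimal Unicode LNK (constructed fixture, not a real sample)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20,            # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, 0,   # three timestamps, FileSize, IconIndex
                         7,               # ShowCommand SW_SHOWMINNOACTIVE
                         0, 0, 0, 0)      # HotKey, Reserved1..3
    def sd(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments)


# Constructed stand-in for the encoded script: same shape as described above
# (a URL list walked until one answers) but it only prints, never downloads.
SAMPLE_URLS = ["http://example.invalid/wp-content/a/", "http://example.test/uploads/b/"]
SAMPLE_SCRIPT = ("$urls = '" + "','".join(SAMPLE_URLS) + "';"
                 "foreach ($u in $urls) { try { Write-Output $u; break } catch {} }")
SAMPLE_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "-w hidden -nop -enc " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    print(json.dumps(triage_lnk(data), indent=2))
```

Run it with a path to a quarantined .LNK (or with no argument to see the constructed fixture); the URLs it prints are what you would feed into proxy and DNS blocklists, and a `powershell` target combined with an `-enc` argument is the pairing worth alerting on in an EDR or mail-gateway rule.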

Indicators of Compromise (IOCs) observed at the time of writing, including hashes of the .LNK files, payload URLs, and command-and-control IP addresses that can be blocked, can be found here:
