Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts analyzed the distribution technique used in a recent Emotet campaign

ESET analyzed the distribution technique used by cyber criminals in new Emotet campaign that has recently affected various countries in Latin America. In November, experts from ESET uncovered a massive spam campaign that was distributing the Emotet malware. The campaign targeted several users in some Latin American countries and ESET shared details on the propagation used […]

ArchivoDoc emotet 2

ESET analyzed the distribution technique used by cyber criminals in new Emotet campaign that has recently affected various countries in Latin America.

In November, experts from ESET uncovered a massive spam campaign that was distributing the Emotet malware. The campaign targeted several users in some Latin American countries and ESET shared details on the propagation used in this campaign.

Unlike past campaigns, attackers used a downloader incorporated into an Office file-

“In recent years we have seen how cybercriminals have taken advantage of the Microsoft Office suite to propagate their threats, from simple macros embedded in files to the exploitation of vulnerabilities. On this occasion though, the implementation is a little unusual, consisting of a downloader incorporated into an Office file.” reads the analysis published by ESET.

“This caused confusion among many users, who asked us to explain how the threat works.”

The attack begins with an email message with a weaponized document that once opened will ask the victim to enable macros using social engineering tricks.

The trick used by the crooks in this campaign has unusual features, for example, the macro does not seem to be one of those known macros that attempt to connect to a website to download some malicious content.

The macro includes a function is to read text from an “all-but-imperceptible object in the page“. In the top-left of the page, there is very small, square, solid, black box that could be expanded to see the content.

emotet 2

The text box contains a “cmd” command that executes a PowerShell script that tries to connect to five sites and then download and obfuscated variant of Emotet.

Once the payload is executed, it will gain persistence on the computer and connects to the C&C server. The payload could also download and execute additional components of the malware or other payloads to carry out other malicous activities,

The malware could steal credentials, make lateral movements, harvest sensitive information, carry out port forwarding, and other operations.

“Though not at all a new technique, this small change in the way Emotet’s action is hidden within the Word file demonstrates how sneaky cybercriminals can be when it comes to concealing their malicious activity and trying to compromise user information. ” concludes ESET.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Emotet, malware)

[adrotate banner=”5″] [adrotate banner=”13″]