The operators of Emotet, one of the world’s most dangerous malware variants, have moved away from using Microsoft Office macros for distribution, and towards Windows shortcut files (.lnk).
As per a BleepingComputer report, cybersecurity researchers have observed Emotet using PowerShell commands attached to the .lnk file to download and run a malicious script on the target endpoint (opens in new tab).
The script is said to be relatively well hidden, not showing in the file’s properties, under “Target”.
Disabling macros
The shortcut file carries URLs for “several” compromised websites that store the malicious PowerShell script. If a victim runs the shortcut file, and the website still hosts the malware, it will download it to the system’s Temp folder with a random name, and then run it using regsvr32.exe.
Cybersecurity researchers from ESET are claiming that Emotet’s new distribution method works best in Mexico, Italy, Japan, Turkey, and Canada.
Emotet was forced into abandoning macros after Microsoft made it impossible for users of Word, Excel, Access, PowerPoint, and Visio, to run any VBA macros in “untrusted” documents.
In an announcement made in early February this year, it was said that all files shared from outside the company network will be deemed “untrusted”, meaning all files coming from the same domain should still be able to keep their macros.
> Emotet might be gone – but malware is here to stay (opens in new tab)
> Microsoft Office is finally making this vital security change across Excel, Word and more (opens in new tab)
> Microsoft to disable old-school macros to shield users from attacks (opens in new tab)
Macros are a big deal, for both businesses, and cybercriminals. They are usually used to automate various tasks, such as importing or updating data coming from third-party sources. But the problem is that they can easily be abused by malicious actors to distribute ransomware (opens in new tab), malware, steal sensitive data, or for other nefarious deeds.
For years, criminal groups have been sharing macro-powered malicious Office documents, preying on gullible or exhausted workers. Payment receipts, warnings of failed payments, job offers, Covid-19 and vaccine information, are just some of the document types crooks would share to have people run macros and infect their endpoints with viruses.
Via BleepingComputer (opens in new tab)