Hackers have found a sneaky new way to infect Windows devices

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

The operators of Emotet, one of the world’s most dangerous malware variants, have moved away from using Microsoft Office macros for distribution, and towards Windows shortcut files (.lnk).

As per a BleepingComputer report, cybersecurity researchers have observed Emotet using PowerShell commands attached to the .lnk file to download and run a malicious script on the target endpoint

The script is said to be relatively well hidden, not showing in the file’s properties, under “Target”.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Disabling macros

The shortcut file carries URLs for “several” compromised websites that store the malicious PowerShell script. If a victim runs the shortcut file, and the website still hosts the malware, it will download it to the system’s Temp folder with a random name, and then run it using regsvr32.exe.

Cybersecurity researchers from ESET are claiming that Emotet’s new distribution method works best in Mexico, Italy, Japan, Turkey, and Canada. 

Emotet was forced into abandoning macros after Microsoft made it impossible for users of Word, Excel, Access, PowerPoint, and Visio, to run any VBA macros in “untrusted” documents.

In an announcement made in early February this year, it was said that all files shared from outside the company network will be deemed “untrusted”, meaning all files coming from the same domain should still be able to keep their macros.

Macros are a big deal, for both businesses, and cybercriminals. They are usually used to automate various tasks, such as importing or updating data coming from third-party sources. But the problem is that they can easily be abused by malicious actors to distribute ransomware, malware, steal sensitive data, or for other nefarious deeds.

For years, criminal groups have been sharing macro-powered malicious Office documents, preying on gullible or exhausted workers. Payment receipts, warnings of failed payments, job offers, Covid-19 and vaccine information, are just some of the document types crooks would share to have people run macros and infect their endpoints with viruses.

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.