Newly Discovered Emotet Campaign Spreads Malware Through PowerShell Commands
Cybersecurity researchers have discovered that threat actors are testing new attack techniques to distribute malware. The latest version of the highly sophisticated Emotet botnet uses PowerShell commands embedded in XLL files to target Windows PCs.
Emotet is an advanced Trojan that is primarily used to spread malware via phishing emails on compromised Windows systems. It was widely used as a backdoor to distribute ransomware before a global law enforcement operation shut down the servers in January 2021. The Emotet botnet reemerged in November with a massive email campaign aimed at thousands of customers worldwide.
According to security researchers at Proofpoint, the attackers are now using compromised email accounts to send phishing emails. These emails carry catchy subject lines (such as "Salary") that entice the recipient to open them. The email body contains a OneDrive URL hosting zip archives, which in turn contain Microsoft Excel Add-in (XLL) files. Once the recipient opens the XLL file and runs the Emotet payload, the Windows machine is infected with malware.
Emotet campaigns are moving away from VBA macros
Unlike previous Emotet attacks, the latest campaign uses XLL files containing PowerShell commands rather than Visual Basic for Applications (VBA) scripts. This change follows Microsoft's announcement of its plans to block VBA macros by default across its products in April 2022. The Redmond giant says that this move should help protect customers from phishing attacks.
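On the endpoint, the lure described above produces a telling parent/child relationship: Excel opening an XLL and then spawning PowerShell. The following detection logic is an added example, not code from the article or from Proofpoint; it runs over constructed Sysmon-style process-creation records (field names and paths are assumptions) and, going slightly beyond the page, also flags other Office applications spawning other script hosts.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (not real telemetry);
# the -enc argument is a placeholder, not a real encoded command.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_cmd": r'"EXCEL.EXE" "C:\Users\alice\Downloads\Salary\Salary.xll"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_cmd": r'"EXCEL.EXE" "C:\Users\alice\Documents\budget.xlsx"',
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c dir"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts abbreviated switches, so match the common prefixes.
ENCODED = re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s")
HIDDEN = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")


def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent not in OFFICE_APPS or child not in SHELLS:
        return "none"
    # An Office application spawning a shell is suspicious on its own;
    # an XLL add-in as the opened document, or a hidden/encoded child,
    # raises it to high severity.
    severity = "medium"
    if ".xll" in event["parent_cmd"].lower():
        severity = "high"
    if ENCODED.search(event["cmd"]) or HIDDEN.search(event["cmd"]):
        severity = "high"
    return severity


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, child command line) for every flagged event."""
    return [(classify(e), e["cmd"]) for e in events if classify(e) != "none"]
```

Run against the sample, the XLL-launched PowerShell is reported as high severity and the Excel-spawned cmd.exe as medium, while the scheduled backup script is left alone.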
“After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns,” explained Sherrod DeGrippo, VP of threat research and detection at Proofpoint.
Cybersecurity researchers have advised organizations to raise awareness among employees of these new phishing techniques. It is also recommended that organizations run simulated phishing attacks and train employees in cybersecurity.