Home Technology

Emotet Pivots From Office Macros to OneDrive URLs and PowerShell, Security Researchers Warn – TechDecisions

My TechDecisions
April 27, 2022 Leave a Comment
Notorious botnet Emotet is reportedly testing out new attack methods that bypass new Microsoft protections against Macros in Office documents and leverage OneDrive URLs and PowerShell.
The Emotet botnet began its reemergence in November 2021 after its January 2021 takedown by a multinational coalition of law enforcement, with the group associated with the botnet targeting “thousands of customers with tens of thousands of messages in multiple geographic regions,” with some message volumes reaching over 1 million per campaign, according to cybersecurity firm Proofpoint. However, the newly discovered Emotet activity suggests that the Emotet group is testing new techniques on a smaller scale and in a more selective, targeted nature— a departure from its typical massive scale email campaigns.
According to Proofpoint, the firm detected a low volume of emails distributing the Emotet malware via compromised sender emails not sent by the Emotet spam module. Email subject lines contained one word, such as “Salary” with bodies containing only OneDrive URLs that hosted zip files containing Microsoft Excel Add-in (XLL) files.
In its analysis of the newly discovered campaign, Proofpoint says the zip archives and XLL files used the same lures as the email subject lines, with one archive containing four copies of the same XLL file with names such as “ “Salary_and_bonuses-04.01.2022.xll.” When those files are executed, they drop and run Emotet, leveraging the Epoch 4 botnet.
The low-volume nature of the activity, the use of OneDrive URLs and XLL files set this campaign apart from historic Emotet campaigns marked by a high volume of emails and Microsoft Office documents containing VBA or XL4 macros.
Microsoft in February announced that it would be disabling VBA macros for Office apps by default to help prevent malware deployments to unwitting end users, covering Access, Excel, PowerPoint, Visio and Word on Windows devices. Those changes began rolling out earlier this month.
With Office macros no longer a reliable distribution vehicle for malware, this new Emotet campaign suggests that threat actors are adapting their techniques and finding new ways to attack victims.
Proofpoint says this low-volume campaign began during a quiet period for Emotet earlier this month, using a break from its high-volume campaigns to test this new attack vector and others.
Also this week, security researchers have discovered another new Emotet attack vector that uses PowerShell in LNK attachments instead of Office macros.
According to Slovakia-based cybersecurity company ESET, if a victim is tricked into downloading and running the attachment, the Emotet binary (.DLL) is downloaded and executed.
#BREAKING Another day at #ESETresearch, another #Emotet campaign with a new technique. Instead of the usual Office macros, operators use PowerShell in LNK attachments – filename “form.lnk”. If the victim runs the file, Emotet binary (.DLL) is downloaded and executed. 1/4 pic.twitter.com/iLzFl5t8M5
— ESET research (@ESETresearch) April 26, 2022

The role of the IT professional has shifted from one that supports the business to one that is deserving of a seat at the table when it comes to making business decisions. Check out our new report to see what your peers in IT think about top concerns and opportunities in 2022.
Your email address will not be published.

document.getElementById( “ak_js_1” ).setAttribute( “value”, ( new Date() ).getTime() );
The role of the IT professional has shifted from one that supports the business to one that is deserving of a seat at the table when it comes to ma…
Many of us have been working in a hybrid environment for two years now. Our editors thought this would be a good time to take a look at what’s work…
Here are 10 cloud, data and security certifications that we identify as critical to an IT professional’s resume in 2022 and beyond, according to a …
Learn More About the
Windows Collaboration Display

Get the latest news about AV integrators and Security installers from our sister publications:
Commercial IntegratorSecurity Sales
FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets
Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.
© 2022 Emerald X, LLC. All rights reserved.


Previous articleCrypto casinos: How bitcoin opened up a new online gambling world – NBC News
Next articleApple Watch Series 7 review: Time for a minor upgrade – Ars Technica