The Emotet botnet, known for its innovative tricks and tactics, is once again in the news with a new one-click attack technique that leverages self-extracting RAR files.
What has happened?
Trustwave researchers identified an increase in threats packaged in password-protected ZIP files. Emotet is one of the major distributors of these malicious packages, delivering about 96% of them using an innovative trick.
The new trick
In the latest attack wave, attackers are using invoice-themed phishing lures with password-protected archive files.
These files contain a nested self-extracting (SFX) archive that acts as a conduit to launch the second stage. Only a single click is required, and no password input is needed to compromise a target.
One such SFX archive was observed using a PDF or Excel icon to appear legitimate; it contains components such as a batch file, a RAR SFX archive, and image or PDF files.
Further, these files are used to drop CoinMiner and Quasar RAT on compromised systems.
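As an added defender-side illustration (not code from the original article or from Trustwave), the following Python triage helper flags the two file traits described above: a ZIP whose entries carry the encryption flag, and an executable with a RAR archive appended, which is the layout of a RAR SFX. The function names and sample bytes are my own constructions; the ZIP and RAR magic values are the real format constants.

```python
import struct
import zlib

RAR_SIGS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4 / RAR5 magic
ZIP_LOCAL_HDR = b"PK\x03\x04"  # ZIP local file header magic

def zip_has_encrypted_entries(data: bytes) -> bool:
    """Walk ZIP local file headers; bit 0 of the general-purpose flag
    (offset 6) marks an entry as password-protected."""
    off = 0
    while True:
        off = data.find(ZIP_LOCAL_HDR, off)
        if off < 0 or off + 30 > len(data):
            return False
        flags = struct.unpack_from("<H", data, off + 6)[0]
        if flags & 0x0001:
            return True
        comp_size = struct.unpack_from("<I", data, off + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
        off += 30 + name_len + extra_len + comp_size  # skip to next header

def looks_like_rar_sfx(data: bytes) -> bool:
    """A RAR SFX is a PE executable (MZ stub) with a RAR archive appended
    after the extractor code, so flag files carrying both markers."""
    return data.startswith(b"MZ") and any(s in data[2:] for s in RAR_SIGS)

def triage(data: bytes) -> list:
    """List the traits found so a gateway or sandbox can route the
    attachment for closer inspection instead of passing it through."""
    findings = []
    if data.startswith(ZIP_LOCAL_HDR) and zip_has_encrypted_entries(data):
        findings.append("password-protected zip entry")
    if looks_like_rar_sfx(data):
        findings.append("rar sfx executable")
    return findings

def _zip_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Build one stored (method 0) local header plus data for the samples."""
    hdr = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_HDR, 20, 1 if encrypted else 0,
                      0, 0, 0, zlib.crc32(payload), len(payload), len(payload),
                      len(name), 0)
    return hdr + name + payload

# Constructed samples, not real malware: a minimal ZIP fragment whose only
# entry is flagged encrypted, a plain one, and a fake MZ stub with a RAR4
# signature appended to mimic the nested SFX layout.
SAMPLE_ENCRYPTED_ZIP = _zip_entry(b"invoice.exe", b"\x00" * 16, True)
SAMPLE_PLAIN_ZIP = _zip_entry(b"readme.txt", b"hello", False)
SAMPLE_SFX = b"MZ" + b"\x90" * 62 + RAR_SIGS[0] + b"\x00" * 8
```

A real deployment would run these checks recursively on every extracted member, since the trick relies on nesting one archive inside another.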
Payload details
CoinMiner is a cryptocurrency miner that can also double as a credential stealer. It uses Windows Management Instrumentation (WMI) to gather hardware information and the antivirus products installed on the system, in order to evade sandboxes and hinder analysis.
The other payload, Quasar RAT, is an open-source .NET-based RAT with powerful capabilities. It uses the threat actor's domain and a free dynamic DNS domain to reach its C2 server.
Conclusion
Password-protected files are difficult to scan for their contents and therefore pose a risk to end users. Adoption of this tactic by Emotet, at such a massive scale, is a clear red flag for end users as well as security professionals. This new attack tactic further allows threat actors to perform a multitude of attacks such as cryptojacking, data theft, ransomware, and others.