Emotet recently launched a new email campaign that included a bug preventing people from becoming infected when they opened malicious email attachments. This occurred as the threat actors behind Emotet started testing new ways to deliver their malicious payloads.
This new campaign included password-protected ZIP file attachments containing Windows LNK (shortcut) files pretending to be Word documents. When the LNK file was executed, a fndstr.exe command would be executed that would search the shortcut file for a particular string. This string contains Visual Basic Script (VBS) code that would then be appended to a new VBS file and executed. However, the command to search for the string was set to search an LNK file named “Password2.doc.lnk” which may not have been the name of the LNK file that was included in the ZIP file. This would then cause the command to fail, which in turn would prevent the full infection chain from running on the system. This error likely occurred due to the threat actors hardcoding the filename within the command, while using various templated names for the actual LNK file being sent to victims.
This issue has now been fixed by the Emotet threat actors, with the shortcuts now referencing the correct filenames when the command is executed. This allows the VBS files to be created and executed successfully, which continues the infection chain to the final Emotet payload.
While threat actors do sometimes make mistakes when creating their malicious payloads, they are usually fixed very quickly. Due to this, it is important to have appropriate prevention and detection mechanisms in place to prevent the payloads from executing properly. It is highly recommended to prevent LNK files and, if possible, password-protected ZIP files from being received as attachments in emails. This can be achieved by using appropriate email security controls that have the capability to apply content filtering policies on inbound emails. Likewise, it is recommended to maintain appropriate endpoint security controls that can help detect or prevent certain malicious behavior. Preventing VBS files from being executed in the Temp directory, for example, will go a long way in helping stop many different types of malware. In cases where prevention may not be possible, having appropriate logging and detection can help alert an organization to an infection. Activity like cmd.exe launching a findstr.exe command that outputs to a VBS file, wscript.exe launching a randomly named VBS file out of the Temp directory, and wscript.exe making outbound network connections can all be detected and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.