Emotet recently launched a new email campaign that included a bug preventing people from becoming infected when they opened malicious email attachments. This occurred as the threat actors behind Emotet started testing new ways to deliver their malicious payloads.
This new campaign used password-protected ZIP attachments containing Windows LNK (shortcut) files disguised as Word documents. When the LNK file was opened, it ran a findstr.exe command that searched the shortcut file itself for a particular marker string. The matching line contains Visual Basic Script (VBS) code, which the command wrote out to a new VBS file and then executed. However, the findstr command was hardcoded to search an LNK file named "Password2.doc.lnk", which was not necessarily the name of the LNK file actually included in the ZIP. When the names did not match, findstr could not find its target and the command failed, so the rest of the infection chain never ran. This error most likely occurred because the threat actors hardcoded the filename inside the command while using a variety of templated names for the LNK files sent to victims.
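The following is an added example (not code from the article or from Emotet itself) that models the stager described above: a command line that points findstr at the shortcut, pulls out the line carrying the embedded VBS, and redirects it to a new file. It also shows why the hardcoded filename broke the chain, and includes a simple triage check for this command shape. The marker string, filenames, command lines and the stand-in LNK bytes are all constructed for the demonstration; real LNK files are binary Shell Link structures and real findstr regex semantics are more limited than Python's.

```python
import re

# Constructed marker that prefixes the VBS line inside the shortcut (assumption,
# not the real campaign's string).
MARKER = "ZZMARKER"
# Constructed, benign stand-in for the embedded VBS stage.
SAMPLE_VBS = 'MsgBox "stage two would run here"'
# Templated attachment name that actually lands in the ZIP (constructed).
ATTACHMENT_NAME = "Invoice.doc.lnk"

# Constructed command lines: the first hardcodes a filename that does not match
# the shipped attachment (the bug described in the article); the second
# references the attachment's real name.
BUGGY_CMD = r'cmd.exe /c findstr "ZZMARKER.*" Password2.doc.lnk > "%tmp%\stage.vbs" & "%tmp%\stage.vbs"'
FIXED_CMD = r'cmd.exe /c findstr "ZZMARKER.*" Invoice.doc.lnk > "%tmp%\stage.vbs" & "%tmp%\stage.vbs"'


def build_lnk_bytes(marker: str, vbs_payload: str) -> bytes:
    """Build a stand-in for the shortcut file: a fixed opaque header (starting
    with the Shell Link header size 0x4C) followed by the marker-prefixed VBS
    line. Only the "searchable text appended to a binary file" property matters."""
    header = b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 24 + b"\r\n"
    return header + (marker + vbs_payload).encode("ascii") + b"\r\n"


# Directory contents as the victim would see them: name -> file bytes.
ATTACHMENT = {ATTACHMENT_NAME: build_lnk_bytes(MARKER, SAMPLE_VBS)}


def parse_findstr_command(cmdline: str):
    """Return (search pattern, target filename) from a findstr-based stager
    command line, or None if the line does not invoke findstr that way."""
    m = re.search(
        r'findstr(?:\.exe)?\s+(?:/\S+\s+)*"([^"]+)"\s+"?([^\s">]+)"?',
        cmdline,
        re.IGNORECASE,
    )
    if not m:
        return None
    return m.group(1), m.group(2)


def simulate_stager(cmdline: str, files: dict) -> dict:
    """Mimic what the command does in a directory holding `files`: a missing
    target makes findstr fail (chain stops); otherwise the first line matching
    the pattern is what gets redirected into the new .vbs file."""
    parsed = parse_findstr_command(cmdline)
    if parsed is None:
        return {"status": "not_findstr"}
    pattern, target = parsed
    if target not in files:
        # This is the failure mode from the buggy campaign: the hardcoded
        # filename does not exist next to the shortcut the victim opened.
        return {"status": "file_not_found", "target": target}
    regex = re.compile(pattern.encode("ascii"))
    matches = [ln for ln in files[target].split(b"\r\n") if regex.search(ln)]
    if not matches:
        return {"status": "no_match", "target": target}
    return {
        "status": "extracted",
        "target": target,
        "vbs": matches[0].decode("ascii", errors="replace"),
    }


def is_suspicious_lnk_command(cmdline: str) -> bool:
    """Triage heuristic: findstr reading a .lnk file and redirecting its output
    into a .vbs file is the stager shape described in the article. Normal use of
    findstr on logs or text files does not look like this."""
    parsed = parse_findstr_command(cmdline)
    if parsed is None:
        return False
    _, target = parsed
    redirect = re.search(r'>\s*"?([^"&]+?)"?\s*(?:&|$)', cmdline)
    return (
        target.lower().endswith(".lnk")
        and redirect is not None
        and redirect.group(1).strip().lower().endswith(".vbs")
    )


if __name__ == "__main__":
    print("buggy :", simulate_stager(BUGGY_CMD, ATTACHMENT))
    print("fixed :", simulate_stager(FIXED_CMD, ATTACHMENT))
    print("flag  :", is_suspicious_lnk_command(FIXED_CMD))
```

Running it shows the buggy command stopping at `file_not_found` while the corrected one extracts the marker-prefixed VBS line; the triage check flags both variants, since the failed attempt is still an attempted compromise worth investigating.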
This issue has now been fixed by the Emotet threat actors, with the shortcuts now referencing the correct filenames when the command is executed. This allows the VBS files to be created and executed successfully, which continues the infection chain to the final Emotet payload.