Home>Blog>The Hacker News Headlines>Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware
The Hacker News Headlines

Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware

The notorious Emotet botnet[1]
has been linked to a new wave of malspam campaigns that take
advantage of password-protected archive files to drop CoinMiner and
Quasar RAT on compromised systems.

In an attack chain[2]
detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP
file lure was found to contain a nested self-extracting (SFX)
archive, the first archive acting as a conduit to launch the
second.

While phishing attacks like these traditionally require
persuading the target into opening the attachment, the
cybersecurity company said the campaign sidesteps this hurdle by
making use of a batch file to automatically supply the password to
unlock the payload.

CyberSecurity

The first SFX archive file further makes use of either a PDF or
Excel icon to make it appear legitimate, when, in reality, it
contains three components: the password-protected second SFX RAR
file, the aforementioned batch script which launches the archive,
and a decoy PDF or image.

“The execution of the batch file leads to the installation of
the malware lurking within the password-protected RARsfx
[self-extracting RAR archive],” researchers Bernard Bautista and
Diana Lopera said in a Thursday write-up.

The batch script achieves this by specifying the archive’s
password and the destination folder to which the payload will be
extracted, in addition to launching a command to display the lure
document in an attempt to conceal the malicious activity.

Lastly, the infection culminates in the execution of CoinMiner,
a cryptocurrency miner that can also double up as a credential
stealer, or Quasar RAT[3], an open source
.NET-based remote access trojan[4], depending on the
payload packed in the archive.

CyberSecurity

The one-click attack technique is also notable in that it
effectively jumps past the password hurdle, enabling malicious
actors to carry out a wide range of actions such as cryptojacking,
data exfiltration, and ransomware.

Trustwave said it has identified an increase in threats packaged
in password-protected ZIP files, with about 96% of these being
distributed by the Emotet botnet.

“The self-extracting archive has been around for a long time and
eases file distribution among end users,” the researchers said.
“However, it poses a security risk since the file contents are not
easily verifiable, and it can run commands and executables
silently.”

References

  1. ^
    Emotet
    botnet     (thehackernews.com)
  2. ^
    attack
    chain     (www.trustwave.com)
  3. ^
    Quasar
    RAT     (malpedia.caad.fkie.fraunhofer.de)
  4. ^
    remote
    access trojan     (www.cisa.gov)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.