The infamous Emotet botnet has been linked to a brand new wave of malspam campaigns that reap the benefits of password-protected archive recordsdata to drop CoinMiner and Quasar RAT on compromised methods.
In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was discovered to comprise a nested self-extracting (SFX) archive, the primary archive appearing as a conduit to launch the second.
Whereas phishing assaults like these historically require persuading the goal into opening the attachment, the cybersecurity firm stated the marketing campaign sidesteps this hurdle by making use of a batch file to robotically provide the password to unlock the payload.
The primary SFX archive file additional makes use of both a PDF or Excel icon to make it seem respectable, when, in actuality, it incorporates three elements: the password-protected second SFX RAR file, the aforementioned batch script which launches the archive, and a decoy PDF or picture.
“The execution of the batch file results in the set up of the malware lurking inside the password-protected RARsfx [self-extracting RAR archive],” researchers Bernard Bautista and Diana Lopera stated in a Thursday write-up.
The batch script achieves this by specifying the archive’s password and the vacation spot folder to which the payload will likely be extracted, along with launching a command to show the lure doc in an try to hide the malicious exercise.
Lastly, the an infection culminates within the execution of CoinMiner, a cryptocurrency miner that may additionally double up as a credential stealer, or Quasar RAT, an open supply .NET-based remote access trojan, relying on the payload packed within the archive.
The one-click assault method can also be notable in that it successfully jumps previous the password hurdle, enabling malicious actors to hold out a variety of actions similar to cryptojacking, information exfiltration, and ransomware.
Trustwave stated it has recognized a rise in threats packaged in password-protected ZIP recordsdata, with about 96% of those being distributed by the Emotet botnet.
“The self-extracting archive has been round for a very long time and eases file distribution amongst finish customers,” the researchers stated. “Nevertheless, it poses a safety threat for the reason that file contents usually are not simply verifiable, and it could run instructions and executables silently.”