Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware


The infamous Emotet botnet has been linked to a new wave of malspam campaigns that leverage password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems.

In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, with the first archive acting as a conduit to launch the second.

While phishing attacks like these traditionally require persuading the target into opening the attachment, the cybersecurity company said the campaign sidesteps this hurdle by using a batch file to automatically supply the password that unlocks the payload.


The first SFX archive file further uses either a PDF or Excel icon to make it appear legitimate, when, in reality, it contains three components: the password-protected second SFX RAR file, the aforementioned batch script which launches that archive, and a decoy PDF or image.

“The execution of the batch file leads to the installation of the malware lurking inside the password-protected RARsfx [self-extracting RAR archive],” researchers Bernard Bautista and Diana Lopera said in a Thursday write-up.

The batch script achieves this by specifying the archive’s password and the destination folder to which the payload is to be extracted, along with launching a command to display the lure document in an attempt to hide the malicious activity.

Lastly, the infection culminates in the execution of CoinMiner, a cryptocurrency miner that can also double as a credential stealer, or Quasar RAT, an open source .NET-based remote access trojan, depending on the payload packed inside the archive.
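The chain above starts with a ZIP that carries an SFX RAR, which is simply a Windows executable stub with a RAR archive appended to it. The following triage script is an added example (not Trustwave's code) that inspects a ZIP attachment for that pattern without running anything inside it; the sample ZIP, file names and offsets are constructed for the demonstration.

```python
import io
import zipfile

# A self-extracting RAR is a Windows PE stub ("MZ" header) with a RAR archive
# appended to it, so the RAR signature shows up somewhere after the PE data.
PE_MAGIC = b"MZ"
RAR_MAGICS = (b"Rar!\x1a\x07\x00",      # RAR 1.5 - 4.x archive header
              b"Rar!\x1a\x07\x01\x00")  # RAR 5.x archive header
SCRIPT_EXTS = (".bat", ".cmd")


def find_sfx_rar(data: bytes) -> int:
    """Return the offset of the embedded RAR header, or -1 if data is not an SFX RAR."""
    if not data.startswith(PE_MAGIC):
        return -1  # a bare RAR or any other file type is not an SFX executable
    hits = [h for h in (data.find(m) for m in RAR_MAGICS) if h > 0]
    return min(hits) if hits else -1


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment's members; nothing is extracted to disk or executed."""
    report = {"sfx_rar": {}, "scripts": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(SCRIPT_EXTS):
                report["scripts"].append(name)  # driver script shipped in the container
                continue
            offset = find_sfx_rar(zf.read(name))
            if offset >= 0:
                report["sfx_rar"][name] = offset
    # An executable archive inside an "invoice" ZIP is enough to pull the message
    # for analysis; a batch script alongside it makes the verdict firmer.
    report["suspicious"] = bool(report["sfx_rar"]) or bool(report["scripts"])
    return report


def build_sample_zip() -> bytes:
    """Constructed sample: a fake PE stub with a RAR5 header glued on, plus a decoy PDF."""
    fake_sfx = PE_MAGIC + b"\x00" * 94 + RAR_MAGICS[1] + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0423.exe", fake_sfx)
        zf.writestr("Invoice.pdf", b"%PDF-1.4 constructed decoy")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The inner, password-protected SFX and its batch script live inside the outer RAR payload, so seeing past the first layer requires a RAR parser or a sandbox; this script only flags the outer container for that follow-up.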


The one-click attack technique is also notable in that it effectively jumps past the password hurdle, enabling malicious actors to carry out a wide range of actions such as cryptojacking, data exfiltration, and ransomware.

Trustwave said it has identified an increase in threats packaged in password-protected ZIP files, with about 96% of these being distributed by the Emotet botnet.

“The self-extracting archive has been around for a long time and eases file distribution among end users,” the researchers said. “However, it poses a security risk since the file contents are not easily verifiable, and it can run commands and executables silently.”
