Hard_Configurator Tools
Simple Windows Hardening
<blockquote data-quote="Andy Ful" data-source="post: 985880" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">SWH vs. Emotet campaign</span></strong></p><p><a href="https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/">https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/</a></p><p><a href="https://malwaretips.com/threads/emotet-malware-infects-users-again-after-fixing-broken-installer.113427">https://malwaretips.com/threads/emotet-malware-infects-users-again-after-fixing-broken-installer.113427</a></p><p><strong>Infection chain:</strong></p><p><span style="color: rgb(41, 105, 176)"><strong>Malspam (ZIP attachment or URL) ---> LNK dropped (with hidden VBScript code) ---> .vbs script created/executed ---></strong></span> <strong><span style="color: rgb(184, 49, 47)">script downloads the DLL (Emotet) and runs it via the Regsvr32 LOLBin</span></strong></p><p>The blue part of the attack is not malicious (but very suspicious) and is used to deliver the final malware (Emotet).</p><p>SWH will block this attack at the delivery stage by blocking shortcuts (LNK files) in the UserSpace. Even if the user whitelisted this shortcut, the .vbs script would be blocked in the UserSpace.</p><p>The attack would also be blocked at the delivery stage by the FirewallHardening tool, because outbound Internet connections for wscript.exe (the VBScript interpreter) are disabled.</p><p>The attack is interesting because when the user clicks the shortcut (LNK file) dropped to the disk, the CmdLine embedded in the shortcut performs some unusual actions:</p><ol> <li data-xf-list-type="ol">It reads the VBScript code embedded somewhere in the shortcut body;</li> <li data-xf-list-type="ol">It writes this code to a .vbs script;</li> <li data-xf-list-type="ol">It executes this script.</li> </ol><p>These actions are suspicious because a shortcut is usually used to run an executable located somewhere on the disk, not to read something embedded in the shortcut itself in order to create and execute scripting code.</p></blockquote>
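Detection logic for the chain in the post above, as an added example that is neither from the post nor from SWH/Hard_Configurator: it walks constructed process-creation events for the explorer.exe -> cmd.exe -> wscript.exe -> regsvr32.exe ancestry the post describes, and lists outbound connections made by the script host, which is the traffic the FirewallHardening wscript.exe rule drops. The event fields, pids, paths and addresses are assumptions (modelled on Sysmon-style process and network events), not values from the campaign.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:          # modelled on a process-creation event; field names assumed
    pid: int
    ppid: int
    image: str            # executable name, lower case
    cmdline: str

# Delivery chain from the post, parent first: image name plus a command-line test.
CHAIN = [
    ("explorer.exe", lambda c: True),          # user opens the dropped LNK
    ("cmd.exe",      lambda c: ".vbs" in c),   # LNK command line writes and starts the .vbs
    ("wscript.exe",  lambda c: ".vbs" in c),   # VBScript interpreter runs it
    ("regsvr32.exe", lambda c: ".dll" in c),   # LOLBin loads the downloaded DLL
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def ancestry(events, pid):
    """Process with the given pid and its ancestors, oldest first."""
    by_pid, chain = {e.pid: e for e in events}, []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]

def is_delivery_chain(events, pid):
    """True if the process and its three nearest ancestors match CHAIN in order."""
    tail = ancestry(events, pid)[-len(CHAIN):]
    return len(tail) == len(CHAIN) and all(
        e.image == img and test(e.cmdline.lower()) for e, (img, test) in zip(tail, CHAIN))

def find_delivery_chains(events):
    """PIDs of regsvr32.exe processes reached through the LNK -> .vbs chain."""
    return [e.pid for e in events if e.image == "regsvr32.exe" and is_delivery_chain(events, e.pid)]

def script_host_outbound(net_events):
    """(pid, dest) of connections by wscript/cscript: exactly what the FirewallHardening rule blocks."""
    return [(pid, dest) for pid, image, dest in net_events if image in SCRIPT_HOSTS]

# Constructed sample telemetry; pids, paths and addresses are made up.
PROC_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe",      r"cmd /c <code read from the LNK> > %TEMP%\s.vbs & wscript %TEMP%\s.vbs"),
    ProcEvent(300, 200, "wscript.exe",  r"wscript %TEMP%\s.vbs"),
    ProcEvent(400, 300, "regsvr32.exe", r"regsvr32 %TEMP%\payload.dll"),
    ProcEvent(500, 100, "cmd.exe",      r"cmd /c wscript C:\Scripts\logon.vbs"),  # admin script, no regsvr32
    ProcEvent(600, 500, "wscript.exe",  r"wscript C:\Scripts\logon.vbs"),
]
NET_EVENTS = [(300, "wscript.exe", "203.0.113.5:80"), (400, "regsvr32.exe", "203.0.113.5:443")]
```

The benign logon-script events show the ancestry check stopping short of regsvr32.exe, while the connection check flags every wscript.exe connection regardless of intent, which is how the firewall rule behaves.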