Security News > 2022 > April > Emotet malware now installs via PowerShell in Windows shortcut files
The Emotet botnet is now using Windows shortcut files containing PowerShell commands to infect victims computers, moving away from Microsoft Office macros that are now disabled by default.
LNK files is not new, as the Emotet gang previously used them in a combination with Visual Basic Script code to build a command that downloads the payload. However, this is the first time that they utilized Windows shortcuts to directly execute PowerShell commands.
As the distributed shortcut files had a different name than the static one they were looking for, it would fail to create the VBS file correctly.
Today, security researchers noticed that Emotet switched to a new technique that uses PowerShell commands attached to the LNK file to download and execute a script on the infected computer.
This script generates and launches another PowerShell script that downloads the Emotet malware from a list of compromised sites and save it to the %Temp% folder.
Security researcher Max Malyutin says that along with using PowerShell in LNK files, this execution flow is new to Emotet malware deployment.
News URL
Related news
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)