Security News > 2022 > April > Emotet malware now installs via PowerShell in Windows shortcut files
The Emotet botnet is now using Windows shortcut files containing PowerShell commands to infect victims computers, moving away from Microsoft Office macros that are now disabled by default.
LNK files is not new, as the Emotet gang previously used them in a combination with Visual Basic Script code to build a command that downloads the payload. However, this is the first time that they utilized Windows shortcuts to directly execute PowerShell commands.
As the distributed shortcut files had a different name than the static one they were looking for, it would fail to create the VBS file correctly.
Today, security researchers noticed that Emotet switched to a new technique that uses PowerShell commands attached to the LNK file to download and execute a script on the infected computer.
This script generates and launches another PowerShell script that downloads the Emotet malware from a list of compromised sites and save it to the %Temp% folder.
Security researcher Max Malyutin says that along with using PowerShell in LNK files, this execution flow is new to Emotet malware deployment.
News URL
Related news
- Detecting Windows-based Malware Through Better Visibility (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Malicious PowerShell script pushing malware looks AI-written (source)
- Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware (source)
- Microsoft fixes Windows zero-day exploited in QakBot malware attacks (source)