How To Protect Your Network from the New Emotet Attack Abusing LNK File

Summary

Emotet is considered the most common as well as the most destructive and costly-to-remediate malware currently (1). It primarily spreads through phishing emails containing a malicious link or an infected document. Once the victims download the file or click on the link, additional malware is automatically downloaded onto their device and then multiplies within the enterprise network.

Despite its massive takedown in January 2021 thanks to international law enforcement and judicial authorities (1), Emotet continues to flourish and spread malware with more sophisticated tricks. One tactic, which we analyzed in our last blog, uses a Windows shortcut file (.LNK) containing PowerShell commands to download the Emotet payload onto the victim's device. The threat actors made this adaptation in response to the VBA protection launched by Microsoft.

In April 2022, a new Emotet campaign abusing zipped .LNK files was spotted in the wild. In this blog, we analyze this vector and demonstrate how you can prevent these types of malware with OPSWAT MetaDefender.

Emotet Infection Chain

The Emotet botnet operators start the attack with a spam email containing a password-protected malicious zip file with an embedded shortcut link file (.LNK). They abuse the shortcut file because it is hard for users to tell apart from a legitimate document: the file carries a document icon, and Windows hides the .LNK extension by default.

Right after the victims extract the zip file and execute the .LNK file, it drops a harmful Microsoft VBScript (Visual Basic Script) in the temporary folder on their device.

The dropped VBScript executes and downloads the Emotet payload from a remote server, saves the binary to Windows' temporary directory, and runs it using regsvr32.exe. Once a machine is infected, Emotet duplicates itself to spread to other computers in the network.
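As an added example (not OPSWAT's code and not from the original post), the following Python parser walks the string fields of a Shell Link (.LNK) file and flags the traits described above: a document-style name hiding the .lnk extension, a script-host target, hidden-window arguments, and an icon borrowed from another program. The regex patterns, field names and the constructed sample built by `build_sample_lnk` are assumptions of this example, not indicators taken from the campaign.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK header (offset 0x14); the StringData
# sections follow the header in this fixed order when their flag is set.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
SCRIPT_HOSTS = re.compile(r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|regsvr32|rundll32", re.I)
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-ep\s|bypass|\.vbs", re.I)

def parse_lnk_strings(data: bytes) -> dict:
    """Walk a Shell Link file and return its StringData fields."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & HAS_ID_LIST:       # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:
        if flags & bit:           # each string: 2-byte char count, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def lnk_findings(filename: str, data: bytes) -> list:
    """Return the reasons a .LNK looks like a document-disguised dropper."""
    f = parse_lnk_strings(data)
    target = f.get("relative_path", "") + " " + f.get("arguments", "")
    out = []
    if re.search(r"\.(docx?|xlsx?|pdf)\.lnk$", filename, re.I):
        out.append("double extension hides .lnk behind a document name")
    if SCRIPT_HOSTS.search(f.get("relative_path", "")):
        out.append("target is a script host: " + f["relative_path"])
    if EVASION.search(f.get("arguments", "")):
        out.append("arguments use hidden-window / bypass / script-file switches")
    icon = f.get("icon_location", "")
    if icon and not SCRIPT_HOSTS.search(icon) and SCRIPT_HOSTS.search(target):
        out.append("icon borrowed from another program: " + icon)
    return out

def build_sample_lnk(rel_path: str, args: str, icon: str) -> bytes:
    """Constructed test sample (hypothetical): a minimal header plus three strings."""
    flags = IS_UNICODE | 0x08 | 0x20 | 0x40
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args, icon))
    return hdr + body
```

Run `lnk_findings` over every .LNK extracted from an inbound archive; an empty list means none of the four traits was present, not that the file is safe.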

How to prevent Emotet and similar advanced attacks

There are a lot of recommendations and guidance from government agencies and cybersecurity experts across the globe to help users recognize and defend against sophisticated Emotet campaigns (2), such as:

• Do not open dubious email attachments or click on suspicious links in the body of the email.

• Make sure that your employees are sufficiently trained to identify suspicious email links and attachments.

• Keep your OS, applications, and security software up to date.

It is easy for you to comprehensively protect your organization from Emotet as well as other advanced evasive threats with OPSWAT Email Gateway Security and OPSWAT MetaDefender Core. Our market-leading Deep CDR (Content Disarm and Reconstruction) disables both known and unknown threats concealed inside files. Per our zero-trust philosophy, we assume all files entering your network are malicious, so we scan, sanitize, and rebuild every file before it reaches your users. All active content concealed in files is neutralized or removed, ensuring a threat-free environment for your organization.

The current Emotet threat is prevented as follows:

1. OPSWAT Email Gateway Security quarantines password-protected attachments.

2. To download the attachment, recipients need to provide the file's password to the quarantine system.

3. MetaDefender Core scans the file for known malware with our multiscanning solution called Metascan. As shown below, 11/16 engines successfully detected the threat.

4. MetaDefender Core extracts the attachment and recursively sanitizes every nested file using the Deep CDR engine. The result below shows that an object was found and removed.

During the sanitization process, Deep CDR replaced the malicious command of the .LNK file with dummy.txt to neutralize the threat.

5. Email Gateway Security releases the email with a threat-free attachment to users. Here's the scan result of the file after sanitization. No threat was detected.

6. The users can now unzip the attachment on their machine and extract the .LNK file without worrying about any safety issues. Even if users open the .LNK file, no malware will be downloaded because its malicious command has been replaced.

Learn more about OPSWAT Deep CDR or get in touch with us to discover the best security solutions to protect your corporate network and users from dangerous and complex cyberattacks.

Reference

(1) CyberNews. 2022. 'World’s most dangerous malware' Emotet disrupted. [online] Available at: <https://cybernews.com/news/worlds-most-dangerous-malware-emotet-disrupted>; [Accessed 9 June 2022].

(2) Ipa.go.jp. 2022. About emails aiming to infect users with the virus called "Emotet": IPA Information-technology Promotion Agency, Japan. [online] Available at: <https://www.ipa.go.jp/security/announce/20191202.html#L20%3E>; [Accessed 8 June 2022].
