The notorious Emotet botnet has been linked to a wave of new malware campaigns that utilize password-protected archive files to drop CoinMiner and Quasar RAT onto compromised systems.

and attack chain An invoice-themed ZIP file lure detected by Trustwave SpiderLabs researchers was found to contain a nested self-extracting (SFX) archive.

While such phishing attacks traditionally require the target to be persuaded to open the attachment, cybersecurity firms have reported that the campaign utilizes a batch file to automatically provide the password to unlock the payload. By providing it, it says it bypasses this hurdle.

cyber security

The first SFX archive file also uses a PDF or Excel icon to appear legitimate, but is actually a second password-protected SFX RAR file, the aforementioned batch script to launch the archive, and a decoy. PDF or image.

“Running the batch file installs malware hidden inside a password-protected RARsfx. [self-extracting RAR archive]said researchers Bernard Bautista and Diana Lopera in an article on Thursday.

The batch script accomplishes this by specifying the password for the archive and the folder where the payload should be extracted, as well as launching a command to display the lure document to hide the malicious activity.

Finally, the infection culminates in the execution of CoinMiner. CoinMiner is a cryptocurrency miner that can also steal credentials. Quasar RATopen source .NET based remote access trojandepending on the payload packed in the archive.

cyber security

One-click attack techniques are also notable for effectively bypassing password barriers, enabling malicious actors to perform a wide range of actions including cryptojacking, data exfiltration, and ransomware.

Trustwave has seen an increase in threats packaged in password-protected ZIP files, saying about 96% of them are distributed by the Emotet botnet.

“Self-extracting archives have been around for a long time, facilitating file distribution between end users,” said the researchers. “However, it poses a security risk because you cannot easily see the contents of the file and can run commands and executables in silent mode.”

cropped-BTA_Logo-B-1-scaled-1
YOUR FUTURE STARTS HERE.

BLUE TRAINING ACADEMY

Register now for our membership to gain access to our elite training program and fast forward your career today!

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

cropped-BTA_Logo-B-1-scaled-1
Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ยฉ๏ธ All rights reserved. | Blue Training Academy Blog