One Article Review
| Source |  Fortinet ThreatSignal |
|---|---|
| Identifiant | 8020780 |
| Date de publication | 2022-11-14 21:30:35 (vue: 2022-11-15 06:05:59) |
| Titre | Emotet Distributed Through U.S. Election Themed Link Files |
| Texte | FortiGuard Labs has discovered that Emotet was recently delivered through an archive file that has a file name targeting those interested in the U.S. midterm elections. The archive file is "US midterm elections The six races that could decide the US Senate.zip" that has a link file with the same name, which leads to Emotet.Why is this Significant?This is significant because Emotet is trying to leverage the interest of the U.S. midterm elections for infection. While FortiGuard Labs has not observed the infection vector, the file name "US midterm elections The six races that could decide the US Senate.zip" was likely distributed via emails. "The six races" likely refers to Arizona, Georgia, Michigan, Nevada, Pennsylvania, and Wisconsin where Democrats and Republican are expected to have close race in the elections, which gives better chance that recipients will open the archive contents. Emotets' modus operandi includes distribution via malicious spam campaigns and thread hijacking of emails.What's in "US midterm elections The six races that could decide the US Senate.zip"?The zip file contains a link file named "US midterm elections The six races that could decide the US Senate.lnk". When the link file is executed, it drops a further script in %tmp% that will attempt to cycle through several URLs to download a Emotet DLL.The downloaded Emotet connects to C2 server and will likely deliver additional malware.FortiGuard Labs discovered that the same script is present in other link files "New York Election news and updates....lnk" and "Amazon warns of slower sales as economy weakens.lnk" that were submitted to VirusTotal at the end of October and beginning of November respectively.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for the archive and link file involved in the attack:• LNK/Agent.AMY!tr.dldr• PossibleThreat.PALLAS.HC2 address is blocked by FortiGuard Webfiltering Client. |
| Envoyé | Oui |
| Condensat | additional address amazon amy archive are arizona attack:• attempt because beginning better blocked campaigns chance client close connects contains contents could cycle decide deliver delivered democrats discovered distributed distribution dldr• dll download downloaded drops economy election elections emails emotet emotets end executed expected file files following fortiguard further georgia gives has have hc2 hijacking includes infection interest interested involved labs leads leverage likely link lnk lnk/agent malicious malware michigan midterm modus name named nevada new news not november observed october open operandi other pallas pennsylvania possiblethreat present protection provides race races recently recipients refers republican respectively sales same script senate server several signatures significant six slower spam status submitted targeting themed those thread through tmp trying updates urls vector virustotal warns weakens webfiltering what when where which why will wisconsin york zip |
| Tags | Spam Guideline |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.