Emotet Distributed Through U.S. Election Themed Link Files

FortiGuard Labs has discovered that Emotet was recently delivered through an archive file that has a file name targeting those interested in the U.S. midterm elections. The archive file is “US midterm elections The six races that could decide the US Senate.zip” that has a link file with the same name, which leads to Emotet.Why is this Significant?This is significant because Emotet is trying to leverage the interest of the U.S. midterm elections for infection. While FortiGuard Labs has not observed the infection vector, the file name “US midterm elections The six races that could decide the US Senate.zip” was likely distributed via emails. “The six races” likely refers to Arizona, Georgia, Michigan, Nevada, Pennsylvania, and Wisconsin where Democrats and Republican are expected to have close race in the elections, which gives better chance that recipients will open the archive contents. Emotets’ modus operandi includes distribution via malicious spam campaigns and thread hijacking of emails.What’s in “US midterm elections The six races that could decide the US Senate.zip”?The zip file contains a link file named “US midterm elections The six races that could decide the US Senate.lnk”. When the link file is executed, it drops a further script in %tmp% that will attempt to cycle through several URLs to download a Emotet DLL.The downloaded Emotet connects to C2 server and will likely deliver additional malware.FortiGuard Labs discovered that the same script is present in other link files “New York Election news and updates….lnk” and “Amazon warns of slower sales as economy weakens.lnk” that were submitted to VirusTotal at the end of October and beginning of November respectively.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for the archive and link file involved in the attack:• LNK/Agent.AMY!tr.dldr• PossibleThreat.PALLAS.HC2 address is blocked by FortiGuard Webfiltering Client.

Read More