Emotet Downloader Document Uses Regsvr32 for Execution
July 28, 2022, 1 p.m. | EclecticIQ Threat Research Team
Security Boulevard securityboulevard.com
Executive Summary
This paper investigates a recent Emotet intrusion and details how the final Emotet payload is installed onto the system. The key observations are:
- Obfuscated Excel macros used to download and run the Emotet loader.
- Emotet loader executed using regsvr32.exe.
- Encrypted Emotet payload embedded in loader’s .rsrc section.
- Windows service used for Emotet payload persistence.
- Emotet continues to evolve delivery techniques and obfuscation to reduce detection.
Background
Emotet is a Windows-based malware loader operated by the cybercrime group TA542 …