Cyber Security News

Warning: New Emansrepo Malware Uses HTML Files to Target Windows Users

Emansrepo, a Python infostealer, is distributed via phishing emails containing fake purchase orders and invoices, where the attacker initially sent a phishing email with an HTML file redirecting to the Emansrepo download link. 

In recent months, the attack flow has become more complex, involving multiple stages and mailboxes.

The stolen data is compressed into a zip file and sent to the attacker’s email, which poses a significant threat to Microsoft Windows users as the stolen information can be used for future attacks.

The download link for Emansrepo is embedded in RTGS Invoices.html.

The phishing emails in all three chains use archive files (7z) to deliver malicious payloads, where Chain 1 uses a dropper disguised as a download page that triggers a fake download and redirects the user and then downloads a preconfigured Python information stealer.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Chain 2 employs a nested HTA file with a JavaScript core that decrypts and downloads a PowerShell script, similar to the AutoIt script in Chain 1, which downloads the same Python stealer but executes it through a batch file. 

While Chain 3 leverages a BatchShield-obfuscated batch file that downloads and runs a PowerShell script, ultimately leading to the information-stealing Python program. 

The obfuscated batch file

The Emansrepo is a Python infostealer that targets user information, text files, PDFs, browser extensions, crypto wallets, game platform data, and cookies by stealing data in three parts:

Part 1 targets user information and text files (less than 0.2 MB) from the Desktop, Document, and Downloads folders.

It also steals login data, credit card information, web history, download history, and autofill data from various browsers.

Part 2 targets PDF files (less than 0.1 MB) from Desktop, Document, Downloads, and Recents folders and compresses folders of browser extensions, crypto wallets, and game platforms into zip files, while Part 3 targets cookies from browsers and zips them into {process_name}_cookies.zip. 

The content of Saved_Passwords.txt

The recent discovery of a new Remcos malware campaign using a phishing email with a malicious DBatLoader attachment highlights a similar attack pattern to the previously identified Python infostealer. 

Both campaigns share identical email content but employ distinct malware distribution methods.

While the Python infostealer involved a more complex attack flow, the Remcos campaign relies on a simpler approach, where the malicious attachment directly downloads and decrypts the Remcos payload, which is further protected by a packer.

Left: the email for the Python infostealer. Right: The email for Remcos.

Emansrepo, a persistent threat actor, has been actively targeting organizations since November.

Its attack methods are constantly evolving, utilizing a variety of techniques and malware. 

According to FortiGuard, given the dynamic nature of these attacks, it’s crucial for organizations to remain vigilant about cybersecurity.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

4 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

4 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

4 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

4 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

4 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

4 hours ago