Warning: New Emansrepo Malware Uses HTML Files to Target Windows Users

Emansrepo, a Python infostealer, is distributed via phishing emails containing fake purchase orders and invoices, where the attacker initially sent a phishing email with an HTML file redirecting to the Emansrepo download link. 

In recent months, the attack flow has become more complex, involving multiple stages and mailboxes.

The stolen data is compressed into a zip file and sent to the attacker’s email, which poses a significant threat to Microsoft Windows users as the stolen information can be used for future attacks.

The phishing emails in all three chains use archive files (7z) to deliver malicious payloads, where Chain 1 uses a dropper disguised as a download page that triggers a fake download and redirects the user and then downloads a preconfigured Python information stealer.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Chain 2 employs a nested HTA file with a JavaScript core that decrypts and downloads a PowerShell script, similar to the AutoIt script in Chain 1, which downloads the same Python stealer but executes it through a batch file. 

While Chain 3 leverages a BatchShield-obfuscated batch file that downloads and runs a PowerShell script, ultimately leading to the information-stealing Python program. 

The Emansrepo is a Python infostealer that targets user information, text files, PDFs, browser extensions, crypto wallets, game platform data, and cookies by stealing data in three parts:

Part 1 targets user information and text files (less than 0.2 MB) from the Desktop, Document, and Downloads folders.

It also steals login data, credit card information, web history, download history, and autofill data from various browsers.

Part 2 targets PDF files (less than 0.1 MB) from Desktop, Document, Downloads, and Recents folders and compresses folders of browser extensions, crypto wallets, and game platforms into zip files, while Part 3 targets cookies from browsers and zips them into {process_name}_cookies.zip. 

The recent discovery of a new Remcos malware campaign using a phishing email with a malicious DBatLoader attachment highlights a similar attack pattern to the previously identified Python infostealer. 

Both campaigns share identical email content but employ distinct malware distribution methods.

While the Python infostealer involved a more complex attack flow, the Remcos campaign relies on a simpler approach, where the malicious attachment directly downloads and decrypts the Remcos payload, which is further protected by a packer.

Emansrepo, a persistent threat actor, has been actively targeting organizations since November.

Its attack methods are constantly evolving, utilizing a variety of techniques and malware. 

According to FortiGuard, given the dynamic nature of these attacks, it’s crucial for organizations to remain vigilant about cybersecurity.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!