Saturday, September 7, 2024
HomeMalwareEmotet Malware Mass Attack Drops Nozelesn Ransomware on Enterprise Endpoint Systems...

Emotet Malware Mass Attack Drops Nozelesn Ransomware on Enterprise Endpoint Systems Via Word Documents

Published on

A new wave of Emotet malware campaign distribute the Nozelesn ransomware that targets hospitality industries based endpoint systems via malicious word documents.

Telemetry had over 14,000 detections via emotet spam emails that are distributed all over the world between January 9, 2019, and February 7, 2019.

These mass infections mainly targeting specific countries including
Great Britain, Cyprus, Germany, Argentina, Canada and several locations in a different time period.

- Advertisement - EHA

Initially, this new campaign uncovered via Trend Micro’s managed detection and response (MDR) monitoring system where researchers able to discover nearly 580 similar Emotet file attachment samples.

Attackers using most common social engineering techniques in email such as “latest invoice,” “shipping details,” “wire sent out today,” and “urgent delivery to compromise victims to click the link or open the attached malicious documents.

In this case, spam emails contain an attached word document once the attachment is opened, a macro executes then eventually calls PowerShell to download another malware from a remote server.

In this case, spam emails contain an attached word document Once the attachment is opened, a macro executes then eventually calls PowerShell to download another malware from a remote server.

Learn: Complete Malware Analysis Course – Advance Malware Analyst Bundle

Emotet Malware Infection Process

During the investigation process, researchers discovered a suspicious file called “How_Fix_Nozelesn_files.htm” in the endpoint (server) where they were also find an indication of a Nozelesn ransomware infection.

Further root cause chain analysis revealed that the malicious document file was opened in Microsoft Word and was downloaded via Google Chrome.

Once the victims open the file, PowerShell.exe executes to connect with several IP address and create another file 942.exe.

According to Trend Micro analysis, “Based on its behavior, the malware may have been connecting to multiple IP addresses to download another malware which it will execute in the system. In this case, we noticed that it was also continuously downloading an update of itself, contacting a new set of command-and-control (C&C) servers each time.”

Later it drops the secondary payload which is very similar to with Nymaim that is linked with Nozelesn ransomware.

Finally, Nymaim loaded the Nozelesn ransomware into the infected system then encrypted files in the endpoint system (server) via shared folders.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Hackers Launching Weaponized Word Document to Push Emotet & Qakbot Malware

Hackers Drops New Emotet Malware to Perform Mass Email Exfiltration From Victims Email Client

Beware !! Worlds Most Active Malware Emotet Launching New Campaign With Malicious Word and PDF Attachments

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Fog Ransomware Now Targeting the Financial Sector; Adlumin Thwarts Attack

The Fog Ransomware group, known for targeting education and recreation sectors, has expanded its...

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is...