Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Recordsdata to Drop Malware

Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Recordsdata to Drop Malware


The infamous Emotet botnet has been linked to a brand new wave of malspam campaigns that make the most of password-protected archive information to drop CoinMiner and Quasar RAT on compromised programs.

In an assault chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was discovered to include a nested self-extracting (SFX) archive, the primary archive appearing as a conduit to launch the second.

Whereas phishing assaults like these historically require persuading the goal into opening the attachment, the cybersecurity firm mentioned the marketing campaign sidesteps this hurdle by making use of a batch file to routinely provide the password to unlock the payload.


The primary SFX archive file additional makes use of both a PDF or Excel icon to make it seem legit, when, in actuality, it comprises three parts: the password-protected second SFX RAR file, the aforementioned batch script which launches the archive, and a decoy PDF or picture.

“The execution of the batch file results in the set up of the malware lurking throughout the password-protected RARsfx [self-extracting RAR archive],” researchers Bernard Bautista and Diana Lopera mentioned in a Thursday write-up.

The batch script achieves this by specifying the archive’s password and the vacation spot folder to which the payload can be extracted, along with launching a command to show the lure doc in an try to hide the malicious exercise.

Lastly, the an infection culminates within the execution of CoinMiner, a cryptocurrency miner that may additionally double up as a credential stealer, or Quasar RAT, an open supply .NET-based distant entry trojan, relying on the payload packed within the archive.


The one-click assault method can also be notable in that it successfully jumps previous the password hurdle, enabling malicious actors to hold out a variety of actions reminiscent of cryptojacking, information exfiltration, and ransomware.

Trustwave mentioned it has recognized a rise in threats packaged in password-protected ZIP information, with about 96% of those being distributed by the Emotet botnet.

“The self-extracting archive has been round for a very long time and eases file distribution amongst finish customers,” the researchers mentioned. “Nonetheless, it poses a safety threat for the reason that file contents will not be simply verifiable, and it will possibly run instructions and executables silently.”