The new technique is a bit interesting and not terribly complex. Instead of their usual pivot via macros, or even via XLL, they are using .LNK files that are just links to PowerShell commands. The commands are obfuscated in a couple of ways, the first I by adding null characters to the LNK so the command is not visible in the properties window (like adding spaces and a double extension to a malicious binary [.]pdf [.]exe). The group has also moved to 64bit modules to ensure they are spreading the love around properly.

The command referenced in the LNK file appears to create a second PS script which then uses the Regsvr32.exe command to not only run the new script, but also to register a dll completing the infection. As previously reported, TA542 took a bit of a break after law enforcement went after their infrastructure. However, it is clear that the group is not finished as they have been observed ramping up new activities with new TTPs. Emotet is known to be part of follow-on campaigns for groups like Conti. The recent leak of messages from the Conti group confirms cooperation between the two groups.

Threat groups really never stop developing, they might not expose new techniques and tactics while the old ones still work, but they also always have fun stuff in their back pocket for when current campaigns fail. This means that organizations need to be better prepared to detect and counter threats, especially when they rapidly evolve during renewed operations. As with the XLL file attack, the risk of infection/compromise can be reduced though the use of behavior based anti-malware, security culture training, anti-phishing techniques and good URL inspection and blocking.