Emansrepo, a Python infostealer, is spread through phishing emails with fake purchase orders. The attack has evolved, now involving multiple stages. Stolen data is zipped and sent to the attacker, posing a significant threat to Windows users.
Emansrepo Malware
All three phishing chains use 7z archive files to deliver payloads. Chain 1 uses a dropper disguised as a download page, triggering a fake download that redirects the user and installs a preconfigured Python infostealer.
Chain 2 uses a nested HTA file with JavaScript to decrypt and download a PowerShell script, which, like Chain 1, installs the Python stealer via a batch file. Chain 3 uses a BatchShield-obfuscated batch file to download and run a PowerShell script, leading to the same Python infostealer.
Emansrepo is a Python infostealer that targets user data in three stages:
- Part 1: Steals user info and text files (under 0.2 MB) from the Desktop, Documents, and Downloads folders, as well as login data, credit card info, and browsing history from various browsers.
- Part 2: Targets PDF files (under 0.1 MB) and compresses browser extensions, crypto wallets, and game platform data into zip files.
- Part 3: Collects browser cookies, zipping them into `{process_name}_cookies.zip`.
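As an added example (not code from the FortiGuard report), a small hunting rule that flags the staging artifact described in Part 3: a Python interpreter writing a `<name>_cookies.zip` archive. The file-creation events, their field names, and the paths are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed file-creation events (shape loosely modelled on Sysmon Event ID 11
# or EDR file-write telemetry). Field names and paths are assumptions.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\chrome_cookies.zip"},
    {"process": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Temp\update.log"},
    {"process": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "path": r"C:\Users\u\Downloads\report.pdf"},
    {"process": r"C:\Program Files\7-Zip\7z.exe",
     "path": r"C:\Users\u\Documents\backup.zip"},
    {"process": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\edge_cookies.zip"},
]

# '<name>_cookies.zip' is the naming pattern the report gives for staged cookies.
COOKIE_ZIP = re.compile(r"[\\/]([A-Za-z0-9_-]+)_cookies\.zip$", re.IGNORECASE)
# The stealer is a Python script, so the writer should be a Python interpreter.
PYTHON_EXE = re.compile(r"[\\/](python|pythonw)(\d+)?\.exe$", re.IGNORECASE)


@dataclass
class Alert:
    process: str
    path: str
    reason: str


def detect_cookie_archives(events):
    """Return one Alert per event in which a Python interpreter created a
    '<name>_cookies.zip' file; benign zips and non-Python writers are ignored."""
    alerts = []
    for ev in events:
        if not PYTHON_EXE.search(ev["process"]):
            continue
        match = COOKIE_ZIP.search(ev["path"])
        if match:
            browser = match.group(1)
            alerts.append(Alert(ev["process"], ev["path"],
                                f"python wrote cookie archive for '{browser}'"))
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_archives(SAMPLE_EVENTS):
        print(alert)
```

The rule is intentionally narrow; pair it with the other staging behaviour the report describes (zips of extension, wallet and PDF data written by the same process) to reduce misses.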
A new Remcos malware campaign, using a phishing email with a malicious DBatLoader attachment, mirrors the attack pattern of the earlier Python infostealer.
Both share identical email content but differ in distribution methods. The Remcos campaign uses a simpler approach, directly downloading and decrypting the Remcos payload, protected by a packer.
The actor behind Emansrepo, active since November, continuously evolves its attack methods and malware. FortiGuard urges organizations to stay vigilant given the dynamic nature of these threats.