# Emotet malware now installs via PowerShell in Windows shortcut files

**[bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/](https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/)**

By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/), April 26, 2022 05:17 PM

The Emotet botnet is now using Windows shortcut files (.LNK) containing PowerShell commands to infect victims' computers, moving away from Microsoft Office macros, which are now disabled by default.

The use of .LNK files is not new: the Emotet gang previously used them in combination with Visual Basic Script (VBS) code to build a command that downloads the payload. However, this is the first time they have used Windows shortcuts to execute PowerShell commands directly.

## New technique after botched campaign

Last Friday, Emotet operators [pulled the plug on a phishing campaign because they botched](https://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/) their installer after using a static file name to reference the malicious .LNK shortcut.

Launching the shortcut would trigger a command that extracted a string of VBS code and added it to a VBS file to execute. However, because the distributed shortcut files had a different name than the static one the command looked for, it failed to create the VBS file correctly.

The gang fixed the problem yesterday. Today, security researchers noticed that Emotet switched to a new technique that uses PowerShell commands attached to the LNK file to download and execute a script on the infected computer.

The malicious string appended to the .LNK file is obfuscated and padded with nulls (blank space) so that it does not show in the Target field (the file the shortcut points to) of the file's Properties dialog box.
_(Image omitted; source: BleepingComputer)_

Emotet's malicious .LNK file includes URLs for several compromised websites used for storing the PowerShell script payload. If the script is present at one of the defined locations, it is downloaded to the system's temporary folder as a PowerShell script with a random name.

Below is the deobfuscated version of the malicious string Emotet attached to the .LNK payload:

_(Image omitted; source: BleepingComputer)_

This script generates and launches another PowerShell script that downloads the Emotet malware from a list of compromised sites and saves it to the %Temp% folder. The downloaded DLL is then executed using the regsvr32.exe command.

The PowerShell script is executed via the Regsvr32.exe command-line utility, and the chain ends with downloading and launching the Emotet malware.

[Security researcher Max Malyutin says](https://twitter.com/Max_Mal_/status/1518730615352401921) that, along with the use of PowerShell in LNK files, this execution flow is new to Emotet malware deployment.

## New technique on the rise

The Cryptolaemus researcher group, which closely monitors Emotet activity, notes that the new technique is a clear attempt by the threat actor to bypass defenses and automated detection.

Security researchers at cybersecurity company ESET also noticed that the use of the new Emotet technique has increased in the past 24 hours.

_(Image omitted; source: [ESET](https://twitter.com/ESETresearch/status/1518923380782739458))_

ESET's telemetry data shows that the countries most affected by Emotet via the new technique are Mexico, Italy, Japan, Turkey, and Canada.
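The padding trick described above is easy to check for from the defender's side, because the command-line arguments of a shortcut are stored in a fixed place inside the file. The following script is an added example, not code from the article or from any of the researchers it cites: it parses the header and string sections of a .LNK file according to the public [MS-SHLLINK] layout and flags arguments that are front-padded with whitespace or nulls, that invoke a script interpreter or regsvr32, or that are far longer than the Target field would ever show. The sample shortcut it inspects is constructed inline as a test fixture with an inert placeholder command; the padding threshold, the 260-character length bound and the interpreter list are assumptions chosen for this example, not values taken from the article.

```python
"""Offline triage of Windows shortcut (.LNK) files for front-padded command lines.

Added example, not from the BleepingComputer article. Field layout follows the
public [MS-SHLLINK] specification; thresholds and the interpreter list below are
assumptions chosen for this example.
"""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits ([MS-SHLLINK] 2.1.1) that decide which optional sections follow.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Assumed triage thresholds: 64 leading blanks is far more than any legitimate
# shortcut needs, and 260 characters is the usual Windows path limit.
PAD_THRESHOLD = 64
MAX_VISIBLE_ARGS = 260
INTERPRETERS = re.compile(r"\b(powershell|pwsh|regsvr32|rundll32|mshta|wscript|cscript)\b", re.I)


def build_shortcut(relative_path, arguments):
    """Construct a minimal Unicode .LNK with only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS StringData (no IDList, no LinkInfo). Test fixture only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LNK_CLSID.bytes_le, flags,
        0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # creation / access / write FILETIMEs left unset
        0, 0,        # FileSize, IconIndex
        1,           # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(text):
        # CountCharacters (UInt16) followed by UTF-16LE characters, no terminator.
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_shortcut(data):
    """Return the StringData fields of a shell link as a dict; raise on non-LNK input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, offset)
        offset += 2
        nbytes = count * 2 if unicode else count
        raw = data[offset:offset + nbytes]
        offset += nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def triage_shortcut(data):
    """Return (fields, findings); findings is a list of short tags, empty if clean."""
    fields = parse_shortcut(data)
    args = fields.get("arguments", "")
    findings = []
    padding = len(args) - len(args.lstrip(" \t\x00"))
    if padding >= PAD_THRESHOLD:
        findings.append(f"front_padding:{padding}")
    match = INTERPRETERS.search(args)
    if match:
        findings.append("interpreter:" + match.group(1).lower())
    if len(args) > MAX_VISIBLE_ARGS:
        findings.append("oversized_arguments")
    return fields, findings


if __name__ == "__main__":
    # Constructed sample: 300 spaces push an inert placeholder command out of view.
    sample = build_shortcut(r"..\Windows\System32\cmd.exe",
                            " " * 300 + "/c powershell -NoProfile -Command Write-Output CONSTRUCTED")
    fields, findings = triage_shortcut(sample)
    print(fields["relative_path"], findings)
```

Run against a directory of shortcuts, the `findings` tags give a quick first cut: a shortcut whose arguments are front-padded or longer than the dialog can display deserves a look regardless of which interpreter it names, while the interpreter tag alone is weaker evidence, since administrators do create PowerShell shortcuts.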
Apart from switching to PowerShell in .LNK files, the Emotet botnet operators have made a few other changes since they resumed activity at steadier levels in November, such as [moving to 64-bit modules](https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/).

The malware is typically used as a gateway for other malware, particularly ransomware threats like Conti.

[Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.