Emergence of Emmenhtal Loader Malware Identified in 2024
Quick take - The Emmenhtal Loader, a sophisticated malware loader identified in early 2024, employs advanced evasion techniques and legitimate Windows tools to deliver various strains of malware while complicating detection efforts for traditional security systems.
Fast Facts
- The Emmenhtal Loader, a sophisticated malware loader, emerged in early 2024 and employs advanced evasion techniques to deliver various malware strains.
- Identified malware types associated with the loader include Arechclient2, Lumma, Hijackloader, and Amadey; the loader uses LOLBAS techniques to leverage legitimate Windows tools.
- The infection process starts with a malicious LNK file that executes the HelpPane executable, triggering PowerShell to download an AES-encrypted payload from a remote server.
- Once installed, the malware enables data exfiltration and credential theft; the loader's ability to modify legitimate binaries and use multiple stages complicates detection efforts.
- ANY.RUN provides an interactive sandbox environment for analyzing such advanced malware, offering a 14-day free trial for users to safely observe malware behavior.
The Emergence of the Emmenhtal Loader
The Emmenhtal Loader, a sophisticated malware loader, emerged in early 2024. It utilizes advanced techniques to evade detection and deliver various strains of malware. Analysts from ANY.RUN have identified multiple associated malware types, including Arechclient2, Lumma, Hijackloader, and Amadey.
Techniques and Infection Process
The malware loader employs LOLBAS (Living Off the Land Binaries and Scripts) techniques, allowing it to leverage legitimate Windows tools for its activities. Tools such as HelpPane and PowerShell are used to carry out the malicious activity, which remains undetected by traditional security measures.
The infection process typically begins with a malicious LNK file that appears harmless. This file uses the forfiles command to locate and execute the HelpPane executable, a legitimate Windows component. Its execution triggers PowerShell, continuing the infection chain. PowerShell runs a command that calls Mshta to download an AES-encrypted payload from a remote server. Mshta decrypts and executes the payload, which contains further instructions for malicious actions.
Final Stages and Detection Challenges
Following this, PowerShell executes another AES-encrypted command that decrypts the Emmenhtal loader itself. The final stage involves launching a payload often referred to as Updater.exe, accompanied by a dynamically generated binary file name as an argument. Once successfully installed, the malware enables various harmful activities, including data exfiltration and credential theft.
The Emmenhtal Loader’s ability to conceal its operations complicates detection efforts. It modifies legitimate binaries and uses multiple stages involving HTA files and PowerShell scripts, making it challenging for traditional security systems to identify its activities effectively.
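Because each stage is a legitimate binary, the sequence of processes is a more useful hunting signal than any single one. The following Python code is an added example, not code from the original article or from ANY.RUN: it walks process-creation events and flags a lineage in which the stages named above appear in order. The event fields, PIDs and file paths are constructed, and it assumes each stage runs as a descendant of the previous one (other processes may sit in between).

```python
import ntpath

# Stage order taken from the article; matching on image name alone is an assumption.
STAGES = ["forfiles.exe", "helppane.exe", "powershell.exe", "mshta.exe", "powershell.exe"]

# Constructed process-creation events (pid, parent pid, image path); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\HelpPane.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 240, "ppid": 230, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 250, "ppid": 240, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 260, "ppid": 250, "image": r"C:\Users\Public\Updater.exe"},  # placeholder path
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\mshta.exe"},
]

def lineage(events, pid):
    """Return lower-cased image names from the oldest known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        names.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return names[::-1]

def stages_matched(names):
    """Count how many STAGES occur, in order, within a lineage (gaps allowed)."""
    i = 0
    for name in names:
        if i < len(STAGES) and name == STAGES[i]:
            i += 1
    return i

def find_chains(events, min_stages=4):
    """Return (pid, image, matched) for leaf processes whose lineage fits the chain."""
    parents = {e["ppid"] for e in events}
    hits = []
    for e in events:
        if e["pid"] in parents:
            continue  # score only leaves so each chain is reported once
        matched = stages_matched(lineage(events, e["pid"]))
        if matched >= min_stages:
            hits.append((e["pid"], ntpath.basename(e["image"]), matched))
    return hits

if __name__ == "__main__":
    for pid, image, matched in find_chains(EVENTS):
        print(f"pid={pid} image={image} stages_matched={matched}/{len(STAGES)}")
```

The PowerShell-to-Mshta pair under explorer.exe (PIDs 300 and 310) is not flagged, because the match has to start at the forfiles stage; lowering `min_stages` trades fewer misses for more noise.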
To facilitate the analysis of such advanced malware, ANY.RUN provides an interactive sandbox environment that allows users to safely observe and understand malware behavior. ANY.RUN also offers a 14-day free trial for users interested in researching malware activities in a controlled setting.