Emansrepo is a Python infostealer discovered by FortiGuard Labs in August 2024. It is distributed through phishing emails carrying fake purchase orders and invoices.
The malware has been active since November 2023. Emansrepo collects data from victims' browser profile directories and selected file directories, packages it into a zip archive, and sends it to an attacker-controlled email address.
Fortinet researchers recently observed that the latest Emansrepo campaign weaponizes HTML files to attack Windows users.
Emansrepo Malware Weaponizing HTML Files
To reach victims who do not have a Python interpreter installed, the malware was packaged with PyInstaller and also delivered through HTML attachments that redirect the user to a download.
By July to August 2024, however, the attack chain had changed: additional stages now run before Emansrepo itself is downloaded, and the different categories of stolen data are sent in separate emails rather than in one archive.
This campaign therefore shows a clear evolution both in the attack flow and in the way data is extracted.
The attachment contains a multi-stage dropper, and Fortinet observed three distinct infection chains. Chain 1 lures the user to a fake download page for a 7z archive containing an AutoIt-compiled executable (Purchase-Order.exe).
This executable then downloads and extracts preoffice.zip, which contains the Python modules the stealer needs along with the malicious information-stealing script tester.py, Fortinet said.
Chain 2 uses an HTA file whose embedded JavaScript downloads and runs a PowerShell script (script.ps1); that script in turn downloads and extracts preoffice.zip and launches Emansrepo via run.bat.
Chain 3 starts with a BatchShield-obfuscated batch file attached to the phishing email; it contains PowerShell code that downloads and executes script.ps1.
The common element of all three chains is that the final payload, the code that steals and exfiltrates data, is written in Python.
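The three chains share a small set of observable process relationships (mshta.exe or a batch file spawning PowerShell, an AutoIt dropper named Purchase-Order.exe, a Python interpreter running tester.py) and a handful of file names (preoffice.zip, script.ps1, run.bat, tester.py). The script below is an added example, not Fortinet's code or part of the original article; it runs simple lineage and file-name rules over constructed Sysmon-style process-creation records (fields Image, ParentImage and CommandLine are assumed to be present as in Sysmon Event ID 1). Paths, command lines and the rule names are all hypothetical.

```python
"""Toy detection of the Emansrepo delivery chains over process-creation events.

Added example, not Fortinet's code. Only the file names in IOC_NAMES and the
process relationships come from the article; the event records, paths and
rule names below are constructed for illustration.
"""
import re

# File-name indicators named in the article (the dropper is matched by image name).
IOC_NAMES = ("preoffice.zip", "script.ps1", "run.bat", "tester.py")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def _base(path):
    """Lower-cased file name of an image path, accepting both \\ and / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return the list of rule names an event matches; an empty list means no hit."""
    image = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # Chain 2: the HTA's embedded JavaScript launches PowerShell.
    if parent == "mshta.exe" and image in POWERSHELL:
        hits.append("chain2_hta_to_powershell")
    # Chain 3: the obfuscated batch file (run by cmd.exe) spawns PowerShell
    # that fetches and runs script.ps1.
    if parent == "cmd.exe" and image in POWERSHELL and "script.ps1" in cmd:
        hits.append("chain3_batch_to_powershell")
    # Chain 1: the AutoIt-compiled dropper itself.
    if image == "purchase-order.exe":
        hits.append("chain1_autoit_dropper")
    # Final stage: a Python interpreter running the stealer script.
    if image.startswith("python") and "tester.py" in cmd:
        hits.append("emansrepo_python_stage")
    # Generic catch-all: any command line that references a known file name.
    if any(name in cmd for name in IOC_NAMES):
        hits.append("ioc_filename_in_cmdline")
    return hits


def scan(events):
    """Run classify() over a list of events; returns (event_index, rule_name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Users\alice\Downloads\Purchase-Order.exe",
     "CommandLine": r"C:\Users\alice\Downloads\Purchase-Order.exe"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -f C:\Users\alice\AppData\Local\Temp\script.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -File script.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\preoffice\python.exe",
     "CommandLine": "python.exe tester.py"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The lineage rules (mshta.exe and cmd.exe spawning PowerShell) are the durable part of this detection; the file-name rule is cheap to evade by renaming and is kept only as a low-confidence indicator. Benign PowerShell launched from Explorer produces no hit, which is the false-positive case the parent-process condition is there to avoid.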
The Emansrepo infostealer operates in three phases:
- Harvesting user data, login credentials, credit card information, browsing and download history, autofill data, and small text files (under 0.2 MB) from key directories.
- Extracting PDFs (under 0.1 MB) and compressing browser extensions, cryptocurrency wallets, and game platform data.
- Exfiltrating browser cookies. Throughout, the malware stages data in temporary folders and deletes them once exfiltration is complete.
The malware evolved from a Prysmax-based variant (hash: e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5) to a more sophisticated version (hash: ae2a5a02d0ef173b1d38a26c5a88b796f4ee2e8f36ee00931c468cd496fb2b5a) between November and December 2023.
A related campaign distributes the Remcos RAT, delivered by DBatLoader, through phishing as well.
Although this packed Remcos sample is a separate attack, the shift in delivery vectors across both campaigns underlines the need for layered defenses covering email, endpoints, and user awareness.