From 1a033e0ee82eb438170b523417f297abe017f4e5 Mon Sep 17 00:00:00 2001 From: Mar-Pic Date: Fri, 14 Mar 2025 09:45:02 +0100 Subject: [PATCH] Update readme.md --- emmenhtal/readme.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/emmenhtal/readme.md b/emmenhtal/readme.md index 82ed259..eb90ec4 100644 --- a/emmenhtal/readme.md +++ b/emmenhtal/readme.md 
@@ -3,21 +3,20 @@ Emmenhtal is an obfuscated multistage payload that spawns an execution of the LO As of March 2025, our CERT has been tracking three versions of the loader, all actively distributed. -##Emmenhtal v1## +Emmenhtal v1 Emmenhtal v1 was (and still is) mainly distributed through executables padded with a malicious HTA script which characterizes Emmenhtal's first stage. As previously detailed, most of these executables masquerade as legitimate Windows binaries, such as  appidtel.exe, sethc.exe, rmactivate.exe, SearchProtocolHost.exe, dialer.exe etc... Over the months, Emmenhtal v1 was observed in multiple distribution clusters and delivering a large umbrella of commodity RATs and stealers (Lumma, CryptBot, Meduza RAT, Remcos RAT, XWorm, RedLine stealer), indicating the malware is likely used by several threat actors. -##Emmenhtal v2## +Emmenhtal v2 Emmenhtal v2 surfaced in early December 2024, with several new obfuscation features. Compared to its predecessor, the v2 was not well detected by AV solutions and this is still the case three months after the variant surfaced. The new variant is still multistage, but no longer relies on HTA data hidden in the padding of a PE executable. Instead, its first stage corresponds to a data file with HTA script tags splitted all over the file, and intertwined with junk script lines designed to complicate analysis. Stages 2 and 3 remained pretty similar to the original Emmenhtal version. Finally, the last Powershell stage was also modified with a monoalphabetic substitution obfuscation method. Our Reverse Engineering team also identified back in December new features designed to hide the execution of the malware (using windows hidden outside of the screen, or error message masking). Emmenhtalv2 has been mainly distributed through fake CAPTCHAs and “ClickFix” contents. In most cases, Emmenhtal either masquerades as a data file or a mp4 video. 
- -##Emmenhtal v3## +Emmenhtal v3 Emmenhtal v3 surfaced in early March 2025, with many changes added to the HTA, JS and last Powershell stages.
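Review bot: the `+Emmenhtal v1`, `+Emmenhtal v2` and `+Emmenhtal v3` lines remove the heading markup instead of repairing it, so the three variant names will now render as ordinary paragraph text rather than as section headings. The removed `##Emmenhtal v1##` form did not render as a heading only because CommonMark requires a space after the opening `#` characters; the minimal fix is `## Emmenhtal v1` (the closing `##` is optional and may be kept if preceded by a space), and the same for v2 and v3. The blank line deleted ahead of the v3 heading can stay as well; it keeps the headings visually separated from the preceding paragraph. While this region is being touched, the unchanged context lines still carry `splitted` (split), `Emmenhtalv2` (Emmenhtal v2) and `etc...`, which could be corrected in the same commit.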