Windows Users Hit by New Malware Disguised as Purchase Orders

New Python-based infostealer has been targeting Microsoft Windows users through phishing emails disguised as purchase orders and invoices.

By Marco Rizal - Editor, Journalist


In August 2024, FortiGuard Labs discovered new developments in an ongoing phishing campaign that targets Microsoft Windows users with emails posing as legitimate business communications.

The emails contain fake purchase orders and invoices, but they also contain a dangerous threat: Emansrepo, a Python-based infostealer.

Once downloaded, Emansrepo silently collects sensitive information from the victim's browsers, including login credentials, credit card information, and autofill data.

It also searches specific directories, such as Desktop and Documents, for files before compressing the data into a zip file and sending it to the attacker's email address.

This stolen information can be used to launch future attacks, increasing the campaign's severity.

According to FortiGuard Labs, this cyberattack has been ongoing for nearly a year, evolving to include more complex attack chains.

Early versions of the attack flow, discovered in November 2023, were relatively simple: a single download link for the malware embedded in an HTML file. However, as time passed, the attacks became increasingly sophisticated.

[Figure: Attack flow, November 2023 (Credit: FortiGuard Labs)]

The campaign begins with a phishing email that includes an HTML file. This file directs the victim to a download link for Emansrepo, which is packaged with PyInstaller and can run without Python installed on the victim's computer.

By July and August 2024, the attack flow had become more complex, with multiple steps and layers of deception added to avoid detection.

In some cases, attackers used multiple email addresses to receive stolen data, making it harder to track down.

[Figure: Attack flow, July and August 2024 (Credit: FortiGuard Labs)]

Phishing emails also evolved, frequently including fake download pages or links to files disguised as purchase orders or invoices.

When these links were clicked, malicious files were downloaded, triggering a chain of events that resulted in Emansrepo being installed on the victim's system.

One example of the attack flow is an AutoIt-compiled executable embedded in a 7z file.

This executable downloads a zip archive to the Temp folder that contains Python modules as well as the malicious Emansrepo script.

In another chain, a PowerShell script is used to run the infostealer, demonstrating how attackers are constantly changing their tactics to avoid detection.

What Emansrepo Steals

Emansrepo is capable of stealing a wide variety of data. Its behavior is divided into three major parts.

Part 1 focuses on stealing browser data. This includes saved passwords, credit card information, browsing and download histories, and autofill data from popular browsers such as Chrome, Microsoft Edge, Brave, and Vivaldi.

It also collects text files from the Desktop, Documents, and Downloads folders.

Part 2 broadens its scope by stealing PDF files, browser extensions, cryptocurrency wallet information, and data from gaming platforms such as Steam and Riot Games.

This information is compressed into zip files and transmitted to the attacker.

Part 3 focuses on collecting cookies from browsers, which are then zipped and sent to the attacker's email.

The data collected by Emansrepo is temporarily stored in folders on the victim's machine before being sent to various attacker-controlled email addresses.

Once the data is transmitted, these temporary folders are deleted to cover the malware's tracks.
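As an added defender-side illustration (not code from FortiGuard Labs or from this article), the following Python heuristic flags a process that shows the staging-then-mail sequence described above: it creates a zip archive in a temp folder, connects to a mail-submission port although it is not a mail client, and then deletes the staging folder. The telemetry format, sample events, file paths and hostnames are all constructed assumptions for the example.

```python
"""Heuristic for the staged exfiltration-by-email pattern: zip in Temp,
SMTP connection from a non-mail process, staging folder deleted afterwards.
Event tuples below are constructed sample telemetry, not real data."""
from collections import defaultdict

# Constructed sample events: (timestamp, pid, image path, event kind, detail)
SAMPLE_EVENTS = [
    (1, 4120, r"C:\Program Files\Outlook\outlook.exe", "net_connect", "smtp.example.com:587"),
    (2, 5312, r"C:\Users\alice\AppData\Local\Temp\purchase_order.exe", "file_create",
     r"C:\Users\alice\AppData\Local\Temp\browser_data.zip"),
    (3, 5312, r"C:\Users\alice\AppData\Local\Temp\purchase_order.exe", "net_connect",
     "mail.example.net:465"),
    (4, 5312, r"C:\Users\alice\AppData\Local\Temp\purchase_order.exe", "dir_delete",
     r"C:\Users\alice\AppData\Local\Temp\browser_data"),
    (5, 6001, r"C:\Windows\explorer.exe", "file_create", r"C:\Users\alice\Downloads\report.zip"),
]

SMTP_PORTS = {"25", "465", "587"}           # mail transfer / submission ports
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes allowed to speak SMTP


def is_temp_path(path):
    """True when the path lies under the per-user Temp directory."""
    return "\\appdata\\local\\temp\\" in path.lower()


def detect_staged_mail_exfil(events):
    """Return (pid, image) pairs whose events show zip-in-Temp, then SMTP,
    then deletion of a Temp folder, in that order."""
    by_proc = defaultdict(list)
    for _ts, pid, image, kind, detail in sorted(events):
        by_proc[(pid, image)].append((kind, detail))
    hits = []
    for (pid, image), evs in by_proc.items():
        if image.rsplit("\\", 1)[-1].lower() in MAIL_CLIENTS:
            continue  # a real mail client talking SMTP is expected behaviour
        stage = 0
        for kind, detail in evs:
            if stage == 0 and kind == "file_create" and detail.lower().endswith(".zip") and is_temp_path(detail):
                stage = 1
            elif stage == 1 and kind == "net_connect" and detail.rsplit(":", 1)[-1] in SMTP_PORTS:
                stage = 2
            elif stage == 2 and kind == "dir_delete" and is_temp_path(detail):
                stage = 3
        if stage == 3:
            hits.append((pid, image))
    return hits
```

Run against live telemetry the three event kinds map naturally onto file-creation, network-connection and file-deletion events from an endpoint sensor, and the allow list of mail clients would be tuned to the environment.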

In addition, FortiGuard Labs recently discovered another campaign, most likely linked to the same attackers, but this time using a different piece of malware called Remcos.

[Figure: Remcos phishing email on the left (Credit: FortiGuard Labs)]

Like the Emansrepo campaign, this attack begins with phishing emails. Instead of deploying a Python infostealer, the attachments in these emails contain a DBatLoader that downloads and decrypts an encrypted Remcos payload.

Remcos is then used to gain control of the victim's machine, which may lead to more serious attacks.

Emansrepo has been active since at least November 2023, and the attackers are constantly improving their tactics.
