
Minerva Labs Blog


The Emotet Grinch Is Back – with Triple PowerShell Gift Wrap

If you read our earlier post you are already familiar with Emotet. Recently Minerva prevented a new wave of Emotet attacks: a special Christmas-themed campaign we call “Emotet Grinch”.

Cybercriminals have recently been pushing this malware very aggressively, finding ways to consistently evade baseline security controls and compromise systems. At the end of December Minerva prevented a new wave of Emotet attacks, a special Christmas-themed Emotet campaign. The “Emotet Grinch” infection starts with an email containing a link to a malicious document named “Your Holidays eCard.doc”. As in many other cases, the document lures the victim into enabling the embedded malicious macro:

[Figure: Your Holidays eCard.doc, luring a victim to enable macro execution]

The next stage of the attack is similar to an earlier Emotet campaign: the macro executes cmd.exe with the following string as its argument:

[Figure: the cmd.exe argument string launched by the macro]

The script includes some dummy lines, hides the string “powershell” across multiple variables, carefully reassembles it and launches the next stage of the attack, a fileless PowerShell payload. In earlier campaigns the payload started with an obfuscated Invoke-Expression call followed by a string that is interpreted as yet another nested PowerShell script:

[Figure: Older Emotet variant, before the nested PowerShell payload: an obfuscated “iex”]

The environment variable “comspec” holds the path to cmd.exe; by picking characters at carefully chosen positions of that path, the string “iex” is assembled, which is an alias of Invoke-Expression:

[Figure: assembling “iex” from selected characters of the “comspec” environment variable]

Unlike earlier attacks, this time the Emotet Grinch decided to wrap its “gift” to the victims in triple(!) Invoke-Expression layers. Each layer abuses a command or variable that returns a predictable value and picks characters out of it to craft the golden “iex” string:

[Figure: First layer, abuses “MaximumDriveCount”]

[Figure: Second layer, abuses the “$Shellid” variable]

[Figure: Third and last layer, abuses “$VerbosePreference”]

This “iex matryoshka” obfuscation technique is combined with string replacements (e.g. replacing “garBaGe” with the letter “c”), allowing it to bypass static scans and many security products that fail to “peel” enough layers before reaching the malicious functionality.
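Because every layer derives “iex” from a value that is the same on any stock Windows host, a defender can resolve these lookups statically instead of executing the script. The following Python scanner is an added example and not Minerva’s code; it assumes the default values of `$env:ComSpec`, `$ShellId`, `$VerbosePreference` and the `MaximumDriveCount` variable name, and the command lines it is run over are constructed in the style of the three layers shown above, not copied from the sample.

```python
import re
# Default values of the PowerShell constants the three layers index into, as
# found on a stock Windows host (assumed defaults; the sample lines are constructed).
CONSTANTS = {
    "$env:comspec": r"C:\WINDOWS\system32\cmd.exe",  # [4,15,25] -> "Iex"
    "$shellid": "Microsoft.PowerShell",             # [1],[13]  -> "ie"
    "$verbosepreference": "SilentlyContinue",       # [1,3]     -> "ie"
    "*mdr*": "MaximumDriveCount",                   # [3,11,2]  -> "iex"
    "maximumdrivecount": "MaximumDriveCount",
}
# A known constant, optionally followed by .ToString() or a ').Name' suffix,
# then a bracketed index list: $ShellId[1], $env:ComSpec[4,15,25], .Name[3,11,2]
INDEX_RE = re.compile(
    r"""(\$env:comspec|\$shellid|\$verbosepreference|maximumdrivecount|['"]\*mdr\*['"])"""
    r"[^\[\]]{0,20}\[([0-9, ]+)\]", re.I)
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")  # 'ie'+'x' -> 'iex'
IEX_RE = re.compile(r"""['"]iex['"]""", re.I)    # a literal that is exactly iex

def resolve_indexing(line):
    """Replace each CONST[i,j,...] lookup with the quoted characters it selects."""
    def pick(m):
        source = CONSTANTS[m.group(1).strip("'\"").lower()]
        idx = [int(i) for i in m.group(2).replace(" ", "").split(",") if i]
        return "'" + "".join(source[i] for i in idx if i < len(source)) + "'"
    return INDEX_RE.sub(pick, line)

def deobfuscate(line):
    """Resolve the lookups, then join adjacent literals glued together with '+'."""
    return CONCAT_RE.sub("", resolve_indexing(line))

def builds_iex(line):
    """True when a line assembles the Invoke-Expression alias from constants."""
    return IEX_RE.search(deobfuscate(line)) is not None

def scan(lines):
    """Return (original, deobfuscated) pairs for every line that hides an iex."""
    return [(l, deobfuscate(l)) for l in lines if builds_iex(l)]

SAMPLES = [  # constructed command lines in the style of the three layers
    "$env:ComSpec[4,15,25] ($parts -join '')",
    "(Get-Variable '*mdr*').Name[3,11,2] $stage2",
    "($ShellId[1]+$ShellId[13]+'x') $stage2",
    "($VerbosePreference.ToString()[1,3]+'X') $stage2",
    "Write-Output 'Your Holidays eCard'",  # benign line, must not be flagged
]

if __name__ == "__main__":
    for original, resolved in scan(SAMPLES):
        print(f"{original!r:55} -> {resolved!r}")
```

The same resolution step can be applied repeatedly to each layer of a captured command line, since each peeled layer is again plain PowerShell text.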

Once the deobfuscation is completed, the following script is executed on the victim’s system:

[Figure: The final deobfuscated script]

In its deobfuscated form, this is an elementary PowerShell script that downloads Emotet’s executable payload from a hardcoded list of 5 domains and executes it under a random numeric name.

It is worth noting that, just like earlier Emotet executable payloads, this campaign can be vaccinated against using Minerva’s DIY Emotet vaccination:

[Figure: Emotet terminates itself once files related to environment analysis are found]

Multiple capabilities of Minerva’s Anti-Evasion Platform are able to prevent Emotet infections. The earliest one to kick in is our Malicious Document Prevention module, which breaks the infection chain before it even has a chance to launch its first stage from the infected document.

Want to hear more about Minerva’s Anti-Evasion Platform? Contact us for a demo! 



Analyzed Document SHA256

URLs serving the executable payload

Many other URLs are available on a daily basis on this Pastebin page by @NelsonSecurity:

URLs serving the malicious document