Emotet Malware Adapts with OneNote Attachments to Deliver Payloads
Emotet is a sophisticated modular malware that began as a banking trojan and usually spreads via email attachments. Its primary aim is to harvest confidential data from its targets, including passwords and banking details, and send it to a Command and Control (C&C) server.
Cyble Research and Intelligence Labs (CRIL) is closely monitoring the Emotet campaign, which recently reappeared on March 7th after three months of dormancy.
Emotet is once again sending malicious emails and infecting devices worldwide as it rebuilds its network. In the previous week’s campaign, Emotet used malicious ZIP attachments containing DOC files and employed a technique known as “ZIP bombing”: a DOC file padded to a very large size so that it compresses into a small archive while the extracted document exceeds the size limits of many scanners.
In the most recent campaign, however, Emotet has shifted tactics and now attaches OneNote files to its spam emails instead of ZIP archives containing malicious documents. OneNote is Microsoft’s digital notebook application, used worldwide to store ideas, thoughts, and notes in one place.
Other malware families, such as Qakbot, have also been observed using OneNote attachments in their spam campaigns. Threat actors (TAs) regularly change their infection techniques to evade detection by anti-virus products and to increase the probability of successfully compromising targets; this is the primary motivation behind such shifts.
The delivery mechanism of Emotet malware via a spam email’s OneNote attachment is illustrated in the figure below.
Technical Analysis
In the recent campaign, Emotet is distributed via a malicious OneNote attachment, as shown in the figure below.
When the user opens the attachment, which appears to be a OneNote document, a fake OneNote page is displayed that instructs the user to double-click in order to view the document. This action triggers the Emotet infection chain.
The below figure shows the fake OneNote document.
An obfuscated script file is embedded behind the “View” button in the OneNote document. Double-clicking the button executes the embedded file: OneNote writes it to its export directory as a Windows Script File named “click.wsf” and runs it with “wscript.exe” from the location below.
- C:\Users\[user-name]\AppData\Local\Temp\OneNote\16.0\Exported\{26E0D824-BE38-4186-AF90-9A9C389A36B0}\NT\click.wsf
The below figure shows the content of the dropped obfuscated .wsf file.
After de-obfuscation, the .wsf file reveals a list of payload URLs and code that builds strings such as the output file name and “regsvr32”, which are later used to execute the Emotet payload, as illustrated in the figure below.
The de-obfuscated script also contains the code that downloads the Emotet payload from a predetermined set of URLs. After each download, the script checks the size of the received content against 150 KB.
If the content is larger than 150 KB, the script stops trying the remaining URLs and saves the payload to the directory where the .wsf file was dropped. The payload is given a random name, such as “rad59f5c.tmp.dll”, and is then executed with regsvr32.exe.
If the content is 150 KB or smaller, the script discards it and tries the next URL in the list. This check ensures that the Emotet payload is retrieved even if some of the URLs are unavailable or no longer serve the DLL.
The figure below illustrates a code snippet demonstrating how the Emotet payload size is verified and executed.
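To make the download loop described above concrete, the following Python snippet emulates it offline. This is an added example for this write-up, not the script from the campaign: the URLs, the canned responses and the fetcher are constructed stand-ins (none of the real payload URLs listed later are used), nothing is written to disk and nothing is executed. It shows why the 150 KB threshold matters to the operator: a dead host and a small takedown notice are both skipped, the first body above the threshold is accepted, and any URLs after it are never contacted.

```python
"""Offline emulation of the download-and-size-check loop that the
de-obfuscated click.wsf script performs (added example, not the original).
The URL list, the fake responses and fake_fetch() are constructed here so the
code runs without network access and never executes what it 'downloads'."""

from typing import Callable, List, Optional, Tuple

SIZE_THRESHOLD = 150 * 1024  # 150 KB, the cut-off the script applies

# Constructed stand-ins for the payload URL list (not the IOCs from this post).
PAYLOAD_URLS = [
    "hxxp://dead.example/a/",       # host unreachable
    "hxxp://takedown.example/b/",   # sinkholed: small HTML notice
    "hxxp://live.example/c/",       # serves something above the threshold
    "hxxp://unused.example/d/",     # never contacted when c/ succeeds
]

# Constructed responses: None models a failed connection, bytes a body.
FAKE_RESPONSES = {
    "hxxp://dead.example/a/": None,
    "hxxp://takedown.example/b/": b"<html>This domain has been seized</html>",
    "hxxp://live.example/c/": b"MZ" + b"\x00" * (SIZE_THRESHOLD + 512),
    "hxxp://unused.example/d/": b"MZ" + b"\x00" * (SIZE_THRESHOLD + 512),
}


def fake_fetch(url: str) -> Optional[bytes]:
    """Stand-in for the HTTP download; looks the body up in FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url)


def fetch_with_fallback(
    urls: List[str],
    fetch: Callable[[str], Optional[bytes]],
    threshold: int = SIZE_THRESHOLD,
) -> Tuple[Optional[str], Optional[bytes], List[Tuple[str, int]]]:
    """Walk the URL list in order, exactly as the script does.

    Returns (url, body, attempts): the first URL whose body is strictly
    larger than `threshold` and that body, or (None, None, attempts) if every
    URL failed. `attempts` records (url, bytes received) for each URL tried,
    so an analyst can see how far down the list the loop went.
    """
    attempts: List[Tuple[str, int]] = []
    for url in urls:
        body = fetch(url)
        attempts.append((url, 0 if body is None else len(body)))
        # Only the size is checked; the script does not validate that the
        # content is actually a DLL, so any large response would be accepted.
        if body is not None and len(body) > threshold:
            return url, body, attempts
    return None, None, attempts


if __name__ == "__main__":
    chosen, _, tried = fetch_with_fallback(PAYLOAD_URLS, fake_fetch)
    for url, size in tried:
        print(f"{url:32s} {size:>8d} bytes")
    print("accepted:", chosen)
```

Run as-is, it reports three attempts and accepts the third URL; the fourth is never touched. Swapping `fake_fetch` for a real HTTP client is deliberately left to the reader's sandbox.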
The figure below shows the process chain in which the Emotet DLL is launched via “regsvr32.exe” from the OneNote document.
Figure 7 – Emotet Process tree
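The process tree above (OneNote launching a script host on a file under its Exported directory, which in turn hands a .tmp.dll to regsvr32.exe) is the most durable thing to detect, since the lures and URLs rotate. The following Python is an added example, not part of the original post: it runs a detection over a constructed set of Sysmon-style process-creation events (the benign wscript.exe and regsvr32.exe events are made up as negative cases) and flags each stage of the chain plus the full OneNote-to-regsvr32 ancestry. The field names of the event records and the `.tmp.dll` naming pattern are assumptions based on the behaviour described above.

```python
"""Detect the OneNote -> wscript.exe -> regsvr32.exe chain described in the
write-up over process-creation events (added example, not the post's own
tooling). SAMPLE_EVENTS is constructed; in practice feed Sysmon Event ID 1
or EDR process records with the same four fields."""

import ntpath
import re
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# OneNote writes embedded files under %LOCALAPPDATA%\Temp\OneNote\<ver>\Exported\.
EXPORTED_DIR = re.compile(r"\\AppData\\Local\\Temp\\OneNote\\[\d.]+\\Exported\\", re.I)
SCRIPT_EXT = re.compile(r"\.(wsf|vbs|vbe|js|jse)\b", re.I)
TMP_DLL = re.compile(r"\.tmp\.dll\b", re.I)   # assumed pattern, e.g. rad59f5c.tmp.dll
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed events: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    Proc(4100, 900, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
         r'"ONENOTE.EXE" C:\Users\alice\Downloads\invoice.one'),
    Proc(4212, 4100, r"C:\Windows\System32\wscript.exe",
         r'"wscript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported'
         r'\{26E0D824-BE38-4186-AF90-9A9C389A36B0}\NT\click.wsf"'),
    Proc(4300, 4212, r"C:\Windows\System32\regsvr32.exe",
         r'regsvr32.exe "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported'
         r'\{26E0D824-BE38-4186-AF90-9A9C389A36B0}\NT\rad59f5c.tmp.dll"'),
    # Benign: logon script run by explorer (pid 900 is not a OneNote process).
    Proc(5000, 900, r"C:\Windows\System32\wscript.exe",
         r"wscript.exe \\corp\netlogon\mapdrives.vbs"),
    # Benign: installer registering its own component.
    Proc(5100, 5050, r"C:\Windows\System32\regsvr32.exe",
         r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'),
]


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def detect(events: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) alerts for each stage of the chain."""
    by_pid: Dict[int, Proc] = {e.pid: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimage = _base(parent.image) if parent else ""
        # Stage 1: OneNote launches a script host on a file it exported to %TEMP%.
        if (_base(e.image) in SCRIPT_HOSTS and pimage == "onenote.exe"
                and EXPORTED_DIR.search(e.cmdline) and SCRIPT_EXT.search(e.cmdline)):
            alerts.append(("onenote_script_from_exported_dir", e.pid))
        # Stage 2: that script host hands a .tmp.dll (or anything under the
        # Exported directory) to regsvr32.exe.
        if (_base(e.image) == "regsvr32.exe" and pimage in SCRIPT_HOSTS
                and (TMP_DLL.search(e.cmdline) or EXPORTED_DIR.search(e.cmdline))):
            alerts.append(("regsvr32_tmp_dll_from_script_host", e.pid))
            # Full chain: walk one more step up to confirm the OneNote root.
            grand = by_pid.get(parent.ppid) if parent else None
            if grand and _base(grand.image) == "onenote.exe":
                alerts.append(("emotet_onenote_chain", grand.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The stage-1 rule alone is already a strong signal: OneNote has no legitimate reason to hand a script host a file from its own export cache. Stage 2 is kept separate so that it still fires when the parent OneNote process has exited before the DLL is run.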
Upon execution, the Emotet DLL runs quietly in the background and connects to a Command and Control (C&C) server to receive further instructions or to fetch additional payloads.
The following image lists the OneNote filenames most frequently used by the Emotet spam campaign.
Conclusion
Emotet is a complex and persistent malware family that has affected users worldwide. Threat actors continually modify their tactics to stay ahead of security organizations, and Emotet is a prime example.
In previous campaigns, TAs used the ZIP bombing technique to distribute Emotet; they have now shifted to OneNote attachments that drop a WSF script to deliver the Emotet payload. Although the latest campaign uses a new way of infecting victims through OneNote, the malware’s behavior after execution has not changed significantly.
CRIL is closely monitoring the activity of the Emotet malware campaign and will continue to update readers as the campaign evolves. The campaign is anticipated to use new tactics, techniques, and procedures to distribute malware after a hiatus of quite a few months.
Our Recommendations
We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the practices below:
Safety Measures Needed to Prevent Attacks From Similar Threats And Reduce The Impact
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Don’t keep important files in common locations such as the Desktop, My Documents, etc.
MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566 | Spearphishing Attachment |
| Execution | T1204 | User Execution |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1218 | Regsvr32 |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1564 | Hidden Window |
| Defense Evasion | T1112 | Modify Registry |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1007 | System Service Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
Indicators of Compromise (IOCs)

| Indicators | Indicator Type | Description |
|---|---|---|
| 9708680347a58e18f41c0e211032e563 | MD5 | Spam Email |
| 81c8b1069382ea1dcd1afe7283c28e4de73b339d | SHA1 | Spam Email |
| a1a3160e424b860659a73a579a5f01fe0caeb14517da015b3095a86231642b0f | SHA256 | Spam Email |
| 9313a883ff85f0384ac4276bdab8937b | MD5 | OneNote Attachment |
| 8638c0f0ed7905ab7e7ad5eada3d9d621bb5a7e0 | SHA1 | OneNote Attachment |
| 5eeb3c3ae69941127e6c03581fc6274614e2d934631cca6c82cda688fb1ebadc | SHA256 | OneNote Attachment |
| ae25f2104967b2708ac9dba80aac52fd | MD5 | WSF file |
| 7ac0150b43cbb5eeba9a0f956e1291df6790f3bf | SHA1 | WSF file |
| 11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56 | SHA256 | WSF file |
| bfc060937dc90b273eccb6825145f298 | MD5 | Emotet DLL file |
| c156c00c7e918f0cb7363614fb1f177c90d8108a | SHA1 | Emotet DLL file |
| 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253 | SHA256 | Emotet DLL file |
| hxxp[:]//malli[.]su[:]80/img/PXN5J/ | URL | Emotet payload URL |
| hxxps[:]//kts[.]group/35ccbf2003/jKgk8/ | URL | Emotet payload URL |
| hxxps[:]//olgaperezporro[.]com/js/ExGBiCZdkkw0GBAuHNZ/ | URL | Emotet payload URL |
| hxxps[:]//4fly[.]su[:]443/search/OfGA/ | URL | Emotet payload URL |
| hxxp[:]//staging-demo[.]com/public_html/wTG/ | URL | Emotet payload URL |
| hxxp[:]//semedacara[.]com[.]br/ava/ahhz/ | URL | Emotet payload URL |
| hxxp[:]//hypernite[.]5v[.]pl/vendor/hvlVMsI9jGafBBTa/ | URL | Emotet payload URL |
| hxxp[:]//www[.]polarkh-crewing[.]com/aboutus/EUzMzX7yXpP/ | URL | Emotet payload URL |
| hxxp[:]//efirma[.]sglwebs[.]com/img/2mmLuv7SxhhYFRVn/ | URL | Emotet payload URL |
| hxxp[:]//uk-eurodom[.]com/bitrix/9HrzPY66D1F/ | URL | Emotet payload URL |
| hxxp[:]//1it[.]fit/site_vp/4PwK3s6Bf9K7TEA/ | URL | Emotet payload URL |
| hxxps[:]//thailandcan[.]org/assets/ulRa/ | URL | Emotet payload URL |
Source: https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/