Emotet Being Distributed via OneNote

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file).

Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document. This ‘Next’ button is inserted with a malicious script named output1.js.

As shown below, the executed output1.js file is obfuscated via string substitution. The script file that is ultimately executed connects to the designated C2 and downloads Emotet.

The downloaded Emotet is executed through regsvr32.exe. As there have been frequent reports of malware distribution exploiting OneNote, users must be cautious when opening emails or OneNote files from unknown sources.

[Detection]

• Malware/Win.Generic.C5398625 (2023.03.22.02)
• Downloader/JS.Agent (2023.03.24.00)
• Dropper/MSOffice.Generic (2023.03.24.00)

[IOC]

MD5

• b1a10568aa1e4a47ad2aa35788edc0af
• ad0358aa96105ca02607a7605f3a1e80
• 08d40c504500c324b683773b1c6189d9
• 89457cb5c8b296b5fb9a39218b485e1a
• 6c442d3235f3e60f7a9ea3efca0289ab
• 32ec97bbc9826ee88697362023ba68ed
• c3d33ce14a48096e1cd5ce43fa4e307e
• 27f882a2b795abfae8f33440afcd3ad4
• 50150db8010ddc87150cb8445f45d270

C2

• hxxp://www.garrett[.]kz/faq/iSPVXBmuu3nUma5wkdy/
• hxxp://sdspush.beget[.]tech/connectors/GDSeP6kcWtck20hVy/
• hxxp://www.agropuno.gob[.]pe/wp-content/f9I32dWeuQcbpRt19mZ7/
• hxxp://sipo[.]ru/images/aCyHhlS8n0bXBg4BU/
• hxxp://meteo[.]camera/11/VkU/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.