Emotet Being Distributed via OneNote


AhnLab Security Emergency response Center (ASEC) has recently discovered Emotet being distributed via OneNote. A spear phishing email such as the one below arrives with a OneNote file attached and prompts the reader to open it; the attachment contains a malicious script file (a JS file).

When the OneNote file is opened, it instructs the user to click a button to connect to the cloud in order to open the document. A malicious script named output1.js is hidden behind this ‘Next’ button.

As shown below, the executed output1.js file is obfuscated via string substitution. The script that ultimately runs connects to the designated C2 and downloads Emotet.

The downloaded Emotet is executed through regsvr32.exe. As there have been frequent reports of malware distribution exploiting OneNote, users must be cautious when opening emails or OneNote files from unknown sources.
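The execution chain described above (OneNote opening a script host that runs output1.js, which then launches Emotet through regsvr32.exe) is the kind of process ancestry a defender can hunt for. The following is an added detection example, not ASEC's code: it walks constructed process-creation events (pids, user names, file paths and the DLL name are all made up) and flags a script host running a script file, or regsvr32.exe, anywhere beneath onenote.exe.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # process image name (matched case-insensitively)
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")

def ancestry(by_pid, pid):
    """Return image names from the process itself up to the root of the tree."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain

def find_onenote_chains(events):
    """Flag script hosts running a script file, and regsvr32 launches, descended from OneNote."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(by_pid, e.pid)
        if "onenote.exe" not in chain[1:]:     # only look at descendants of OneNote
            continue
        image = chain[0]
        tokens = [t.strip('"').lower() for t in e.cmdline.split()]
        if image in SCRIPT_HOSTS and any(t.endswith(SCRIPT_EXTS) for t in tokens):
            findings.append((e.pid, "script host under OneNote: " + " <- ".join(chain)))
        elif image == "regsvr32.exe":
            findings.append((e.pid, "regsvr32 under OneNote: " + " <- ".join(chain)))
    return findings

# Constructed sample telemetry; the paths, pids and loader.dll name are assumptions.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "ONENOTE.EXE", 'ONENOTE.EXE "C:\\Users\\u\\Downloads\\invoice.one"'),
    ProcEvent(300, 200, "wscript.exe", 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\output1.js"'),
    ProcEvent(400, 300, "regsvr32.exe", 'regsvr32.exe /s "C:\\Users\\u\\AppData\\Local\\Temp\\loader.dll"'),
    ProcEvent(500, 100, "wscript.exe", "wscript.exe C:\\Scripts\\logon.vbs"),   # benign: not under OneNote
]

if __name__ == "__main__":
    for pid, reason in find_onenote_chains(SAMPLE):
        print(pid, reason)
```

The benign logon script (pid 500) is not reported because explorer.exe, not OneNote, is its parent; only the two events beneath onenote.exe are flagged.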

[Detection]

  • Malware/Win.Generic.C5398625 (2023.03.22.02)
  • Downloader/JS.Agent (2023.03.24.00)
  • Dropper/MSOffice.Generic (2023.03.24.00)


MD5

URL

