Emotet Being Distributed via OneNote

AhnLab Security Emergency response Center (ASEC) has recently discovered Emotet being distributed via OneNote. The spear phishing email shown below carries a OneNote file as its attachment and prompts the reader to open it; the OneNote file in turn contains a malicious script file (a JS file).

Figure 1. Phishing email attached with a malicious OneNote file

When the OneNote file is opened, it instructs the user to click a button to "connect to the cloud" in order to view the document. A malicious script named output1.js is embedded behind this 'Next' button, so clicking it runs the script.

Figure 2. OneNote prompting users to execute the malicious script file

As shown below, the executed output1.js file is obfuscated via string substitution. The script that ultimately runs after de-obfuscation connects to the designated C2 server and downloads Emotet.

Figure 3. A portion of the obfuscated script file

The downloaded Emotet is executed through regsvr32.exe. As there have been frequent reports of malware distribution exploiting OneNote, users must be cautious when opening emails or OneNote files from unknown sources.
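The chain above depends on a script object embedded inside the OneNote file. As an added defender-side triage example (not ASEC's tooling), the Python below carves embedded file objects out of a .one file using the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification and flags objects that read like JS/VBS text; the sample bytes, the hint tokens and the classification thresholds are constructed for illustration.

```python
# Added triage example (not ASEC's code): carve embedded file objects out of a
# OneNote file using the FileDataStoreObject layout documented in MS-ONESTORE:
# 16-byte header GUID, 8-byte LE length, 12 unused/reserved bytes, data, footer GUID.
import struct
import uuid

HEADER_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FOOTER_GUID = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved
# Tokens common in JS/VBS lures that hide API names via string substitution.
SCRIPT_HINTS = (b"WScript", b"ActiveXObject", b"eval(", b"function ", b"replace(")

def carve_embedded_files(data: bytes) -> list:
    """Return [(offset, payload)] for every embedded file object in data."""
    found = []
    pos = data.find(HEADER_GUID)
    while pos != -1:
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        payload = data[pos + HEADER_LEN:pos + HEADER_LEN + size]
        if len(payload) == size:  # skip truncated objects instead of mis-reading them
            found.append((pos, payload))
        pos = data.find(HEADER_GUID, pos + 16)
    return found

def classify(payload: bytes) -> str:
    """Coarse label: 'pe' for an MZ header, 'script' if it reads like JS/VBS, else 'binary'."""
    head = payload[:4096]
    if head.startswith(b"MZ"):
        return "pe"
    if sum(hint in head for hint in SCRIPT_HINTS) >= 2:
        return "script"
    return "binary"

def triage(data: bytes) -> list:
    """Summarise every embedded object as {offset, size, type}."""
    return [{"offset": off, "size": len(p), "type": classify(p)}
            for off, p in carve_embedded_files(data)]

def _wrap(payload: bytes) -> bytes:
    """Build one FileDataStoreObject around payload (for the constructed sample)."""
    return HEADER_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FOOTER_GUID

# Constructed sample, not a real lure: filler, a script-like object, filler, a fake PE stub.
_JS = b"var a = 'WScript'; var o = new ActiveXObject(a + '.Shell'); function f(s) { return s.replace('x', ''); }"
SAMPLE_ONE = b"\0" * 64 + _wrap(_JS) + b"\xff" * 32 + _wrap(b"MZ\x90\0" + b"\0" * 60)

for hit in triage(SAMPLE_ONE):
    print(hit)
```

Any object classified as "script" in a mail attachment is worth quarantining for analysis before a user can click the button that launches it.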

[Detection]

  • Malware/Win.Generic.C5398625 (2023.03.22.02)
  • Downloader/JS.Agent (2023.03.24.00)
  • Dropper/MSOffice.Generic (2023.03.24.00)

[IOC]

MD5


C2


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
