Pierluigi Paganini
March 20, 2023
The Emotet malware returns after a three-month hiatus and threat actors are distributing it via Microsoft OneNote email attachments to avoid detection.
The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.
The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.
In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.
In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.
Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.
The operators remained inactive between July and November 2022. In November, Proofpoint researchers warned of the return of the Emotet malware after having observed a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.
MalwareBytes researchers noticed that the new campaign was powered by the botnet Epoch 4.
“Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.” reads the post published by MalwareBytes. “One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet’s turn to follow along.”
The OneNote file attachment poses as a fake notification stating that the document is protected. The recipient is instructed to double-click on the View button in the content of the mail causing the victims inadvertently double-click on an embedded script file instead.
Then the Windows scripting engine (wscript.exe) executes the following command:
%Temp%\OneNote\16.0\NT\0\click.wsf"
to execute a heavily obfuscated script that retrieves the Emotet binary payload from a remote server.
The malicious DLL is then executed via regsvr32.exe to install the notorious malware on the target system.
Cofense researchers also reported that Emotet malicious activity resumed on March 7, 2023, the messages detected by the company contain attached .zip files that are not password protected.
The attached .zip files deliver weaponized Office documents that download and execute the Emotet .dll.
“It is unclear how long this round of email activity will last. While an earlier round of activity in 2022 extended across multiple weeks, the last round occurred over less than two weeks in November 2022, with more than three months of inactivity on either side.” states Cofense.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
