March 21, 2023 HAWKEYE

Emotet Epoch 5

Malware Adapts to New Tactics, Using OneNote Files to Evade Security Measures

The notorious Emotet malware has returned with a new tactic to evade macro-based security restrictions and infect systems. This time, it’s using Microsoft OneNote email attachments, as well as its previous modus operandi of distributing booby-trapped documents containing macros.

Background

To bypass Microsoft’s macro-blocking measures, the Emotet malware now distributes malicious payloads via OneNote attachments. According to Malwarebytes, the OneNote file is convincing and effective: it shows a fake notification stating that the document is protected, and double-clicking the “View” button inadvertently executes an embedded script file that retrieves and runs the Emotet binary payload from a remote server.

However, Emotet continues to use booby-trapped documents containing macros to deliver the malicious payload, employing social engineering lures to encourage users to enable macros and activate the attack chain. To avoid detection, these documents use a decompression-bomb technique, hiding a very large file inside a small ZIP archive attachment.

Emotet’s flexibility and agility in switching attachment types for initial delivery is a cause for concern. Threat actors are increasingly using OneNote documents to distribute various malware, such as AsyncRAT, IcedID, RedLine Stealer, Qakbot, and XWorm. The U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia are the top targeted countries, with the manufacturing, high-tech, telecom, finance, and energy sectors most at risk.

Attack Scenario:

  1. Attacker hijacks an email thread and sends an attached OneNote file.
  2. The OneNote file contains an embedded .wsf script.
  3. The user double-clicks on the OneNote image, which runs the embedded .wsf script.
  4. The .wsf script initiates the Emotet DLL.
  5. The Emotet DLL communicates with the attacker’s command and control (C2) server, sending information about the infected system and receiving commands from the attacker.
  6. The attacker can then use the infected system to carry out further attacks or steal sensitive information.
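A defender-side check for step 2, added here as an example and not part of the HAWKEYE post: a small parser that walks a .one file for embedded file objects and classifies each payload by its bytes, so a gateway can refuse notes that carry scripts or executables. It assumes the MS-ONESTORE FileDataStoreObject layout (header GUID, 8-byte length, 12 bytes unused/reserved, then the data) and runs against a constructed buffer rather than a real sample.

```python
import struct
from typing import List, Tuple

# Assumption (MS-ONESTORE): each embedded file is a FileDataStoreObject that starts
# with the GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} stored little-endian, then an
# 8-byte payload length, 4 unused bytes and 8 reserved bytes, then the payload.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8

# The object stores no file name, so the payload is classified by its own bytes.
SIGNATURES = (
    ("wsf/xml-script", (b"<?xml", b"<job", b"<package", b"<script")),
    ("pe", (b"MZ",)),
    ("hta", (b"<html", b"<HTML", b"<hta:", b"<HTA:")),
)

def classify(payload: bytes) -> str:
    head = payload[3:] if payload.startswith(b"\xef\xbb\xbf") else payload  # drop UTF-8 BOM
    head = head.lstrip(b" \t\r\n")[:64]
    for label, magics in SIGNATURES:
        if any(head.startswith(m) for m in magics):
            return label
    return "unknown"

def extract_embedded(one: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, size, type) for each embedded file object in a .one blob."""
    found = []
    pos = one.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_DATA_OFFSET <= len(one):
        (size,) = struct.unpack_from("<Q", one, pos + 16)
        start = pos + FDSO_DATA_OFFSET
        if size > len(one) - start:   # length field runs past EOF: corrupt, stop
            break
        found.append((pos, size, classify(one[start:start + size])))
        pos = one.find(FDSO_HEADER, start + size)
    return found

def suspicious_types(one: bytes) -> List[str]:
    """Payload types a mail gateway should block inside a OneNote attachment."""
    return [t for _, _, t in extract_embedded(one) if t != "unknown"]

def build_sample() -> bytes:
    """Constructed stand-in for a .one file: a benign PNG object and a WSF object."""
    def obj(payload: bytes) -> bytes:
        return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload
    wsf = b'<?xml version="1.0"?>\n<job id="click"><script language="JScript">WScript.Echo("x");</script></job>'
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    return b"\xe4\x52\x5c\x7b" + b"\0" * 40 + obj(png) + b"\xff" * 9 + obj(wsf) + b"\0" * 8

if __name__ == "__main__":
    for off, size, kind in extract_embedded(build_sample()):
        print(f"offset={off} size={size} type={kind}")
```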

As always, it’s essential to remain vigilant and exercise caution when opening email attachments. The following are the indicators of compromise (IoCs) from the latest Emotet infections:

OneNote file names from 6 samples:

  • Details-3922941.one
  • ECLL 16032023.one
  • List_1603.one
  • Scan_247.one
  • details_481978819.one
  • report 1219844918.one

OneNote SHA256 Hashes:

.WSF in the above .ONE files:

  • SHA256 hash: af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e
  • File size: 63,088 bytes
  • File name: click.wsf
  • Example of saved file location: C:\Users\user1\AppData\Local\Temp\OneNote\16.0\Exported\{56D2BD78-EBDE-44C6-87B3-A47B99EFE0E4}\NT\0\click.wsf

12 URLs generated by the above .WSF:

Example of an Emotet DLL:

[Note: the file size and hash differed when the DLL was downloaded from the same URL at a later time.]
SHA256 hash: aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7
File size: 307,712 bytes
File location: hxxp://malli[.]su/img/PXN5J/
Saved file location: the same temp directory as the click.wsf file above
Saved file name: rad00A25.tmp.dll
File description: 64-bit DLL for Emotet
Run method: regsvr32.exe [filename]
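The execution chain above (script host running click.wsf from OneNote's export folder, then regsvr32.exe loading the dropped .tmp.dll from the same folder) is the part a SOC can alert on. The following is an added example, not tooling from the HAWKEYE post; the event lines are constructed in a simplified key=value form, so the parser must be adapted to the field names of your own process-creation telemetry.

```python
import re
from typing import Dict, List, Tuple

# OneNote writes exported attachments under this per-user path (see the saved file
# location above); any script host or regsvr32 reading from it is worth a look.
ONENOTE_EXPORT = re.compile(r"\\AppData\\Local\\Temp\\OneNote\\[\d.]+\\Exported\\", re.I)
SCRIPT_EXT = (".wsf", ".vbs", ".vbe", ".js", ".jse")

def parse_event(line: str) -> Dict[str, str]:
    """Parse the constructed 'key=value | key=value' record format used below."""
    return dict(kv.split("=", 1) for kv in line.split(" | ") if "=" in kv)

def check_event(ev: Dict[str, str]) -> List[str]:
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    in_export_dir = bool(ONENOTE_EXPORT.search(cmd))
    hits = []
    # Step 3 of the scenario: a script host launching click.wsf from the export folder.
    if image.endswith(("\\wscript.exe", "\\cscript.exe")) and in_export_dir \
            and cmd.lower().rstrip('" ').endswith(SCRIPT_EXT):
        hits.append("script_host_runs_onenote_export")
    # Step 4: regsvr32.exe loading the dropped .tmp.dll from the same folder.
    if image.endswith("\\regsvr32.exe") and in_export_dir:
        hits.append("regsvr32_loads_dll_from_onenote_export")
    # The parent/child relationship alone is also unusual for regsvr32.
    if image.endswith("\\regsvr32.exe") and parent.endswith(("\\wscript.exe", "\\cscript.exe")):
        hits.append("regsvr32_spawned_by_script_host")
    return hits

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (ProcessId, rule names) for every event that fires at least one rule."""
    results = []
    for ev in map(parse_event, lines):
        hits = check_event(ev)
        if hits:
            results.append((ev.get("ProcessId", "?"), hits))
    return results

# Constructed sample events modelled on the chain in this post; not real telemetry.
EXPORT = r"C:\Users\user1\AppData\Local\Temp\OneNote\16.0\Exported\{56D2BD78-EBDE-44C6-87B3-A47B99EFE0E4}\NT\0"
SAMPLE_EVENTS = [
    r'EventID=1 | ProcessId=4120 | Image=C:\Windows\System32\wscript.exe | CommandLine="C:\Windows\System32\wscript.exe" "' + EXPORT + r'\click.wsf" | ParentImage=C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE',
    r'EventID=1 | ProcessId=4188 | Image=C:\Windows\System32\regsvr32.exe | CommandLine=regsvr32.exe ' + EXPORT + r'\rad00A25.tmp.dll | ParentImage=C:\Windows\System32\wscript.exe',
    r'EventID=1 | ProcessId=5000 | Image=C:\Windows\System32\regsvr32.exe | CommandLine=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll" | ParentImage=C:\Windows\System32\msiexec.exe',
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS):
        print(pid, ", ".join(rules))
```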

Successful HTTPS Traffic for Emotet C2 Activity:

– 94.23.45.86 port 4143 (sent approx. 4 MB of data to the infected host immediately before spambot activity)
