The script deploys the Emotet malware as a DLL and stores it in the same Temp folder. In our case, after the user presses the OK button, the embedded f VBScript file is run using WScript.exe from OneNote’s Temp folder. However, most users click „OK” in a hurry to get past the alert and carry on with their actions. The file contains an obfuscated script that downloads and executes a DLL from a probably compromised website.Įvery time a user attempts to launch an embedded file in OneNote, Microsoft OneNote displays a warning message. To reach their goals, threat actors hid a malicious VBScript file called ‘f’ underneath the “View” button. However, when you double-click on the location where the embedded file is located, even if there is a design element over it, the file will be launched. Microsoft OneNote allows you to create documents that contain design elements that overlay an embedded document. Hackers attach to the emails Microsoft OneNote docs that show a message which states the document is protected and asks the user to double-click the ‘View’ button to display the document properly. After Microsoft decided to block macros in downloaded Office files, OneNote attachments were the next best choice. Usually, the dropper malware uses spam emails to spread malicious attachments. Gold Crestwood, Mummy Spider, or TA542 is the malicious actor known to run Emotet. How the New Emotet Malware Campaign Works So, hackers switched to using Microsoft OneNote files now.
But since Microsoft currently blocks macros by default for that kind of file, only a few people risked infection. Threat actors initially tried to use Word and Excel docs for deploying the malware.
Emotet malware returns after three months break and uses Microsoft OneNote attachments to avoid macro-based security restrictions.
0 kommentar(er)
