Emotet pivots to alternative file type with the aim of bypassing Microsoft defences

Target Industry

Indiscriminate, opportunistic targeting.

Overview

The Emotet malware is now being distributed via Microsoft OneNote email attachments, an infection vector chosen to bypass Microsoft security defences. The botnet has previously been notorious for distribution via Microsoft Word and Microsoft Excel attachments containing malicious macros.

As noted earlier in March 2023, the Emotet threat actor took an unexpected break from malicious activity for four months, between 13th July and 2nd November 2022. A second hiatus was then observed throughout the three-month period leading up to March 2023. However, the most recent wave of attacks did not deliver the desired outcome, because Microsoft defence solutions now automatically block macros in downloaded Microsoft Word and Excel documents. As such, the threat actor group has switched to deploying the malware via Microsoft OneNote files. The files are distributed in reply-chain emails that masquerade as generic guides, invoices and job references.

In this Emotet campaign, the threat actors have hidden a malicious Windows Script File (VBScript) named ‘click.wsf’ beneath the “View” button that is displayed when the OneNote file is opened. The file contains an obfuscated script that downloads a Dynamic-Link Library (DLL) from a remote website and then executes it. When the user clicks the button, the embedded click.wsf script is executed by WScript.exe from OneNote’s Temp folder and downloads the Emotet malware as a DLL. Emotet then operates covertly on the target device, gathering the desired data and awaiting commands from its command-and-control (C2) server.

Impact

Emotet employs a ‘spray and pray’ tactic, so all organisation types are potential victims. The phishing emails associated with the malware are highly sophisticated and specifically designed to deceive the intended targets.

Upon successful exploitation, Emotet will almost certainly harvest all emails held on the target system. Additional compromise via malware, such as Cobalt Strike, is a realistic possibility. Immediate defensive action is therefore recommended to prevent data encryption and loss upon initial Emotet detection.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against malware threats such as Emotet. An EDR can alert users to a potential breach and halt further progress of the attack before the malware causes significant damage.

Upon infection, the Emotet DLL is written to a randomly named folder under the user’s AppData\Local directory (User\AppData\Local\). Emotet then launches the installed DLL using the legitimate ‘regsvr32.exe’ utility, so that file path will appear in the regsvr32.exe command line.

To maintain persistence on an infected system, Emotet will create an entry under the following registry path:

– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

As with the DLL, this Run-key entry will have a random name made up of a jumbled sequence of characters.
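The two host artefacts described above (a regsvr32.exe command line referencing a DLL under AppData\Local, and a Run-key entry that launches it) can be hunted for directly. The following PowerShell is an added example written for this bulletin, not code from the original page or from any vendor; it assumes Sysmon is installed for the process-creation check (the Run-key check needs nothing extra), and the sample command line at the end is constructed.

```powershell
# Added example (not from the bulletin): hunt for the Emotet artefacts described above.
#   1. HKCU Run-key values that launch regsvr32.exe against a DLL under AppData\Local
#   2. Recent Sysmon process-creation events (Event ID 1) showing the same pattern
# Assumption: Sysmon is installed; if its log is absent the event check is skipped.

function Test-SuspiciousRegsvr32CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # regsvr32.exe itself is legitimate; the signal is regsvr32 combined with a
    # user-writable AppData\Local path, which is where the bulletin says the DLL lands.
    return ($CommandLine -match '(?i)regsvr32(\.exe)?\b' -and
            $CommandLine -match '(?i)\\AppData\\Local\\')
}

function Get-SuspiciousRunKeyEntries {
    param([string]$Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    if (-not (Test-Path $Path)) { return @() }
    $item = Get-ItemProperty -Path $Path
    $hits = @()
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the provider metadata properties that Get-ItemProperty adds.
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        if (Test-SuspiciousRegsvr32CommandLine -CommandLine ([string]$prop.Value)) {
            # The value name itself is expected to be random-looking; report it for triage.
            $hits += [pscustomobject]@{ Source = 'RunKey'; Name = $prop.Name; CommandLine = $prop.Value }
        }
    }
    return $hits
}

function Get-SuspiciousRegsvr32Events {
    param([int]$Hours = 24)
    $log = 'Microsoft-Windows-Sysmon/Operational'
    if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) { return @() }
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $cmd = ($xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -and (Test-SuspiciousRegsvr32CommandLine -CommandLine $cmd)) {
                [pscustomobject]@{ Source = 'Sysmon'; Time = $_.TimeCreated; CommandLine = $cmd }
            }
        }
}

# Constructed sample command lines (not real telemetry): the first matches the
# bulletin's pattern, the second is a normal system DLL registration and does not.
Test-SuspiciousRegsvr32CommandLine -CommandLine 'regsvr32.exe /s "C:\Users\alice\AppData\Local\xkqzt\ubrmfa.dll"'
Test-SuspiciousRegsvr32CommandLine -CommandLine 'regsvr32.exe /s C:\Windows\System32\example.dll'

# Live checks on the host the script runs on.
Get-SuspiciousRunKeyEntries
Get-SuspiciousRegsvr32Events -Hours 24
```

The path test deliberately matches any DLL under AppData\Local rather than a specific folder name, because the bulletin states the folder name is random; expect a small number of benign hits from per-user installers and triage them by signature and hash.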

Affected Products

– Windows OS

Containment, Mitigations & Remediations

With respect to the current campaign, Microsoft confirmed in their Microsoft 365 Roadmap that improved detections in OneNote would be implemented. However, a specific timeline for a universal rollout has not been confirmed as of the time of writing.

In the interim, Windows administrators can configure group policies to protect against malicious Microsoft OneNote files. These policies can either block embedded files in Microsoft OneNote entirely or block specific embedded file extensions from being run. It is strongly recommended that Windows administrators apply one of these options until Microsoft implements further protections for OneNote.
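The two policy options above can be tested on a single host before a fleet-wide GPO rollout. The PowerShell below is an added example for this bulletin, not Microsoft's or the original author's code. It assumes that the registry-backed policy values it writes are the ones the Office ADMX templates expose for OneNote (version 16.0 key path, a ‘DisableEmbeddedFiles’ DWORD and a ‘BlockedExtensions’ string); confirm the key path and value names against the template version you deploy.

```powershell
# Added example (not from the bulletin): apply one of the two OneNote embedded-file
# policies on a single host. Assumption: the key path and value names below match the
# Office ADMX templates for OneNote 16.0; verify against your template version and
# deploy via GPO rather than running this per machine.

$PolicyKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\OneNote\Options\EmbeddedFileOpenOptions'

# Option A: block every embedded file from being opened in OneNote.
function Set-OneNoteEmbeddedFilesBlocked {
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'DisableEmbeddedFiles' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Option B: keep embedded files usable but block script and executable extensions,
# including the .wsf type used by this campaign. The list is a starting point, not exhaustive.
function Set-OneNoteBlockedExtensions {
    param(
        [string[]]$Extensions = @('.wsf', '.vbs', '.vbe', '.js', '.jse', '.hta', '.exe', '.com',
                                  '.cmd', '.bat', '.ps1', '.scr', '.msi', '.dll', '.lnk')
    )
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'BlockedExtensions' -PropertyType String `
        -Value ($Extensions -join ';') -Force | Out-Null
}

# Read back what is currently applied so the change can be verified (returns $null if unset).
function Get-OneNoteEmbeddedFilePolicy {
    if (-not (Test-Path $PolicyKey)) { return $null }
    Get-ItemProperty -Path $PolicyKey | Select-Object DisableEmbeddedFiles, BlockedExtensions
}

Set-OneNoteBlockedExtensions
Get-OneNoteEmbeddedFilePolicy
```

Option A is the stronger control and is the one to prefer where users do not rely on embedded attachments; Option B is the fallback where they do. Either way, the policy only affects OneNote's own handling of the attachment, so the email-gateway blocking of .wsf and similar attachments listed below remains worthwhile.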

From the perspective of general mitigation strategies against Emotet malware, it is recommended that employees receive training on how to detect markers of phishing emails. The attack vector of initial compromise is that of phishing and therefore in-house training will be a robust method of reducing the effectiveness of future campaigns.

Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recommend that network defenders apply the following best practices to strengthen the security posture of their organisation’s systems against Emotet exploitation:

– Block email attachments commonly associated with malware (e.g., .dll and .exe)
– Block email attachments that cannot be scanned by antivirus software (e.g., .zip files)
– Implement Group Policy Object and firewall rules
– Implement an antivirus programme and a formalised patch management process
– Implement filters at the email gateway and block suspicious IP addresses at the firewall
– Adhere to the principle of least privilege
– Implement a Domain-based Message Authentication, Reporting & Conformance (DMARC) validation system
– Segment and segregate networks and functions
– Limit unnecessary lateral communications
– Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication
– Enforce the multi-factor authentication requirement
– Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known
– Enable a firewall on agency workstations, configured to deny unsolicited connection requests
– Disable unnecessary services on agency workstations and servers
– Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header)
– Monitor users’ web browsing habits; restrict access to suspicious or risky sites
– Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs)
– Scan all software downloaded from the internet prior to executing
– Maintain situational awareness of the latest threats and implement appropriate access control lists.

Indicators of Compromise

Emotet associated file hashes (SHA-256):

– 35ac91edc35106c81fae5e6571f3247e03bd2e0cb62babae03bece5bd305bceb
– 0853f8b8bf0ba0f87fecb27e8e402e6c7b7fa56bbaf8810c7ff4607351e733ee
– 152870419a11ac79a6b864c7206f3170c4c9702b64fbfb88eca2a712aee973ed
– 16a30d27db5ff8f147cdf95ecdb0be21d6ee44ef4ccd609f3ac2fcf3ba71a287
– 17a8032270b9091dc93192760e6eb111045449ce0e81c7e35e13e3da8b1ed7aa
– 2cc3396b614c4c58537944cb51dcfc8b46def10dc3ba4b345db2e875ef433344
– 416de3ee367821b985b61d270d95b722acc223ef63bfd12362c853e64a82c888
– 452bd4d87d5380bfaa4f66fe3cab035548d5565b853c0e29733baa3a58cd330a
– 49b0eb1060327996e779198b4415fc5f5c1e4c82884cc7a98adf3c6807ecbf09
– 5345d5694dca1b75b2fc6b8e0a9691ea835273dfa1b1228509a153582a77ccfb
– 75e12e652b92ce0b03b30e21e306d754f04b436c861fe411c1c130fa034156d1
– baefa89c591aa88fd3be3f22b5a06ba75a526f37848832e19722462172af0577
– d266dec08da234320879f2d2d210ddc4cc626973130b3d9066a6c50c5f191f0f
– d2ca58c087c1cdb343cf2dd78467e2418a54813ccaefda71940a43915b051bc5
– d6e6f3b8415b46233ea02e97e2d7dcc27aa819340a68532d9b116bb036f0c376
– e3f144e6a914585fc86d96ddee6819e3b11f2103cda0f1cd7553c9034d5dcf16
– e9cef155457280e79bf9e7a04529bfeb7e9972b6c42eb2aab8eba56839546556
– f97b77abc8d3585e6b542011cec52154bb9177011729c74ac293d6eeb78c53f8
– fc43d2f333c8ba98e1da6a28187bdd3465989a8e306f8d3bd4ca03864aa61c0e
– fd50db3848da30ba0200c81d29a5beee64be5c4481127b17a50ffa2b47381822

Emotet associated IP addresses:

– 103.75.201[.]2
– 104.168.155[.]143
– 159.89.202[.]34
– 164.90.222[.]65
– 186.250.48[.]5
– 188.44.20[.]25
– 202.29.239[.]162
– 206.189.28[.]199
– 45.235.8[.]30
– 116.125.120[.]88
– 103.224.241[.]74
– 213.239.212[.]5
– 182.162.143[.]56
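The hashes and addresses above are defanged (the ‘[.]’ notation) so they cannot be clicked by accident; they need to be refanged before they are matched against telemetry. The PowerShell below is an added example for this bulletin, not the original author's code: it refangs the IP list, searches log lines for them, and hashes DLLs under the AppData\Local location named in the detection section against the SHA-256 list. Only a subset of the bulletin's indicators is embedded, the sample log lines are constructed, and the log path is a placeholder.

```powershell
# Added example (not from the bulletin): sweep a host and a log export for the
# indicators listed above. Hash and IP values are copied from the bulletin's list
# (subset shown; paste in the full lists). Sample log lines are constructed.

$IocHashes = @(
    '35ac91edc35106c81fae5e6571f3247e03bd2e0cb62babae03bece5bd305bceb',
    '0853f8b8bf0ba0f87fecb27e8e402e6c7b7fa56bbaf8810c7ff4607351e733ee',
    '152870419a11ac79a6b864c7206f3170c4c9702b64fbfb88eca2a712aee973ed'
    # ... remaining SHA-256 values from the list above
)
$IocIpsDefanged = @('103.75.201[.]2', '104.168.155[.]143', '159.89.202[.]34')
# ... remaining addresses from the list above

function ConvertFrom-DefangedIp {
    param([Parameter(Mandatory)][string]$Value)
    # Defanging replaces each '.' with '[.]'; undo it to get a matchable address.
    return ($Value -replace '\[\.\]', '.')
}

function Find-IocFileHashes {
    # The bulletin says the DLL lands in a randomly named folder under AppData\Local,
    # so hash every DLL beneath that root and compare against the indicator set.
    param([string]$Root = $env:LOCALAPPDATA, [string[]]$Hashes = $IocHashes)
    $wanted = $Hashes | ForEach-Object { $_.ToLowerInvariant() }
    Get-ChildItem -Path $Root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and ($h.ToLowerInvariant() -in $wanted)) {
                [pscustomobject]@{ Path = $_.FullName; SHA256 = $h }
            }
        }
}

function Find-IocIpsInLog {
    param([Parameter(Mandatory)][string[]]$Lines, [string[]]$DefangedIps = $IocIpsDefanged)
    $ips = $DefangedIps | ForEach-Object { ConvertFrom-DefangedIp -Value $_ }
    # Escape the dots so '103.75.201.2' cannot match '103x75x201x2', and anchor on
    # word boundaries so '45.235.8.30' cannot match inside '145.235.8.301'.
    $pattern = '\b(' + (($ips | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'
    $Lines | ForEach-Object {
        if ($_ -match $pattern) { [pscustomobject]@{ Ip = $Matches[1]; Line = $_ } }
    }
}

# Constructed sample log lines (not real telemetry): one hit, one miss.
$sampleLog = @(
    '2023-03-20T10:01:02Z src=10.0.0.5 dst=103.75.201.2 dport=8080 action=allow',
    '2023-03-20T10:01:05Z src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow'
)
Find-IocIpsInLog -Lines $sampleLog

# Against a real export, replace the placeholder path with your proxy/firewall log.
# Find-IocIpsInLog -Lines (Get-Content 'C:\PLACEHOLDER\firewall-export.log')
Find-IocFileHashes
```

Indicator lists like this age quickly (the botnet rotates C2 addresses), so treat a hash or address match as a strong lead to investigate rather than the only detection, and keep the regsvr32 and Run-key behavioural checks from the detection section in place alongside it.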

Threat Landscape

The spam distribution of Emotet phishing emails is particularly dangerous as it is difficult to provide early warning alerts of which organisations and industry sectors are likely to be targeted, as no specific targeting profiles exist.

As was predicted earlier this month, Emotet threat actors have pivoted to an alternative attachment type, in the form of OneNote, to bypass the most recent Microsoft defence upgrades.

Threat Group

The Emotet threat actor group (also tracked as Gold Crestwood, Mummy Spider, or TA542) took an unexpected break from malicious activity for four months, between 13th July and 2nd November 2022. A second hiatus was then observed to have occurred throughout the three-month period leading up to March 2023.

While there is currently no direct reporting on why these suspensions of activity occurred, there is a realistic possibility that the absences were due to the threat actor group having met predetermined aims and now planning further objectives. It is likely that the Emotet group receives additional financial benefit from the distribution of third-party ransomware, a factor which may be linked to the group’s return. The fact that a second period of suspended operations has been documented makes this a significant behavioural trend that could continue.

Mitre Methodologies

Initial Access:

T1566.001 – Phishing: Spearphishing Attachment
T1566.002 – Phishing: Spearphishing Link
T1078.003 – Valid Accounts: Local Accounts

Execution:

T1059 – Command and Scripting Interpreter
T1053.005 – Scheduled Task/Job: Scheduled Task
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1047 – Windows Management Instrumentation

Persistence:

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1543.003 – Create or Modify System Process: Windows Service
T1053.005 – Scheduled Task/Job: Scheduled Task
T1078.003 – Valid Accounts: Local Accounts

Privilege Escalation:

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1543.003 – Create or Modify System Process: Windows Service
T1055.001 – Process Injection: Dynamic-link Library Injection
T1053.005 – Scheduled Task/Job: Scheduled Task
T1078.003 – Valid Accounts: Local Accounts

Defence Evasion:

T1055.001 – Process Injection: Dynamic-link Library Injection
T1078.003 – Valid Accounts: Local Accounts
T1027 – Obfuscated Files or Information

Credential Access:

T1110.001 – Brute Force: Password Guessing
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1040 – Network Sniffing
T1003.001 – OS Credential Dumping: LSASS Memory
T1552.001 – Unsecured Credentials: Credentials in Files

Discovery:

T1040 – Network Sniffing
T1087.003 – Account Discovery: Email Account
T1057 – Process Discovery

Lateral Movement:

T1210 – Exploitation of Remote Services
T1021.002 – Remote Services: SMB/Windows Admin Shares

Collection:

T1560 – Archive Collected Data
T1114.001 – Email Collection: Local Email Collection

Command and Control:

T1573.002 – Encrypted Channel: Asymmetric Cryptography
T1571 – Non-Standard Port

Exfiltration:

T1041 – Exfiltration Over C2 Channel

Further Information

Microsoft 365 Roadmap
Malwarebytes Blog
TrendMicro Report