430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Emotet is back after a three-month hiatus

The infamous Emotet malware is back after a short hiatus, threat actors are spreading it via Microsoft OneNote email attachments. The Emotet malware returns after a three-month hiatus and threat actors are distributing it via Microsoft OneNote email attachments to avoid detection. The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked […]

Emotet OneNote

The infamous Emotet malware is back after a short hiatus, threat actors are spreading it via Microsoft OneNote email attachments.

The Emotet malware returns after a three-month hiatus and threat actors are distributing it via Microsoft OneNote email attachments to avoid detection.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.

The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as ContiProLockRyuk, and Egregor.

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.

Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.

The operators remained inactive between July and November 2022. In November, Proofpoint researchers warned of the return of the Emotet malware after having observed a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.

MalwareBytes researchers noticed that the new campaign was powered by the botnet Epoch 4.

“Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.” reads the post published by MalwareBytes. “One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet’s turn to follow along.”

The OneNote file attachment poses as a fake notification stating that the document is protected. The recipient is instructed to double-click on the View button in the content of the mail causing the victims inadvertently double-click on an embedded script file instead.

Emotet OneNote

Then the Windows scripting engine (wscript.exe) executes the following command:

%Temp%\OneNote\16.0\NT\0\click.wsf"

to execute a heavily obfuscated script that retrieves the Emotet binary payload from a remote server.

The malicious DLL is then executed via regsvr32.exe to install the notorious malware on the target system.

Cofense researchers also reported that Emotet malicious activity resumed on March 7, 2023, the messages detected by the company contain attached .zip files that are not password protected.

The attached .zip files deliver weaponized Office documents that download and execute the Emotet .dll.

“It is unclear how long this round of email activity will last. While an earlier round of activity in 2022 extended across multiple weeks, the last round occurred over less than two weeks in November 2022, with more than three months of inactivity on either side.” states Cofense.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)