Cyble – Recent Emotet Spam Campaign Utilizing New Tactics

Emotet now delivers payloads via OneNote attachments in spam emails, moving away from ZIP-based delivery and introducing a dropper that uses Windows Script File (WSF) with regsvr32 to execute the payload. The campaign downloads Emotet payloads from multiple URLs, verifies payload size, and maintains a C2 connection for additional instructions.

#Emotet #OneNote #WSF #Regsvr32

Key points

  • Emotet re-emerged on March 7 after a three-month pause, continuing its large-scale distribution.
  • Shift from ZIP bombing (large DOCs in ZIPs) to OneNote attachments in spam emails, a known tactic also seen with Qakbot.
  • The user opens a fake OneNote page, and the infection is triggered when they interact with the “View” action.
  • An obfuscated WSF dropper, once decoded, downloads the Emotet payload from a list of URLs and executes it via regsvr32.
  • The downloader checks the fetched payload against a 150 KB size threshold to decide whether to try the next URL or execute what it has already retrieved.
  • Once running, Emotet connects to a C2 server to receive instructions or install additional payloads.
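Defender-side detection logic for the execution chain summarised above (a OneNote page launching a script host, which runs regsvr32 on a DLL named like rad59f5c.tmp.dll from a temp directory), as an added example that is not part of Cyble's write-up. The process events are constructed and their field names are assumptions; the parent-child chain onenote.exe -> wscript.exe -> regsvr32.exe is inferred from the summary, not quoted from it.

```python
import re

# Constructed process-creation events (sample data, not real telemetry); the
# field names are assumptions modelled on a simplified Sysmon-style record.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'"ONENOTE.EXE" C:\Users\u\Downloads\invoice.one'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\click.wsf"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\rad59f5c.tmp.dll"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\shell32.dll"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# DLL under a Temp directory with a GetTempFileName-style name such as the
# campaign's rad59f5c.tmp.dll (generalised here to any "rad<hex>.tmp.dll").
TEMP_DLL_RE = re.compile(r"\\temp\\rad[0-9a-f]+\.tmp\.dll\b", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_emotet_like_chains(events, max_depth=4):
    """Return one finding per regsvr32 launch that matches the campaign pattern.

    High confidence: regsvr32 loads a rad*.tmp.dll from Temp AND its ancestry
    (within max_depth hops) contains a script host and OneNote.
    Medium confidence: only the Temp-DLL indicator is present.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev["image"]) != "regsvr32.exe" or not TEMP_DLL_RE.search(ev["cmdline"]):
            continue
        ancestors, cur = [], by_pid.get(ev["ppid"])
        while cur is not None and len(ancestors) < max_depth:
            ancestors.append(_basename(cur["image"]))
            cur = by_pid.get(cur["ppid"])
        via_script = any(a in SCRIPT_HOSTS for a in ancestors)
        from_onenote = "onenote.exe" in ancestors
        confidence = "high" if (via_script and from_onenote) else "medium"
        findings.append({"pid": ev["pid"], "confidence": confidence, "ancestors": ancestors})
    return findings


if __name__ == "__main__":
    for finding in find_emotet_like_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the regsvr32 launch rooted in OneNote is reported; the unrelated regsvr32 run against a System32 DLL is ignored because it matches neither the temp-path nor the naming indicator.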

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – ‘now employs OneNote attachments instead of a ZIP archive with malicious document files in spam emails.’
  • [T1059] Command and Scripting Interpreter – used to execute commands via scripting environments during the drop process.
    Quote: ‘…executed using regsvr32.’
  • [T1218] Signed Binary Proxy Execution – Regsvr32 is used to run the payload.
    Quote: ‘subsequently executed using regsvr32.’
  • [T1140] Deobfuscate/Decode Files or Information – de-obfuscated .wsf content reveals payload download logic.
    Quote: ‘After de-obfuscation, the contents of the .wsf file reveal a list of URLs…’
  • [T1105] Ingress Tool Transfer – the de-obfuscated content includes the code to download an Emotet payload from URLs.
    Quote: ‘download an Emotet payload from a predetermined set of URLs.’
  • [T1547] Registry Run Keys / Startup Folder – persistence via Registry Run Keys.
    Quote: ‘Registry Run Keys / Startup Folder’
  • [T1082] System Information Discovery – listed in the tactic table as a discovery technique.
    Quote: ‘System Information Discovery’
  • [T1083] File and Directory Discovery – listed as a discovery technique.
    Quote: ‘File and Directory Discovery’
  • [T1071] Application Layer Protocol – C2 communications to receive instructions.
    Quote: ‘C&C server to receive additional instructions or install extra payloads.’

Indicators of Compromise

  • [URL] Delivery indicators – malli.su:80/img/PXN5J/, kts.group/35ccbf2003/jKgk8/ and other URLs (as listed in the article)
  • [MD5] Spam Email – 9708680347a58e18f41c0e211032e563
  • [SHA1] Spam Email – 81c8b1069382ea1dcd1afe7283c28e4de73b339d
  • [SHA256] Spam Email – a1a3160e424b860659a73a579a5f01fe0caeb14517da015b3095a86231642b0f
  • [MD5] OneNote Attachment – 9313a883ff85f0384ac4276bdab8937b
  • [MD5] WSF file – ae25f2104967b2708ac9dba80aac52fd
  • [MD5] Emotet DLL file – bfc060937dc90b273eccb6825145f298
  • [File name] Emotet dropper payload name – rad59f5c.tmp.dll

Read more: https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/