The Emotet malware is now being distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.
Emotet is a notorious malware botnet historically distributed via Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL is downloaded and executed that installs the Emotet malware on the device.
Once loaded, the malware steals email contacts and email content for use in future spam campaigns. It also downloads other payloads that provide initial access to the corporate network.
This access is used to conduct cyberattacks against the company, which can include ransomware attacks, data theft, cyber espionage, and extortion.
While Emotet was the most distributed malware in the past, over the last year it has stopped and started in spurts, ultimately taking a break towards the end of 2022.
After three months of inactivity, the Emotet botnet suddenly turned back on, spewing malicious emails worldwide earlier this month.
However, this initial campaign was flawed, as it continued to use Word and Excel documents with macros. Because Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails, this campaign would only infect a few people.
Because of this, BleepingComputer predicted that Emotet would switch to Microsoft OneNote files, which have become a popular method for distributing malware since Microsoft began blocking macros.
Emotet switches to Microsoft OneNote
As predicted, in an Emotet spam campaign first spotted by security researcher abel, the threat actors have now begun distributing the Emotet malware using malicious Microsoft OneNote attachments.
These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.
Attached to the email are Microsoft OneNote documents that display a message stating that the document is protected. They then prompt you to double-click the 'View' button to display the document properly.
Microsoft OneNote lets you create documents that contain design elements overlaying an embedded file. However, when you double-click the location where the embedded file is positioned, the file is launched even if there is a design element covering it.
In this Emotet malware campaign, the threat actors have hidden a malicious VBScript file called 'click.wsf' beneath the 'View' button, so that double-clicking the button actually launches the script.
This file contains a heavily obfuscated VBScript that downloads a DLL from a remote, likely compromised, website and then executes it.
While Microsoft OneNote does display a warning when a user attempts to launch an embedded file, history has shown that many users simply click 'OK' to dismiss the alert.
If the user clicks the OK button, the embedded click.wsf VBScript file is executed with WScript.exe from OneNote's Temp folder, whose GUID-named subfolder will likely differ for each user:
"%Temp%\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\click.wsf"
The script then downloads the Emotet malware as a DLL [VirusTotal] and stores it in the same Temp folder. It then launches the randomly named DLL using regsvr32.exe.
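The execution chain above (OneNote launching WScript.exe on a script under its Exported folder, and that script host in turn launching regsvr32.exe on a DLL from the same folder) is a narrow, host-based detection opportunity. The following Python is an added example, not code from BleepingComputer or from the campaign: it parses process-creation events and flags both stages of the chain. The log lines are constructed here in a simplified key=value rendering of Sysmon Event ID 1 fields; the user name, PIDs and the DLL name ltqwzp.dll are invented, and the GUID folder is the one shown on the page. cscript.exe and rundll32.exe are included as assumed siblings of the script host and loader the page names.

```python
"""Detect the OneNote -> WScript.exe -> regsvr32.exe chain.

Added example; not code from BleepingComputer or from the campaign. The log
lines below are constructed in a simplified key=value form of Sysmon Event
ID 1 (process creation) fields; real telemetry would come from Sysmon, EDR
or Windows 4688 events. PIDs, the user name and ltqwzp.dll are invented.
"""
import re
from dataclasses import dataclass

# OneNote copies a launched embedded file to %Temp%\OneNote\16.0\Exported\{GUID}\...
# before running it, so anything executing from that folder is the signal.
ONENOTE_TEMP_RE = re.compile(
    r'[A-Za-z]:\\[^"\s]*?\\OneNote\\16\.0\\Exported\\\{[0-9A-Fa-f-]{36}\}\\[^"\s]*',
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # cscript.exe: assumed sibling of wscript.exe
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}  # rundll32.exe: assumed alternative loader

# Constructed line format: pid=<n> ppid=<n> image=<path> cmdline=<rest of line>
LINE_RE = re.compile(r"^pid=(\d+) ppid=(\d+) image=(.+?) cmdline=(.*)$")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed 'pid= ppid= image= cmdline=' lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(int(m[1]), int(m[2]), m[3], m[4]))
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_onenote_chains(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, offending path) for each stage of the chain observed.

    Stage 1: a script host started by onenote.exe with a script under the
             OneNote Exported folder (the click.wsf launch).
    Stage 2: a DLL loader started by that script host with a DLL under the
             same folder (the regsvr32.exe launch of the downloaded DLL).
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        hit = ONENOTE_TEMP_RE.search(e.cmdline)
        if not hit:
            continue  # nothing from the OneNote export folder on this command line
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = _basename(parent.image) if parent else ""
        if name in SCRIPT_HOSTS and parent_name == "onenote.exe":
            alerts.append(("onenote_launches_script_host", e.pid, hit.group(0)))
        elif name in DLL_LOADERS and parent_name in SCRIPT_HOSTS:
            alerts.append(("script_host_loads_dll_from_onenote_temp", e.pid, hit.group(0)))
    return alerts


# Constructed sample: the malicious chain (1200 -> 1300 -> 1400) plus two benign
# launches of the same binaries that must not alert.
SAMPLE_LOG = r"""
pid=1200 ppid=900 image=C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE cmdline="C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE" C:\Users\alice\Downloads\invoice.one
pid=1300 ppid=1200 image=C:\Windows\System32\wscript.exe cmdline="C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\click.wsf"
pid=1400 ppid=1300 image=C:\Windows\System32\regsvr32.exe cmdline=regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\ltqwzp.dll"
pid=1500 ppid=900 image=C:\Windows\System32\wscript.exe cmdline="C:\Windows\System32\WScript.exe" C:\Scripts\map-drives.vbs
pid=1600 ppid=950 image=C:\Windows\System32\regsvr32.exe cmdline=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
"""

if __name__ == "__main__":
    for rule, pid, path in find_onenote_chains(parse_log(SAMPLE_LOG)):
        print(f"{rule}: pid {pid} -> {path}")
```

The two benign events (a logon script run by explorer.exe and a vendor DLL registered from Program Files) show why the rule keys on the OneNote Exported path rather than on WScript.exe or regsvr32.exe alone; both binaries are common in legitimate use, but neither has any reason to run content from that folder outside a user launching an embedded OneNote attachment.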
Emotet will now quietly run on the device, stealing email and contacts and awaiting further commands from the command and control server.
While it is not known what payloads this campaign ultimately drops, Emotet commonly leads to Cobalt Strike or other malware being installed.
These payloads allow threat actors working with Emotet to gain access to the device and use it as a springboard to spread further into the network.
Blocking malicious Microsoft OneNote paperwork
Microsoft OneNote has become a huge malware distribution problem, with multiple malware campaigns now using these attachments.
Because of this, Microsoft will be adding improved protections in OneNote against phishing documents, but there is no specific timeline for when they will be available to everyone.
However, Windows admins can configure group policies to protect against malicious Microsoft OneNote files.
Admins can use these group policies either to block embedded files in Microsoft OneNote altogether or to specify particular file extensions that should be blocked from running.
You can read more about the available group policies in a dedicated article BleepingComputer wrote earlier this month.
It is strongly suggested that Windows admins use one of these options until Microsoft adds further protections to OneNote.