Emotet malware now distributed in Microsoft OneNote files to evade defenses

Phishing emails with malware

The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.

Emotet is a notorious malware botnet historically distributed via Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL is downloaded and executed that installs the Emotet malware on the device.

Once loaded, the malware steals email contacts and email content for use in future spam campaigns. It also downloads other payloads that provide initial access to the corporate network.

This access is used to conduct cyberattacks against the company, which can include ransomware attacks, data theft, cyber espionage, and extortion.

While Emotet was the most widely distributed malware in the past, over the last year it has stopped and started in spurts, ultimately taking a break towards the end of 2022.

After three months of inactivity, the Emotet botnet suddenly turned back on, spewing malicious emails worldwide earlier this month.

However, this initial campaign was flawed, as it continued to use Word and Excel documents with macros. Because Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails, this campaign would only infect a small number of people.

Malicious Emotet Word document used earlier this month
Source: BleepingComputer

Because of this, BleepingComputer predicted that Emotet would switch to Microsoft OneNote files, which have become a popular method for distributing malware since Microsoft began blocking macros.

Emotet switches to Microsoft OneNote

As predicted, in an Emotet spam campaign first spotted by security researcher abel, the threat actors have now begun distributing the Emotet malware using malicious Microsoft OneNote attachments.

These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.


Emotet spam email
Source: BleepingComputer

Attached to the email are Microsoft OneNote documents that display a message stating that the document is protected. The document then prompts you to double-click the 'View' button to display it properly.

Malicious Microsoft OneNote attachment
Source: BleepingComputer

Microsoft OneNote lets you create documents that contain design elements overlaying an embedded file. However, when you double-click the location where the embedded file is positioned, the file is launched even if there is a design element covering it.

In this Emotet malware campaign, the threat actors have hidden a malicious VBScript file called 'click.wsf' underneath the "View" button, as shown below.

Hidden click.wsf file in the Microsoft OneNote document
Source: BleepingComputer

This VBScript file contains a heavily obfuscated script that downloads a DLL from a remote, likely compromised, website and then executes it.

Malicious click.wsf VBScript file
Source: BleepingComputer

While Microsoft OneNote displays a warning when a user attempts to launch an embedded file, history has shown that many users simply click 'OK' to dismiss the alert.

Warning when opening a file embedded in Microsoft OneNote
Source: BleepingComputer

If the user clicks the OK button, the embedded click.wsf VBScript file is executed using WScript.exe from OneNote's Temp folder, a path that will likely differ for each user:

"%Temp%\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\click.wsf"

The script then downloads the Emotet malware as a DLL [VirusTotal] and stores it in the same Temp folder. It then launches the randomly named DLL using regsvr32.exe.

Emotet now runs quietly on the device, stealing email and contacts and awaiting further commands from the command and control server.
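The execution chain described above (WScript.exe launching a script from OneNote's Exported Temp folder, followed by regsvr32.exe loading a DLL from the same folder) can be turned into a simple process-creation detection. The script below is an added example, not BleepingComputer's or Emotet's code; the event fields (parent image, image, command line) are assumed to come from a Sysmon Event ID 1 style source, the sample events are constructed, and the DLL name in them is made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directory pattern from the article: OneNote writes embedded files to
# %Temp%\OneNote\16.0\Exported\{GUID}\... before launching them.
ONENOTE_EXPORT_RE = re.compile(r"\\OneNote\\16\.0\\Exported\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    parent: str    # parent image name (assumed field, e.g. Sysmon ParentImage)
    image: str     # image name of the newly created process
    cmdline: str   # full command line of the new process


def check_event(ev: ProcEvent) -> Optional[str]:
    """Return a detection label for one process-creation event, or None."""
    if not ONENOTE_EXPORT_RE.search(ev.cmdline):
        return None
    img = ev.image.lower()
    if img in SCRIPT_HOSTS:
        # Stage 1 from the article: click.wsf run by WScript.exe from the Exported folder.
        return "onenote_embedded_script_launch"
    if img == "regsvr32.exe" and ".dll" in ev.cmdline.lower():
        # Stage 2: the downloaded DLL registered from the same Temp folder.
        return "onenote_exported_dll_regsvr32"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (image, label) for every event that matches a detection."""
    return [(ev.image, label) for ev in events if (label := check_event(ev)) is not None]


# Constructed sample events; the GUID is the one shown in the article, the DLL name is invented.
EXPORT_DIR = r"C:\Users\u\AppData\Local\Temp\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT"
SAMPLE_EVENTS = [
    ProcEvent("onenote.exe", "wscript.exe", f'"C:\\Windows\\System32\\WScript.exe" "{EXPORT_DIR}\\click.wsf"'),
    ProcEvent("wscript.exe", "regsvr32.exe", f'regsvr32.exe "{EXPORT_DIR}\\a8f3k2.dll"'),
    ProcEvent("explorer.exe", "wscript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Scripts\backup.wsf"'),
    ProcEvent("onenote.exe", "notepad.exe", f'notepad.exe "{EXPORT_DIR}\\notes.txt"'),
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

Only the two Emotet-style events are flagged; a legitimate wscript.exe run outside the OneNote Temp folder and a benign notepad.exe launch from that folder are ignored.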

While it is not known what payloads this campaign ultimately drops, Emotet infections commonly lead to Cobalt Strike or other malware being installed.

These payloads allow threat actors working with Emotet to gain access to the device and use it as a springboard to spread further into the network.

Blocking malicious Microsoft OneNote documents

Microsoft OneNote has become a significant malware distribution problem, with multiple malware campaigns using these attachments.

Because of this, Microsoft will be adding improved protections in OneNote against phishing documents, but there is no specific timeline for when these will be available to everyone.

However, Windows admins can configure group policies to protect against malicious Microsoft OneNote files.

Admins can use these group policies either to block embedded files in Microsoft OneNote altogether or to specify particular file extensions that should be blocked from running.

All file attachments are blocked in Microsoft OneNote
Source: BleepingComputer

You can read more about the available group policies in a dedicated article BleepingComputer wrote earlier this month.

It is strongly suggested that Windows admins use one of these options until Microsoft adds further protections to OneNote.
