The Emotet malware is now distributed utilizing Microsoft OneNote e-mail attachments, aiming to bypass Microsoft safety restrictions and infect extra targets.

Emotet is a infamous malware botnet traditionally distributed via Microsoft Phrase and Excel attachments that comprise malicious macros. If a consumer opens the attachment and permits macros, a DLL shall be downloaded and executed that installs the Emotet malware on the system.

As soon as loaded, the malware will steal e-mail contacts and e-mail content material to be used in future spam campaigns. It is going to additionally obtain different payloads that present preliminary entry to the company community.

This entry is used to conduct cyberattacks towards the corporate, which may embody ransomware assaults, knowledge theft, cyber espionage, and extortion.

Whereas Emotet was one of the vital distributed malware previously, over the previous 12 months, it will cease and begin in spurts, in the end taking a break in direction of the tip of 2022.

After three months of inactivity, the Emotet botnet suddenly turned back on, spewing malicious emails worldwide earlier this month.

Nonetheless, this preliminary marketing campaign was flawed because it continued to make use of Phrase and Excel paperwork with macros. As Microsoft now routinely blocks macros in downloaded Phrase and Excel paperwork, together with these connected to emails, this marketing campaign would solely infect a number of individuals.

On account of this, BleepingComputer predicted that Emotet would swap to Microsoft OneNote information, which have turn into a preferred technique for distributing malware after Microsoft started blocking macros.

Emotet switches to Microsoft OneNote

As predicted, in an Emotet spam marketing campaign first spotted by safety researcher abel, the menace actors have now begun distributing the Emotet malware utilizing malicious Microsoft OneNote attachments.

These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and extra.

 

Connected to the e-mail are Microsoft OneNote paperwork that show a message stating that the doc is protected. It then prompts you to double-click the ‘View’ button to show the doc correctly.

Microsoft OneNote means that you can create paperwork that comprise design parts that overlay an embedded doc. Nonetheless, whenever you double-click on the situation the place the embedded file is positioned, even when there’s a design component over it, the file shall be launched.

On this Emotet malware marketing campaign, the menace actors have hidden a malicious VBScript file known as ‘click on.wsf’ beneath the “View” button, as proven beneath.

This VBScript comprises a closely obfuscated script that downloads a DLL from a distant, seemingly compromised, web site after which executes it.

Whereas Microsoft OneNote will show a warning when a consumer makes an attempt to launch an embedded file in OneNote, historical past has proven us that many customers generally click on ‘OK’ buttons to do away with the alert.

If the consumer clicks on the OK button, the embedded click on.wsf VBScript file shall be executed utilizing WScript.exe from OneNote’s Temp folder, which is able to seemingly be completely different for every consumer:

"%TemppercentOneNote16.0Exported{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}NTclick on.wsf" 

The script will then obtain the Emotet malware as a DLL [VirusTotal] and retailer it in the identical Temp folder. It is going to then launch the random named DLL utilizing regsvr32.exe.

Emotet will now quietly run on the system, stealing e-mail, contacts, and awaiting additional instructions from the command and management server.

Whereas it’s not recognized what payloads this marketing campaign in the end drops, it generally results in Cobalt Strike or different malware being put in.

These payloads permit menace actors working with Emotet to realize entry to the system and use it as a springboard to unfold additional within the community.

Blocking malicious Microsoft OneNote paperwork

Microsoft OneNote has turn into an enormous malware distribution drawback, with a number of malware campaigns utilizing these attachments.

On account of this, Microsoft shall be adding improved protections in OneNote towards phishing paperwork, however there isn’t a particular timeline for when this shall be obtainable to everybody.

Nonetheless, Home windows admins can configure group insurance policies to guard towards malicious Microsoft OneNote information.

Admins can use these group insurance policies to both block embedded information in Microsoft OneNote altogether or mean you can specify particular file extensions that must be blocked from operating.

You may learn extra concerning the obtainable group insurance policies in a dedicated article BleepingComputer wrote earlier this month.

It’s strongly prompt that Home windows admins make the most of certainly one of these choices till Microsoft provides additional protections to OneNote.