The Emotet malware is now spreading through Microsoft OneNote email attachments, with the aim of bypassing Microsoft’s security restrictions and infecting more targets.
Emotet is a notorious malware botnet that has historically been spread through Microsoft Word and Excel documents containing malicious macros. If the user opens the document and enables macros, a DLL is downloaded and executed that installs the Emotet malware on the device.
Once downloaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network.
This access is used to launch cyber attacks against the company, which may include ransomware attacks, data theft, cyber espionage, and extortion.
Although Emotet was one of the most prevalent malware families in the past, its activity over the past year has been intermittent, and it went quiet by the end of 2022.
After three months of inactivity, the Emotet botnet suddenly reactivated, sending malicious emails around the world earlier this month.
However, this initial campaign was flawed, as it continued to use Word and Excel documents with macros. Since Microsoft now automatically blocks macros in downloaded Word and Excel documents, including email attachments, this campaign would only infect a few people.
Because of this, BleepingComputer predicted that Emotet would migrate to Microsoft OneNote files, which have become a popular method of spreading malware since Microsoft started blocking macros.
Emotet switches to Microsoft OneNote
As predicted, in an Emotet spam campaign first noticed by security researcher Abel, threat actors have now started distributing the Emotet malware using malicious Microsoft OneNote attachments.
These attachments are distributed in reply chain emails that include guides, instructions, invoices, job references, and more.
Attached to the email are Microsoft OneNote documents that display a message that the document is protected. It then prompts you to double-click the View button to display the document properly.
Microsoft OneNote allows you to create documents that contain design elements overlaying an embedded file. However, when you double-click the location of the embedded file, the file will run even if a design element covers it.
In this Emotet malware campaign, threat actors have hidden a malicious VBScript file called “click.wsf” under the “View” button, as shown below.
This VBScript file contains a heavily obfuscated script that downloads a DLL from a remote, possibly compromised, site and then executes it.
Although Microsoft OneNote will display a warning when a user tries to run an embedded file in OneNote, history has shown us that many users usually click OK to get rid of the warning.
If the user clicks the OK button, the embedded click.wsf VBScript file will be executed by WScript.exe from OneNote’s Temp folder, which will probably be different for each user.
The script then downloads the Emotet malware as a DLL [VirusTotal] and saves it in the same Temp folder under a random file name. It then executes that DLL using regsvr32.exe.
Emotet now runs quietly on the device, stealing email and contacts and waiting for further commands from the command and control server.
While it is not known what payloads this campaign ultimately drops, it usually results in the installation of Cobalt Strike or other malware.
These payloads allow threat actors working with Emotet to gain access to the device and use it as a springboard to spread further into the network.
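The execution chain described above (OneNote launching WScript.exe on a script from its Temp folder, which then launches regsvr32.exe on a DLL dropped in the same folder) is a tight process-ancestry pattern that defenders can alert on. The following is an added example written for this article, not code from the article or from any vendor. It assumes process-creation telemetry with the usual pid, parent pid, image path and command line fields (as Sysmon Event ID 1 or most EDRs provide), assumes only that OneNote's extraction folder lives under a path containing \Temp\OneNote\ (the subfolder layout is not matched), and runs on constructed sample events.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (fields as supplied by Sysmon Event ID 1 or EDR telemetry)."""
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: OneNote writes embedded files under a per-user ...\Temp\OneNote\ folder;
# the subfolder layout varies between versions, so only this prefix is matched.
ONENOTE_TEMP = re.compile(r"\\temp\\onenote\\", re.IGNORECASE)
# First quoted or bare command-line argument ending in a script-host extension / a DLL.
SCRIPT_ARG = re.compile(r'"?([^"]+?\.(?:wsf|vbs|vbe|js|jse))"?(?:\s|$)', re.IGNORECASE)
DLL_ARG = re.compile(r'"?([^"]+?\.dll)"?(?:\s|$)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_onenote_chain(events: List[ProcessEvent]) -> List[dict]:
    """Return one alert per event that matches a stage of the OneNote -> script host -> regsvr32 chain."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    alerts: List[dict] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:          # no parent record: cannot evaluate ancestry
            continue
        name = basename(e.image)
        # Stage 1: OneNote launches WScript/CScript on a script extracted to its Temp folder.
        if name in SCRIPT_HOSTS and basename(parent.image) == "onenote.exe":
            m = SCRIPT_ARG.search(e.cmdline)
            if m and ONENOTE_TEMP.search(m.group(1)):
                alerts.append({"stage": "onenote_script_host", "pid": e.pid, "script": m.group(1)})
        # Stage 2: the script host runs regsvr32 on a DLL dropped in that same Temp folder.
        elif name == "regsvr32.exe" and basename(parent.image) in SCRIPT_HOSTS:
            m = DLL_ARG.search(e.cmdline)
            if m and ONENOTE_TEMP.search(m.group(1)):
                alerts.append({"stage": "regsvr32_onenote_dll", "pid": e.pid, "dll": m.group(1)})
    return alerts


# Constructed sample telemetry: paths, pids and file names are made up for this example.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 500, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
                 "ONENOTE.EXE"),
    ProcessEvent(1100, 1000, r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" '
                 r'"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\example\click.wsf"'),
    ProcessEvent(1200, 1100, r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\example\hqzpak.dll"'),
    # Benign: a script run from Documents via Explorer, and a DLL registered by an installer.
    ProcessEvent(700, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(1300, 700, r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Documents\cleanup.vbs"'),
    ProcessEvent(800, 1, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i setup.msi"),
    ProcessEvent(1400, 800, r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Program Files\Example\example.dll"),
]

if __name__ == "__main__":
    for alert in detect_onenote_chain(SAMPLE_EVENTS):
        print(alert)
```

Stage 1 on its own is the higher-confidence signal, since OneNote spawning a script host on a file from its own Temp folder has no common benign counterpart; stage 2 is kept separate so that a regsvr32.exe launch is still caught when the parent record was missed. Both stages key on ancestry and file location rather than on the random DLL name, which changes per sample.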
Blocking malicious Microsoft OneNote documents
Microsoft OneNote has become a massive malware distribution problem, as many malware campaigns now use OneNote attachments.
In response, Microsoft will add improved protection against phishing documents to OneNote, but there is no specific timeline for when this will be available to everyone.
However, Windows administrators can configure Group Policy to protect against malicious Microsoft OneNote files.
Administrators can use this Group Policy to block embedded files in Microsoft OneNote altogether, or to specify which file extensions are blocked from running.
You can read more about the available group policies in a dedicated BleepingComputer article written earlier this month.
It is strongly recommended that Windows administrators use one of these options until Microsoft adds additional protection to OneNote.