Emotet now utilizing Onenote for its spam campaigns

Kyle by Kyle
March 26, 2023
in Malware

The infamous Emotet malware has adopted a new tactic to spread its infection. Cybercriminals are now distributing the malware via email attachments in Microsoft OneNote format. The move is a calculated attempt to circumvent the security measures put in place by Microsoft and to target a broader range of victims.

Emotet is known for its advanced and sophisticated attack techniques. Historically, Emotet has been distributed via Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL is downloaded and executed, which installs the Emotet malware on the device.

Once loaded, the malware steals email contacts and content for use in future spam campaigns. It also downloads other payloads, providing initial corporate network access. This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.

Emotet’s past activity has been sporadic, with the botnet taking breaks and starting again at irregular intervals. Towards the end of 2022, it went into inactivity for three months before resurfacing recently with a new spam campaign. However, this campaign was ineffective as Microsoft had begun automatically blocking macros in Word and Excel documents, including those attached to emails, making it difficult for Emotet to infect targets.

Image: How Office macros have been used in the past to infect unsuspecting users

Emotet makes the switch to Microsoft OneNote

To bypass Microsoft security restrictions, Emotet has switched to a new attack method. Security researchers have spotted a recent Emotet spam campaign that uses malicious Microsoft OneNote attachments. These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.

Image: Emotet phishing email example

The Microsoft OneNote documents in the emails display a message stating that the document is protected and prompt the user to double-click the “View” button to display the document correctly.

Image: How the threat actors lure users into executing the payload

When the user clicks the “View” button, it launches an embedded design element that overlays the OneNote document. This design element includes a Windows Script File called “click.wsf,” containing heavily obfuscated VBScript that downloads a DLL from a remote, likely compromised, website and executes it.

Image: Obfuscated VBScript contained in the click.wsf script

Although Microsoft OneNote displays a warning message when a user tries to launch an embedded file, history has shown that many users commonly click on “OK” to get rid of the alert.

Image: The warning that appears when executing the click.wsf script

If the user clicks on the “OK” button, the click.wsf VBScript file will execute, downloading the Emotet malware as a DLL and storing it in OneNote’s Temp folder:

"%Temp%\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\0\click.wsf"

It then launches the randomly named DLL using regsvr32.exe, which runs quietly on the device, stealing emails and contacts and waiting for further commands from the command-and-control server.
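The execution chain described above (OneNote spawning a script host for a click.wsf under the Exported folder, then regsvr32.exe loading a DLL out of Temp) is a good fit for a process-creation detection. The checker below is an added example, not code from the article: the events are constructed Sysmon-style samples, and every path except the click.wsf location quoted in the article is made up.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp'
                r'\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\0\click.wsf"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\abcd1234.dll"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# OneNote writes launched attachments under ...\OneNote\<version>\Exported\...
EXPORTED_RE = re.compile(r"\\OneNote\\\d+\.\d+\\Exported\\", re.IGNORECASE)
# A DLL registered straight out of a Temp directory.
TEMP_DLL_RE = re.compile(r'\\Temp\\[^"\s]*\.dll', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names an event triggers (empty list if benign)."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    findings = []
    if parent == "onenote.exe" and image in SCRIPT_HOSTS:
        findings.append("onenote_spawned_script_host")
        if EXPORTED_RE.search(cmd):
            findings.append("onenote_exported_attachment_path")
    if image == "regsvr32.exe" and TEMP_DLL_RE.search(cmd):
        findings.append("regsvr32_dll_from_temp")
    return findings


def scan(events):
    """Map event index -> findings, keeping only events that matched a rule."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}
```

In practice, feed this the ParentImage, Image and CommandLine fields from your EDR or Sysmon pipeline; both rules fire on separate events in the chain, so correlating them by parent PID gives a higher-confidence alert.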

Blocking Malicious Microsoft OneNote Documents

Due to multiple malware campaigns using malicious Microsoft OneNote attachments, Microsoft will be adding improved protections in OneNote against phishing documents, but there is no specific timeline for when this will be available to everyone.

However, Windows admins can configure group policies to protect against malicious Microsoft OneNote files. These group policies can block embedded files in OneNote, disable the ability to launch file attachments in OneNote, or configure the application to warn users when they attempt to launch embedded files.

Image: Attachments being blocked in Microsoft OneNote

The recent Emotet malware campaign using Microsoft OneNote documents demonstrates the increasing sophistication of cybercriminals and the need for constant vigilance to keep systems secure. Companies must educate their employees on the dangers of opening unknown attachments and enable macro blockers in Office applications. IT administrators should also consider implementing group policies to protect against malicious Microsoft OneNote attachments.

It is essential to stay updated with the latest threat intelligence and take all possible measures to protect systems against the newest malware campaigns. This includes installing the latest security updates, using anti-malware software, and conducting regular backups. By staying proactive and vigilant, companies can protect their sensitive data and avoid

Co-owner, writer, and editor at ZeroSecurity. Security, Blockchain, and SEO enthusiast. "Formal education will make you a living; self-education will make you a fortune."