The infamous Emotet malware has adopted a new tactic to spread its infection. Cybercriminals are now distributing the malware via email attachments in Microsoft OneNote format. The move is a calculated attempt to circumvent the security measures put in place by Microsoft and to target a broader range of victims.
Emotet is known for its advanced and sophisticated attack techniques. Historically, Emotet has been distributed via Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL is downloaded and executed, which installs the Emotet malware on the device.
Once loaded, the malware steals email contacts and content for use in future spam campaigns. It also downloads other payloads, providing initial corporate network access. This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.
Emotet’s past activity has been sporadic, with the botnet taking breaks and starting again at irregular intervals. Towards the end of 2022, it went into inactivity for three months before resurfacing recently with a new spam campaign. However, this campaign was ineffective as Microsoft had begun automatically blocking macros in Word and Excel documents, including those attached to emails, making it difficult for Emotet to infect targets.
Emotet makes the switch to Microsoft OneNote
To bypass Microsoft security restrictions, Emotet has switched to a new attack method. Security researchers have spotted a recent Emotet spam campaign that uses malicious Microsoft OneNote attachments. These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.
The Microsoft OneNote documents in the emails display a message stating that the document is protected and prompts the user to double-click the “View” button to display the document correctly.
When the user clicks the “View” button, it launches an embedded design element that overlays the OneNote document. This design element includes a VBScript file called “click.wsf,” which is heavily obfuscated and downloads a DLL from a remote, likely compromised, website and executes it.
Although Microsoft OneNote displays a warning message when a user tries to launch an embedded file, history has shown that many users commonly click on “OK” to get rid of the alert.
If the user clicks on the “OK” button, the click.wsf VBScript file will execute, downloading the Emotet malware as a DLL and storing it in OneNote’s Temp folder:
"%Temp%\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\0\click.wsf"
It then launches the random-named DLL (Virustotal) using regsvr32.exe, quietly running on the device, stealing emails, contacts, and waiting for further commands from the command and control server.
Blocking Malicious Microsoft OneNote Documents
Due to multiple malware campaigns using malicious Microsoft OneNote attachments, Microsoft will be adding improved protections in OneNote against phishing documents, but there is no specific timeline for when this will be available to everyone.
However, Windows admins can configure group policies to protect against malicious Microsoft OneNote files. Admins can use these group policies to either block embedded files in OneNote, disable the ability to launch file attachments in OneNote or configure the application to warn users when they attempt to launch embedded files.
The recent Emotet malware campaign using Microsoft OneNote documents demonstrates the increasing sophistication of cybercriminals and the need for constant vigilance to keep systems secure. Companies must educate their employees on the dangers of opening unknown attachments and enable macro blockers in Office applications. IT administrators should also consider implementing group policies to protect against malicious Microsoft OneNote attachments.
It is essential to stay updated with the latest threat intelligence and take all possible measures to protect systems against the newest malware campaigns. This includes installing the latest security updates, using anti-malware software, and conducting regular backups. By staying proactive and vigilant, companies can protect their sensitive data and avoid