Cybercriminals using Microsoft OneNote attachments to distribute Emotet malware


Move is aimed at circumventing macro-based security restrictions. Windows admins are advised to configure a group policy to mitigate the risk

The infamous Emotet malware, which recently made a comeback after a brief period of dormancy, is now being disseminated through email attachments in Microsoft OneNote, a move aimed at circumventing macro-based security restrictions and infiltrating more systems.

Emotet is a highly advanced malware strain that has been crafted to exfiltrate sensitive information and user credentials from infected systems.

Initially discovered in 2014 as a banking trojan, it predominantly spread via malicious emails.

However, since then, Emotet has undergone a significant transformation and now exists as an entirely new form of malware, complete with its own botnet. As a result, it can remotely install malicious software on target devices.

Emotet infections usually rely on emails that contain fake invoices, payment reports, shipping data, job opportunities, or any other document that might be significant for the recipient.

These emails include Word or Excel files that harbour macros, which must be enabled by the user before they can access the document's contents.

Emotet operators employ an array of tactics to trick users into enabling these macros, including document templates that pretend to be created on various platforms.

If a user falls for the ploy and enables the macros, a DLL file is downloaded and executed, resulting in the installation of the Emotet malware on the device.

Last year, Microsoft implemented a measure to automatically block macros from downloaded documents, which compelled cybercriminals to reassess their strategies for disseminating malware.

As a consequence, various cybercrime groups switched to using Microsoft OneNote documents to deliver their malicious payloads. Emotet has now jumped on the bandwagon and adopted the same approach.

Last week, security researcher "abel" reported a spam campaign that employs malicious Microsoft OneNote attachments to deliver the Emotet malware. In this campaign, the threat actors concealed a malicious VBScript file, dubbed 'click.wsf', beneath the "View" button.

The click.wsf file contains a heavily obfuscated script that initiates the download of a DLL from a remote website that is likely to have been compromised.

Once downloaded, the DLL is executed, allowing the Emotet malware to infiltrate the target system.

Although Microsoft OneNote presents a warning message when a user attempts to launch an embedded file within a OneNote document, many users simply dismiss the alert by clicking the "OK" button.

"The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected," Malwarebytes said in an alert last week.

"When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead."

If a user clicks the "OK" button, the embedded click.wsf VBScript file is executed using WScript.exe from OneNote's Temp folder.

The script then proceeds to download the Emotet malware as a DLL and stores it in the same Temp folder.

Finally, it executes the randomly named DLL file using regsvr32.exe, allowing the malware to establish a foothold on the compromised system.
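Defenders can look for the process chain just described in endpoint telemetry. The following is an added example, not code from the article or from the researchers it cites: a small Python matcher run over constructed process-creation events (the field names, user path and the DLL name aZq7kX.dll are invented; click.wsf is the name reported above).

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry), shaped after the
# chain in the article: OneNote -> WScript.exe running click.wsf from OneNote's
# Temp folder -> regsvr32.exe loading a randomly named DLL from the same folder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\NT\0\click.wsf"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\NT\0\aZq7kX.dll"'},
    # Benign: OneNote handing a PDF attachment to the default reader.
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Program Files\Reader\reader.exe",
     "cmdline": r'"reader.exe" "C:\Users\alice\Documents\notes.pdf"'},
    # Benign: an installer registering its own COM DLL from Program Files.
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = re.compile(r"\.(wsf|vbs|vbe|js|jse|hta)\b", re.IGNORECASE)
TEMP_DLL = re.compile(r'\\temp\\[^"]*\.dll\b', re.IGNORECASE)

def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()

def flag_onenote_chain(events):
    """Return one alert string per event that matches either stage of the chain."""
    alerts = []
    for ev in events:
        parent, image, cmd = _name(ev["parent"]), _name(ev["image"]), ev["cmdline"]
        # Stage 1: OneNote spawning a Windows script host on an embedded script file.
        if parent == "onenote.exe" and image in SCRIPT_HOSTS and SCRIPT_EXTS.search(cmd):
            alerts.append(f"onenote->{image} running embedded script: {cmd}")
        # Stage 2: that script host launching regsvr32 on a DLL dropped under Temp.
        elif parent in SCRIPT_HOSTS and image == "regsvr32.exe" and TEMP_DLL.search(cmd):
            alerts.append(f"{parent}->regsvr32 loading DLL from Temp: {cmd}")
    return alerts

if __name__ == "__main__":
    for alert in flag_onenote_chain(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Both benign events fall through: the PDF reader is not a script host, and the installer's regsvr32 call is neither spawned by a script host nor pointed at a Temp path.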

The malware then establishes communication with its command and control servers to obtain additional instructions.

The ultimate payloads delivered by this campaign are currently unknown, but Emotet infections often result in the installation of the Cobalt Strike penetration testing tool or additional malware.

Microsoft has acknowledged the threat posed by phishing documents and has pledged to enhance OneNote's security measures to mitigate such risks.

However, no specific timeline has been announced for when these improved protections will be made available to all users.

In the absence of additional protections from Microsoft, Windows administrators are encouraged to configure a group policy that either disables embedded files in Microsoft OneNote entirely or blocks specific file extensions from being executed.

This can help mitigate the risks associated with Emotet and other types of malware distributed via OneNote attachments.