Emotet malware delivered as Microsoft OneNote files

Published March 22, 2023
Author: Ash Khan

Emotet malware is now being delivered as Microsoft OneNote email attachments in order to get around Microsoft's security restrictions and infect more users.

Emotet is a well-known malware botnet. It was previously delivered as Microsoft Office attachments, Word and Excel files carrying malicious macros. When a user opens the attachment and enables macros, a DLL is downloaded and launched on the device, installing the Emotet malware.

Once installed, the malware harvests email addresses and message content for use in future spam campaigns. It also downloads additional payloads that give the operators initial access to the corporate network.

This access is then used to launch attacks on the business, such as ransomware, data theft, cyber espionage, and extortion.

Emotet was once one of the most widely distributed malware families. Over the last year, however, its activity has started and stopped intermittently, eventually going quiet towards the end of 2022.

Earlier this month, after three months of dormancy, the Emotet botnet was reactivated and began sending malicious emails around the world.

This initial campaign, however, was ineffective because it continued to rely on Microsoft Office documents with macros. It infected few people, since Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails.

As a result, the news website predicted that Emotet would migrate to Microsoft OneNote files, which have become a popular malware distribution method since Microsoft began restricting macros.

Emotet is now using Microsoft OneNote

As expected, threat actors have now begun distributing Emotet through malicious Microsoft OneNote files in a new spam campaign.

These attachments are distributed in reply-chain emails that masquerade as instructions, how-tos, invoices, employment references, and other documents.

The Microsoft OneNote document attached to the email displays a notice saying that the document is secured, and asks the user to double-click the ‘View’ button to display it correctly.

Microsoft OneNote allows documents to contain design elements that overlay embedded content. Double-clicking the location of an embedded file launches it, even when the file is hidden beneath a design element.

In the Emotet campaign, the attackers have concealed a malicious VBScript file called ‘click.wsf’ behind the ‘View’ button.

This VBScript is heavily obfuscated and downloads and executes a DLL from a remote, most likely compromised, website.

When the user clicks the OK button, the embedded click.wsf VBScript file is executed by WScript.exe from OneNote’s Temp folder, whose path is likely to differ for each user.

The script then downloads the Emotet malware as a DLL [VirusTotal] and saves it in the same Temp folder, after which it uses regsvr32.exe to run the randomly named DLL.

Emotet then runs in the background, harvesting emails and contacts while waiting for commands from its command-and-control server.

It is not yet known what payloads this campaign ultimately delivers, but Emotet infections frequently result in the installation of Cobalt Strike or other malware.

Threat actors working with Emotet use these payloads to gain access to the device, then use it as a springboard to move further into the network.

Detecting and blocking malicious Microsoft OneNote files

With multiple malware operations now using these files, Microsoft OneNote has become a significant malware distribution concern.

As a result, Microsoft plans to strengthen OneNote's defenses against phishing documents, although there is no set schedule for when this will be available to everyone.

In the meantime, Windows administrators can configure Group Policies to defend against malicious Microsoft OneNote files.

These Group Policies can either completely disable embedded files in Microsoft OneNote or specify file extensions that should be blocked from executing.
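Beyond policy, the execution chain described above (OneNote launching WScript.exe to run click.wsf from the Temp folder, then WScript.exe launching regsvr32.exe to load a DLL from the same folder) can be hunted in process-creation telemetry. The following Python is an added example, not code from the article or from any vendor; it runs over constructed Sysmon-style events whose field names (parent, image, cmdline), user paths and DLL name are assumed.

```python
import re

# Constructed process-creation events with assumed field names (parent image,
# child image, command line). These are not real telemetry; the Temp paths and
# the DLL name are made up to mirror the chain described in the article.
SAMPLE_EVENTS = [
    {   # OneNote launching the embedded click.wsf via WScript.exe
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\NT\0\click.wsf"',
    },
    {   # The script registering the downloaded, randomly named DLL
        "parent": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\NT\0\qzxvn.dll"',
    },
    {   # Benign: an installer registering a DLL from Program Files
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WSF_FILE = re.compile(r"\.wsf\b", re.IGNORECASE)
DLL_FILE = re.compile(r"\.dll\b", re.IGNORECASE)

def image_name(path):
    """Lower-cased file name of a Windows path, e.g. 'wscript.exe'."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Label one process-creation event, or return None if it is not part of the chain."""
    parent = image_name(event["parent"])
    child = image_name(event["image"])
    cmd = event["cmdline"]
    # Stage 1: OneNote spawning a script host on a .wsf file under the user's Temp folder
    if parent == "onenote.exe" and child in SCRIPT_HOSTS and WSF_FILE.search(cmd) and TEMP_DIR.search(cmd):
        return "onenote_runs_wsf_from_temp"
    # Stage 2: that script host spawning regsvr32.exe on a DLL under the same Temp folder
    if parent in SCRIPT_HOSTS and child == "regsvr32.exe" and DLL_FILE.search(cmd) and TEMP_DIR.search(cmd):
        return "script_host_regsvr32_dll_from_temp"
    return None

def hunt(events):
    """Return the labels of every event matching a stage of the chain, in event order."""
    return [label for e in events if (label := classify(e)) is not None]

if __name__ == "__main__":
    for label in hunt(SAMPLE_EVENTS):
        print("ALERT:", label)
```

Both stages fire on the constructed Emotet events while the benign regsvr32.exe call from Program Files is ignored; on real telemetry the path and parent checks are what keep the rule from alerting on ordinary DLL registration.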