The Emotet malware botnet, which historically used Microsoft Word and Excel attachments to distribute malicious macros, has switched to using Microsoft OneNote email attachments to evade Microsoft security restrictions and infect more targets.
Once a user opens the attachment and enables macros, the macros download and execute a DLL that installs the Emotet malware on the device.
The malware steals email contacts and content for future spam campaigns, and downloads other payloads that provide initial access to the corporate network, allowing for cyberattacks such as ransomware, data theft, cyber espionage, and extortion.
Emotet has historically been one of the most widely distributed malware families, but it took a break towards the end of 2022.
After three months of inactivity, it came back online and began a new spam campaign, but it continued to rely on Word and Excel documents with macros.
However, as Microsoft now automatically blocks macros in downloaded documents, this campaign was only able to infect a few people. Therefore, BleepingComputer predicted that Emotet would switch to using Microsoft OneNote files, which have become a popular method for distributing malware after Microsoft began blocking macros.
In the latest Emotet spam campaign, the threat actors are distributing the Emotet malware using malicious Microsoft OneNote attachments, which are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.
Attached to the email are Microsoft OneNote documents that display a message stating that the document is protected, prompting the user to double-click the “View” button to display it properly.
The threat actors have hidden a malicious VBScript file called “click.wsf” underneath the “View” button. This VBScript contains a heavily obfuscated script that downloads a DLL from a remote, likely compromised, website and then executes it.
Microsoft OneNote has become a significant malware distribution problem, with multiple malware campaigns using these attachments. Microsoft will be adding improved protections in OneNote against phishing documents, but there is no specific timeline for when this will be available to everyone.
However, Windows admins can configure group policies to protect against malicious Microsoft OneNote files, either by blocking embedded files in OneNote altogether or by specifying the file extensions that should be blocked from running.
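The technique above (a script file such as click.wsf embedded in a OneNote page) and the extension-based blocking policy both come down to what is embedded inside the .one file. As an added example that is not from the article, this Python scanner walks a .one file for the FileDataStoreObject structures that carry embedded files (header and footer GUIDs as published in Microsoft's MS-ONESTORE specification), extracts each one and flags scripting or executable content. The content signatures and the sample notebook bytes are constructed for this example.

```python
import re
import uuid

# FileDataStoreObject header/footer GUIDs from the MS-ONESTORE spec (on-disk byte order).
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Content signatures for embedded files: (kind, pattern, flag as suspicious?).
SIGNATURES = [
    ("wsf", re.compile(rb"<job\b|<package\b", re.I), True),      # Windows Script File
    ("hta", re.compile(rb"<hta:application", re.I), True),       # HTML Application
    ("vbs", re.compile(rb"\b(CreateObject|WScript\.Shell)\b", re.I), True),
    ("exe", re.compile(rb"\AMZ"), True),                         # PE executable or DLL
    ("png", re.compile(rb"\A\x89PNG"), False),
]

def extract_embedded_files(data: bytes):
    """Yield (offset, payload) per FileDataStoreObject: guid(16) cbLength(8) unused(4) reserved(8) data."""
    pos = 0
    while (pos := data.find(FDSO_HEADER, pos)) >= 0:
        cb_length = int.from_bytes(data[pos + 16:pos + 24], "little")
        end = pos + 36 + cb_length
        if end > len(data):          # truncated header or forged length: stop, never over-read
            return
        yield pos, data[pos + 36:end]
        pos = end

def classify(payload: bytes):
    """Return (kind, suspicious) by matching the first 4 KiB of an embedded file."""
    for kind, pattern, suspicious in SIGNATURES:
        if pattern.search(payload[:4096]):
            return kind, suspicious
    return "unknown", True           # unrecognised embedded content still merits review

def scan_onenote(data: bytes):
    """Return (offset, size, kind, suspicious) for each embedded file in the blob."""
    return [(off, len(p), *classify(p)) for off, p in extract_embedded_files(data)]

def build_fdso(payload: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject; used here only to construct the sample."""
    padding = b"\0" * (-len(payload) % 8)
    return FDSO_HEADER + len(payload).to_bytes(8, "little") + b"\0" * 12 + payload + padding + FDSO_FOOTER

# Constructed sample: an inert PNG stub and an inert .wsf, with filler bytes in between.
SAMPLE_WSF = b'<job id="x"><script language="VBScript">WScript.Echo "inert"</script></job>'
SAMPLE_ONE = b"\0" * 32 + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 24) + b"\0" * 40 + build_fdso(SAMPLE_WSF)

if __name__ == "__main__":
    for off, size, kind, bad in scan_onenote(SAMPLE_ONE):
        print(f"offset {off:#x}: {size} bytes, {kind}, {'SUSPICIOUS' if bad else 'ok'}")
```

Run against a real attachment with `scan_onenote(open(path, "rb").read())`; the same extraction is the basis for a mail-gateway rule that quarantines OneNote files carrying the extensions the group policy would block.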