Microsoft OneNote email attachments are now being used to spread the infamous Emotet malware, which is returning after a brief hiatus. The switch is an attempt to sidestep the macro-based security restrictions that have blunted its traditional Office-document lures.
Despite attempts by law enforcement to neutralise it, Emotet, connected to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, remains a formidable and tenacious menace.
Emotet is a variant of the banking worm Cridex, which was later replaced by Dridex around the time GameOver Zeus was shut down in 2014. Since then, Emotet has developed into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion."
Emotet infections have served as a conduit for Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, and its reappearance in late 2021 was itself facilitated by TrickBot.
"Emotet is renowned for extended periods of inactivity, which often occur numerous times per year, during which the botnet maintains a steady-state but does not send spam or malware," Secureworks writes in its profile of the actor.
The dropper malware is typically disseminated via spam emails carrying malicious attachments. But with Microsoft now blocking macros by default in Office files downloaded from the internet, OneNote attachments have emerged as an attractive alternative delivery avenue.
"The OneNote file is basic but effective at social engineering users with a bogus message claiming that the document is protected," Malwarebytes explained in a new alert. "Victims will accidentally double-click on an embedded script file when told to double-click on the View button."
When launched, the embedded Windows Script File (WSF) retrieves the Emotet binary payload from a remote server and executes it. The findings are consistent with similar reports from Cyble, IBM X-Force, and Palo Alto Networks Unit 42.
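A defender triaging one of these attachments wants to pull the embedded script out of the OneNote section without opening it. The following is an added example, not code from the original article or from any of the vendors it cites. It relies on the FileDataStoreObject layout documented in MS-ONESTORE (header GUID, 64-bit length, unused and reserved fields, file data, footer GUID), which is why YARA rules for malicious OneNote files key on the byte sequence e7 16 e3 bd 65 26 11 45 a4 c4 8d 4d 0b 7a 9e ac. The sample section bytes are constructed inline, the payload classification is a simple heuristic of my own, and the function names are mine.

```python
import struct
import uuid

# MS-ONESTORE FileDataStoreObject: each embedded file is stored as
#   guidHeader | cbLength (u64) | unused (u32) | reserved (u64) | FileData | guidFooter
# GUIDs are serialised little-endian, so the header signature on disk is
# e7 16 e3 bd 65 26 11 45 a4 c4 8d 4d 0b 7a 9e ac.
FILE_DATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
LENGTH_FIELDS = struct.Struct("<QIQ")  # cbLength, unused, reserved


def classify(payload: bytes) -> str:
    """Heuristic labelling of an extracted payload (my own rules, not an official list)."""
    head = payload[:512]
    lowered = head.lower()
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith(b"\x89PNG"):
        return "PNG image"
    if b"<job" in lowered:
        return "Windows Script File (WSF)"
    if b"<script" in lowered or b"<hta:" in lowered:
        return "HTML/script (possible HTA)"
    if lowered.lstrip().startswith(b"@echo") or b"powershell" in lowered:
        return "batch/PowerShell script"
    return "unknown"


def extract_embedded_files(data: bytes) -> list:
    """Walk a .one section and return every FileDataStoreObject found.

    cbLength is attacker-controlled, so it is validated against the buffer
    before slicing, and the footer GUID is checked rather than assumed.
    """
    found = []
    pos = 0
    while True:
        idx = data.find(FILE_DATA_HEADER, pos)
        if idx < 0:
            break
        fields_at = idx + len(FILE_DATA_HEADER)
        if fields_at + LENGTH_FIELDS.size > len(data):
            break
        cb_length, _unused, _reserved = LENGTH_FIELDS.unpack_from(data, fields_at)
        start = fields_at + LENGTH_FIELDS.size
        end = start + cb_length
        if cb_length == 0 or end > len(data):
            # Malformed or truncated object: record it, do not trust cbLength, keep scanning.
            found.append({"offset": idx, "length": cb_length, "payload": b"",
                          "kind": "truncated/malformed", "footer_ok": False})
            pos = fields_at
            continue
        payload = data[start:end]
        found.append({
            "offset": idx,
            "length": cb_length,
            "payload": payload,
            "kind": classify(payload),
            "footer_ok": data[end:end + len(FILE_DATA_FOOTER)] == FILE_DATA_FOOTER,
        })
        pos = end
    return found


def suspicious_files(found: list) -> list:
    """Embedded objects a triage analyst should look at first."""
    risky = ("PE executable", "Windows Script File (WSF)", "HTML/script (possible HTA)",
             "batch/PowerShell script", "truncated/malformed")
    return [f for f in found if f["kind"] in risky]


def wrap_as_file_object(payload: bytes) -> bytes:
    """Build one FileDataStoreObject around a payload (used only for the constructed sample)."""
    return FILE_DATA_HEADER + LENGTH_FIELDS.pack(len(payload), 0, 0) + payload + FILE_DATA_FOOTER


def build_sample_section() -> bytes:
    """Constructed stand-in for a .one section: filler, an inert WSF, filler, a PNG stub."""
    wsf = (b'<?xml version="1.0"?><job id="view"><script language="JScript">'
           b'/* constructed, inert placeholder */</script></job>')
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    return b"\x00" * 64 + wrap_as_file_object(wsf) + b"\x11" * 16 + wrap_as_file_object(png) + b"\x00" * 8


if __name__ == "__main__":
    for obj in extract_embedded_files(build_sample_section()):
        print(f"offset={obj['offset']:#x} length={obj['length']} kind={obj['kind']} footer_ok={obj['footer_ok']}")
```

On a real sample, feed the bytes of the .one attachment to extract_embedded_files and write each payload to disk for sandboxing; an object whose footer check fails or whose length runs past the end of the file is worth a second look in its own right.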
That said, Emotet still makes use of booby-trapped documents carrying malicious macros, relying on social engineering to lure users into enabling the macros that kick off the attack chain.
According to several reports from Cyble, Deep Instinct, Hornetsecurity, and Trend Micro, such documents have been seen to use a method known as a "decompression bomb" to cloak an extremely large file (more than 550 MB) within ZIP archive attachments so that it would go unnoticed.
This is accomplished by padding the end of the document with null (0x00) bytes, artificially inflating the file size past the limits at which anti-malware scanners will still inspect a file, while the archive itself stays small because the padding compresses almost to nothing.
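The padding trick is easy to catch if the scanner looks at the right signals: an entry whose uncompressed size dwarfs its compressed size, and whose tail is one long run of null bytes. The script below is an added example written for this article, not code from any of the vendors cited. It builds a constructed ZIP containing a small "document" padded with a few megabytes of zeros (the real attachments use over 550 MB; the smaller value keeps the example quick), then inspects each entry by streaming the decompressed data in chunks rather than loading it whole. The size cap and ratio threshold are assumed values standing in for whatever a given scanner enforces.

```python
import io
import zipfile

MAX_RATIO = 100.0                      # assumed: deflate rarely exceeds this on real documents
MAX_UNCOMPRESSED = 200 * 1024 * 1024   # assumed stand-in for a scanner's file-size cap
CHUNK = 64 * 1024


def build_sample_zip(doc_size: int = 4096, pad_size: int = 2 * 1024 * 1024) -> bytes:
    """Constructed sample: a small document body followed by a run of 0x00 padding."""
    padded_doc = b"A" * doc_size + b"\x00" * pad_size
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", padded_doc)
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


def count_trailing_zeros(zf: zipfile.ZipFile, info: zipfile.ZipInfo):
    """Stream an entry and return (trailing zero run, bytes actually seen, hit_cap).

    Reading in chunks keeps memory flat no matter how large the entry claims to be,
    and stopping at MAX_UNCOMPRESSED means a hostile archive cannot make us
    decompress without bound.
    """
    run = 0
    seen = 0
    with zf.open(info) as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            seen += len(block)
            if seen > MAX_UNCOMPRESSED:
                return run, seen, True
            stripped = block.rstrip(b"\x00")
            if stripped:
                run = len(block) - len(stripped)   # run restarts after the last non-zero byte
            else:
                run += len(block)                  # whole chunk is padding
    return run, seen, False


def inspect_zip(zip_bytes: bytes) -> list:
    """Return one finding per entry with the flags a scanner should raise."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Central-directory sizes are attacker-controlled; use them for the
            # cheap ratio check but verify by actually streaming the entry.
            ratio = info.file_size / max(info.compress_size, 1)
            trailing, seen, capped = count_trailing_zeros(zf, info)
            flags = []
            if ratio > MAX_RATIO:
                flags.append("high compression ratio")
            if capped or info.file_size > MAX_UNCOMPRESSED:
                flags.append("exceeds scanner size cap")
            if not capped and seen != info.file_size:
                flags.append("declared size does not match data")
            if trailing and trailing >= seen // 2:
                flags.append("mostly trailing null padding")
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": round(ratio, 1),
                "trailing_zeros": trailing,
                "effective_size": seen - trailing,   # what the document really is once padding is dropped
                "flags": flags,
            })
    return findings


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f)
```

The useful output is effective_size: strip the padding and the "550 MB" document is a few kilobytes of macro-laden Office file, which is exactly what the scanner was meant to look at. A scanner that skips large files by header size alone never gets that far.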
The latest development shows how quickly the operators adapt their initial-delivery attachment types to evade signature-based detection. It also coincides with a broader rise in OneNote documents being used by threat actors to disseminate a variety of malware, including AsyncRAT, IcedID, RedLine Stealer, Qakbot, and XWorm.
Manufacturing, high-tech, telecom, finance, and energy are emerging as the top targeted sectors, according to Trellix, which claims that the majority of malicious OneNote detections in 2023 have been reported in the U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia.