Emotet Rises Again: Evades Macro Security via OneNote Attachments
The notorious Emotet malware, in its return after a short hiatus, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems.
Emotet, linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down. A derivative of the Cridex banking worm – which was subsequently replaced by Dridex around the same time GameOver Zeus was disrupted in 2014 – Emotet has evolved into a “monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion.”
While Emotet infections have acted as a conduit to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was facilitated by means of TrickBot.
“Emotet is known for extended periods of inactivity, often occurring multiple times per year, where the botnet maintains a steady-state but does not deliver spam or malware,” Secureworks notes in its profile of the actor.
The dropper malware is commonly distributed through spam emails containing malicious attachments. But with Microsoft taking steps to block macros in downloaded Office files, OneNote attachments have emerged as an appealing alternative pathway.
“The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected,” Malwarebytes disclosed in a new alert. “When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.”
The Windows Script File (WSF) is engineered to retrieve and execute the Emotet binary payload from a remote server.
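The lure described above works because a OneNote section can carry arbitrary embedded files, and the user is tricked into launching one. A mail gateway or triage script can carve those embedded objects out and flag script-like content before the note ever reaches a user. The following is an added example written for this article, not code from Malwarebytes, Secureworks or any other vendor named here. It assumes the FileDataStoreObject framing documented in the MS-ONESTORE specification (header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, a 64-bit length, then the file bytes, then footer GUID {71FBA722-0F79-4A0B-BB13-899256426B24}); the content-sniffing rules are simple heuristics of my own, and the sample section bytes are constructed, not taken from a real lure.

```python
"""Carve embedded file objects out of a OneNote (.one) section and flag script content.

Added example for illustration; not code from the article or from any vendor it cites.
Assumptions: FileDataStoreObject layout from MS-ONESTORE (header GUID, uint64 length,
4 unused + 8 reserved bytes, file data, footer GUID); the classification rules below
are heuristics, and SAMPLE_ONE is a constructed section, not real Emotet data.
"""
import json
import re
import struct
import uuid

# On-disk GUIDs are stored little-endian, which uuid.bytes_le produces for us.
HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8          # guid + cbLength + unused + reserved

EXECUTABLE_KINDS = {"pe", "wsf", "hta/html", "batch", "vbs/js"}


def carve_embedded_files(data: bytes) -> list[bytes]:
    """Return the raw bytes of every FileDataStoreObject found in a .one section."""
    blobs = []
    pos = 0
    while True:
        start = data.find(HEADER_GUID, pos)
        if start == -1:
            break
        length_off = start + len(HEADER_GUID)
        if length_off + 8 <= len(data):
            (length,) = struct.unpack_from("<Q", data, length_off)
            body = data[start + HEADER_SIZE:start + HEADER_SIZE + length]
            if len(body) == length:          # truncated objects are skipped, not trusted
                blobs.append(body)
        pos = length_off
    return blobs


def classify(blob: bytes) -> str:
    """Heuristic content sniffing on the first 4 KiB (assumed rules, not a full identifier)."""
    head = blob[:4096].lower()
    if head.startswith(b"mz"):
        return "pe"
    if head.startswith(b"\x89png"):
        return "png"
    if head.startswith(b"%pdf"):
        return "pdf"
    if b"<job" in head and b"<script" in head:   # Windows Script File wrapper
        return "wsf"
    if b"<script" in head or b"<html" in head:
        return "hta/html"
    if head.lstrip().startswith(b"@echo") or b"powershell" in head:
        return "batch"
    if re.search(rb"\b(wscript|createobject|activexobject)\b", head):
        return "vbs/js"
    return "unknown"


def analyze_onenote(data: bytes) -> dict:
    """Summarise embedded objects; a non-zero executable_objects count is a block/quarantine signal."""
    objects = []
    for blob in carve_embedded_files(data):
        kind = classify(blob)
        objects.append({"size": len(blob), "kind": kind, "executable": kind in EXECUTABLE_KINDS})
    return {
        "embedded_objects": len(objects),
        "executable_objects": sum(o["executable"] for o in objects),
        "objects": objects,
    }


def build_object(payload: bytes) -> bytes:
    """Frame a payload as a FileDataStoreObject; used only to build the constructed sample."""
    return HEADER_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FOOTER_GUID


# Constructed sample section: a decoy image (the fake "protected" banner) plus a benign WSF stub.
SAMPLE_ONE = (
    b"\x00" * 64
    + build_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    + b"\x00" * 16
    + build_object(b'<job id="demo"><script language="VBScript">WScript.Echo "hello"</script></job>')
)

if __name__ == "__main__":
    print(json.dumps(analyze_onenote(SAMPLE_ONE), indent=2))
```

Because the file name of an embedded object lives elsewhere in the section's property sets, the check sniffs the object's bytes rather than trusting an extension; that is also what makes it robust to a script saved under an innocuous name. Tune the heuristics against your own corpus before blocking on them.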
Similar findings have been echoed by Cyble, IBM X-Force, and Palo Alto Networks Unit 42.

That said, Emotet still continues to use booby-trapped documents containing macros to deliver the malicious payload, employing social engineering lures to entice users into enabling macros to activate the attack chain.
Such documents have been observed to leverage a technique known as a decompression bomb to conceal a very large file (over 550 MB) within ZIP archive attachments to fly under the radar, according to multiple reports from Cyble, Deep Instinct, Hornetsecurity, and Trend Micro. This is achieved by padding the end of the document with null (0x00) bytes to artificially inflate the file size so as to exceed the size limits imposed by anti-malware solutions.
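The padding trick relies on two things: the archived document compresses almost perfectly because its tail is all zeros, and the expanded file is large enough that a scanner skips it. Both properties are themselves detectable. The following is an added example, not code from the article or from any of the vendors it cites; it reads a ZIP's central directory to flag members with an extreme expansion ratio, confirms the real size with a capped streaming decompression so the check itself cannot be bombed, and measures the trailing null run of a document so a scanner can work on the effective content instead of giving up on the inflated size. The thresholds and the sample archive are my own constructions.

```python
"""Detect null-padded documents and decompression-bomb ZIP members.

Added example for illustration; not code from the article or from any vendor it cites.
Assumptions: the ratio/size thresholds below are placeholders to tune per environment,
and SAMPLE_ZIP / PADDED_DOC are constructed, not real Emotet attachments.
"""
import io
import zipfile


def trailing_null_run(data: bytes, chunk: int = 1 << 16) -> int:
    """Length of the run of 0x00 bytes at the end of data, scanning backwards in chunks."""
    n = len(data)
    i = n
    while i > 0:
        start = max(0, i - chunk)
        stripped = data[start:i].rstrip(b"\x00")
        if stripped:
            return n - (start + len(stripped))
        i = start
    return n


def inspect_document(data: bytes, min_padding: int = 1 << 20, null_ratio: float = 0.5) -> dict:
    """Flag a file whose size is dominated by a trailing null run; effective_size is what to scan."""
    run = trailing_null_run(data)
    ratio = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "trailing_nulls": run,
        "null_ratio": round(ratio, 3),
        "effective_size": len(data) - run,
        "padded": run >= min_padding and ratio >= null_ratio,
    }


def bounded_member_size(zf: zipfile.ZipFile, info: zipfile.ZipInfo, cap: int) -> int:
    """Decompress a member in chunks and stop once cap is exceeded, so a bomb cannot exhaust memory."""
    total = 0
    with zf.open(info) as fh:
        while chunk := fh.read(1 << 16):
            total += len(chunk)
            if total > cap:
                break
    return total


def inspect_zip(data: bytes, max_ratio: float = 100.0, max_uncompressed: int = 100 << 20) -> list[dict]:
    """Per-member verdicts: header-declared sizes plus a capped measurement of the real size."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            measured = bounded_member_size(zf, info, max_uncompressed)
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "declared": info.file_size,
                "measured_at_least": measured,
                "ratio": round(ratio, 1),
                "bomb": ratio >= max_ratio or measured > max_uncompressed,
            })
    return findings


def build_zip(name: str, payload: bytes) -> bytes:
    """Helper to build the constructed sample archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: a small document body inflated with 2 MiB of trailing nulls, then zipped.
CONTENT = b"%PDF-1.4 constructed sample document body " * 100
PADDED_DOC = CONTENT + b"\x00" * (2 << 20)
SAMPLE_ZIP = build_zip("invoice.doc", PADDED_DOC)

if __name__ == "__main__":
    print(inspect_zip(SAMPLE_ZIP))
    print(inspect_document(PADDED_DOC))
```

The central-directory sizes are attacker-controlled, which is why the bounded decompression is there: it confirms the member really expands past the cap without ever holding more than one chunk in memory. On the document side, stripping the null run and scanning the effective content closes the gap the 550 MB padding is designed to exploit, rather than raising the scanner's size limit to chase it.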
The latest development is a sign of the operators’ flexibility and agility in switching attachment types for initial delivery to evade detection signatures. It also comes amid a spike in threat actors using OneNote documents to distribute a wide range of malware such as AsyncRAT, IcedID, RedLine Stealer, Qakbot, and XWorm.

According to Trellix, a majority of the malicious OneNote detections in 2023 have been reported in the U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia, with manufacturing, high-tech, telecom, finance, and energy emerging as the top targeted sectors.