Emotet Rises Again: Evades Macro Security via OneNote Attachments

Emotet malware 2023

The notorious Emotet malware, in its return after a short hiatus, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems.

Emotet, linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down.

A derivative of the Cridex banking worm – which was subsequently replaced by Dridex around the same time GameOver Zeus was disrupted in 2014 – Emotet has evolved into a “monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion.”

While Emotet infections have acted as a conduit to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was facilitated by means of TrickBot.

“Emotet is known for extended periods of inactivity, often occurring multiple times per year, where the botnet maintains a steady-state but does not deliver spam or malware,” Secureworks notes in its profile of the actor.

The dropper malware is commonly distributed through spam emails containing malicious attachments. But with Microsoft taking steps to block macros in downloaded Office files, OneNote attachments have emerged as an appealing alternative pathway.

“The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected,” Malwarebytes disclosed in a new alert. “When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.”

The Windows Script File (WSF) is engineered to retrieve and execute the Emotet binary payload from a remote server. Similar findings have been echoed by Cyble, IBM X-Force, and Palo Alto Networks Unit 42.

That said, Emotet still continues to use booby-trapped documents containing macros to deliver the malicious payload, employing social engineering lures to entice users into enabling macros to activate the attack chain.

Read more: thehackernews.com