At the beginning of this year, Microsoft started rolling out updates to auto-block macros in downloaded Word and Excel documents. Since then, several threats, including QakBot, Formbook, and other malware families, have started abusing OneNote documents instead. Recently, Emotet has been observed shifting its malicious spam campaigns to OneNote documents as well.

How Emotet abuses OneNote

Malwarebytes researchers recently noted that Emotet operators are now using Microsoft OneNote attachments to distribute the malware.
  • The operators reuse their already-proven reply-chain email tactic, with lures posing as invoices, how-to guides, and job references.
  • When the OneNote file is opened, it displays a message stating that the document is protected and that the user must click a View button to open it.
  • The View button in the message box overlays an embedded VBScript file, click[.]wsf, so double-clicking the button actually launches the Windows Script Host (wscript[.]exe) to execute this script.

Obfuscated VBScript fetching the payload

The VBScript file is an obfuscated script, designed to download the Emotet binary payload from a remote site to a temporary folder on the infected machine.
  • The Emotet payload is saved as a DLL file and executed via regsvr32[.]exe.
  • Upon execution, the malware establishes a connection with its C2 server to receive further instructions. In the meantime, it steals emails and contacts from the infected device.
  • Although the final payloads delivered in this campaign are not yet known, experts suspect that Emotet downloads Cobalt Strike or other malware that gives the operators complete access to the device and lets them move laterally across the network.
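The execution chain described above (OneNote launching the Windows Script Host on a .wsf file, which in turn runs regsvr32 on a DLL dropped in a temp folder) is something endpoint telemetry can flag. The following is an added detection example, not code from Malwarebytes or the campaign report; the process-creation events are constructed to resemble Sysmon Event ID 1 records, and the paths and PIDs in them are made up.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); all values are made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'"ONENOTE.EXE" C:\Users\u\Downloads\invoice.one'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Users\u\AppData\Local\Temp\click.wsf'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s C:\Users\u\AppData\Local\Temp\radABC.tmp.dll'},
    {"pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s C:\Program Files\Vendor\legit.dll'},  # benign: not from a script host
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(path):
    """Lower-cased file name of an image path, e.g. 'wscript.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def find_onenote_chains(events):
    """Return (rule_name, pid) for each event matching a stage of the OneNote -> WSH -> regsvr32 chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        name, pname = image_name(e["image"]), image_name(parent["image"])
        # Stage 1: OneNote launching the Windows Script Host on an embedded script file.
        if pname == "onenote.exe" and name in SCRIPT_HOSTS \
                and re.search(r"\.(wsf|vbs|js)\b", e["cmdline"], re.I):
            alerts.append(("onenote_spawns_script_host", e["pid"]))
        # Stage 2: a script host running regsvr32 on a DLL under a Temp directory.
        if pname in SCRIPT_HOSTS and name == "regsvr32.exe" \
                and re.search(r"\\temp\\", e["cmdline"], re.I):
            grandparent = by_pid.get(parent["ppid"])
            # Higher confidence when the grandparent is OneNote: the full chain is present.
            if grandparent and image_name(grandparent["image"]) == "onenote.exe":
                alerts.append(("onenote_script_regsvr32_chain", e["pid"]))
            else:
                alerts.append(("script_host_spawns_regsvr32_temp_dll", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in find_onenote_chains(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The same parent/child logic translates directly into an EDR or SIEM query over real process telemetry; the benign regsvr32 launch from explorer.exe is deliberately included to show that the rule keys on the ancestry, not on regsvr32 alone.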

Preventive measures

Emotet, like several other threats, is actively exploiting OneNote to establish a foothold in enterprise networks. Microsoft is expected to further enhance the protection in OneNote soon, but Windows administrators should take immediate action to prevent any damage in the meantime. Experts suggest that admins configure group policies to either completely block embedded files inside OneNote or allow only specific file extensions based on business needs.
Cyware Publisher