Microsoft OneNote files used to spread Emotet malware

The Emotet malware resurfaces

Emotet malware distribution switched from Word and Excel to OneNote

After a three-month hiatus, the Emotet malware has reappeared with a new distribution method. Emotet is a malware botnet known for its rapid spread and ability to infect devices. Historically, this malware was distributed via Microsoft Word and Excel attachments containing malicious macros. When a user opens the attachment and enables macros, a DLL is downloaded and executed, resulting in the installation of the Emotet malware on the device.

Once installed, the malware will steal email addresses and content for future spam campaigns. The malware also downloads additional payloads that allow it to gain initial access to the corporate network. This access is used to carry out cyberattacks against the company, such as ransomware attacks, data theft, cyber espionage, and extortion.

The new distribution method

After being one of the most widely distributed malware families in the past, Emotet took a break near the end of 2022. However, after three months of inactivity, the botnet was reactivated and began sending malicious emails all over the world earlier this month. This initial campaign, however, was flawed because it continued to use Word and Excel documents with macros.

This campaign would infect only a few people, because Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails. As a result, Emotet migrated to Microsoft OneNote files, a format that has become a popular method for malware distribution since Microsoft began blocking macros.

The Emotet campaign using OneNote files

The threat actors have now begun distributing the Emotet malware using malicious Microsoft OneNote attachments in an Emotet spam campaign first spotted by security researcher Abel.[1] These attachments are distributed through reply-chain emails that masquerade as guides, how-tos, invoices, job references, and other documents. Microsoft OneNote documents attached to the email display a message stating that the document is protected. It then asks users to double-click the 'View' button to properly display the document.

The aftermath

The threat actors have hidden a malicious VBScript file called 'click.wsf' beneath the 'View' button. This VBScript contains a heavily obfuscated script that downloads and executes a DLL from a remote, most likely compromised, website. While Microsoft OneNote displays a warning when a user attempts to open an embedded file, many users simply click the 'OK' button to dismiss the alert.

When the user clicks the OK button, OneNote writes the embedded click.wsf file to its Temp folder and executes it with WScript.exe. The script then downloads the Emotet malware as a DLL[2] into the same Temp folder and launches the randomly named DLL with regsvr32.exe.
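As an added illustration of the chain just described (this code is not from the original article), the following Python sketch runs the process-relationship checks a defender would write against Sysmon-style process-creation events: a script host launched by OneNote with a script in the user's Temp folder, followed by regsvr32.exe loading a DLL from Temp. The event records, paths, PIDs and field names are constructed assumptions.

```python
import re

# Constructed sample events in the shape of process-creation records
# (parent image, image, command line); not taken from the article.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3988,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\AppData\Local\Temp\OneNote\16.0\Exported\{A1}\NT\0\click.wsf"'},
    {"pid": 4212, "ppid": 4100,
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\qk3fz.dll"'},
    # Benign control: regsvr32 run from Explorer on a DLL outside Temp.
    {"pid": 5000, "ppid": 700,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]

TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(wsf|vbs|vbe|js|jse)\b", re.IGNORECASE)
DLL_EXT = re.compile(r"\.dll\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_from_temp(ev):
    """Script host spawned by OneNote with a script file under the user's Temp folder."""
    return (basename(ev["parent"]) == "onenote.exe"
            and basename(ev["image"]) in ("wscript.exe", "cscript.exe")
            and TEMP_PATH.search(ev["cmd"]) is not None
            and SCRIPT_EXT.search(ev["cmd"]) is not None)


def dll_load_from_temp(ev):
    """regsvr32 loading a DLL that lives in the Temp folder."""
    return (basename(ev["image"]) == "regsvr32.exe"
            and TEMP_PATH.search(ev["cmd"]) is not None
            and DLL_EXT.search(ev["cmd"]) is not None)


def detect_chain(events):
    """Return (script_pid, regsvr32_pid) pairs where the Temp DLL load is a child of the OneNote script launch."""
    script_pids = {ev["pid"] for ev in events if script_from_temp(ev)}
    return [(ev["ppid"], ev["pid"]) for ev in events
            if dll_load_from_temp(ev) and ev["ppid"] in script_pids]


if __name__ == "__main__":
    for hit in detect_chain(SAMPLE_EVENTS):
        print("OneNote -> script host -> regsvr32 chain, pids:", hit)
```

Matching on the parent-child relationship rather than on regsvr32.exe alone keeps the benign control event out of the result.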

The malware will then run quietly on the device, stealing email addresses and waiting for further commands from the command and control server. While it is unknown what payloads this campaign ultimately drops, it frequently results in the installation of Cobalt Strike or other malware. Threat actors working with Emotet can use these payloads to gain access to the device and use it as a springboard to spread further in the network.

Protection measures

With multiple malware campaigns using these attachments, Microsoft OneNote has become a massive malware distribution problem. As a result, Microsoft will improve protections[3] against phishing documents in OneNote, but there is no set timeline for when this will be available to everyone.

Windows administrators can configure group policies to protect against malicious Microsoft OneNote files, either by blocking embedded files in OneNote entirely or by listing the file extensions that OneNote must not run. Windows administrators are strongly advised to use one of these options until Microsoft adds additional security to OneNote.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
