Emotet is back: Microsoft OneNote is not a safe place anymore

2023-03-22 By admin

Emotet is back and ready to strike via Microsoft OneNote email attachments. The Emotet threat, associated with the Gold Crestwood, Mummy Spider, or TA542 threat actor, remains active and resilient despite law enforcement’s best efforts to counter it.

It was originally a derivative of the Cridex banking worm but has since evolved into a monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion.

Emotet is back and spreading with Microsoft OneNote attachments

After a brief absence, the notorious Emotet malware has returned, this time spreading through Microsoft OneNote email attachments in an effort to bypass macro-based security restrictions and compromise systems. Especially if you work in manufacturing, high-tech, telecom, finance, and energy emerging sectors, you should be extra careful.

The dropper malware is commonly distributed through spam emails containing malicious attachments, but as Microsoft has taken steps to block macros in downloaded Office files, OneNote attachments have emerged as an appealing alternative. Malwarebytes disclosed that the OneNote file is simple yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the “View” button, victims inadvertently double-click on an embedded script file instead. The Windows Script File (WSF) is then engineered to retrieve and execute the Emotet binary payload from a remote server.

These documents have been observed to leverage a technique called decompression bomb to conceal a very large file (over 550 MB) within ZIP archive attachments to fly under the radar.

How to protect yourself from Emotet?

By understanding how Emotet operates, you’ve taken the first step toward protecting yourself and your users from it. Extra measures include:

Always use the most recent patches for Microsoft Windows on your computers and other endpoints. To prevent cybercriminals from taking advantage of the Windows EternalBlue vulnerability, which is used by TrickBot when it is delivered as a secondary Emotet payload, the vulnerability must be patched.
Never open an unknown attachment or visit an unfamiliar URL. If you don’t open suspicious emails, Emotet won’t be able to gain access to your computer or network.
Password security is important; learn how to make secure ones and switch to two-factor authentication.
With a comprehensive cybersecurity program that features multiple layers of protection, you can protect yourself against Emotet.

Do you want to check whether your PC is infected with the Emotet malware? Click here and learn how to check it.