Emotet handles Microsoft OneNote attachments


Emotet breaks new ground again and now spreads through Microsoft OneNote documents. The digital notebook, which is popular in companies, is therefore a danger for many users.

Since last summer, Microsoft has been rolling out its initiative to automatically block macros in downloaded documents. This has forced criminals to reconsider how they spread malware via spam. One notable change has been the use of Microsoft OneNote documents by several other criminal gangs. Now it's Emotet's turn to follow this strategy.

Dangerous OneNote documents

🔎 Clicking View triggers the dangerous script (Image: Malwarebytes).

The OneNote file is simple yet effective at socially engineering users: it shows a fake notification stating that the document is protected. The notification instructs victims to click the "Show" button, but in doing so they inadvertently double-click an embedded script file instead.

  • This triggers the Windows script engine (wscript.exe) and executes commands
  • The heavily obfuscated script retrieves Emotet's binary payload from a remote site
  • The file is saved as a DLL and executed via regsvr32.exe
  • Once installed on the system, Emotet then communicates with its command and control servers for further instructions.
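
The chain in the list above can be hunted for in process-creation telemetry. The following is an added example, not code from Malwarebytes or the original article, run over constructed events; it assumes the OneNote desktop process is named onenote.exe and that regsvr32.exe runs as a descendant of the wscript.exe instance.

```python
import ntpath

# Constructed process-creation events (pid, parent pid, image path) in the
# style of EDR or Sysmon telemetry. All pids and paths are made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\regsvr32.exe"},
    # Unrelated activity that must not alert: script host and regsvr32
    # started from the shell, with no OneNote process in their ancestry.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\regsvr32.exe"},
]

def basename(image):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(image).lower()

def ancestors(pid, by_pid):
    """Return the executable names of a process's ancestors, nearest first."""
    names, seen = [], set()
    parent = by_pid.get(by_pid[pid]["ppid"])
    while parent and parent["pid"] not in seen:  # 'seen' guards against loops
        seen.add(parent["pid"])
        names.append(basename(parent["image"]))
        parent = by_pid.get(parent["ppid"])
    return names

def find_onenote_chain(events):
    """Return (pid, reason) alerts for OneNote -> wscript -> regsvr32."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        chain = ancestors(e["pid"], by_pid)
        if name == "wscript.exe" and chain[:1] == ["onenote.exe"]:
            alerts.append((e["pid"], "script host started directly by OneNote"))
        elif name == "regsvr32.exe" and "wscript.exe" in chain:
            # OneNote must sit above the script host in the ancestry.
            if "onenote.exe" in chain[chain.index("wscript.exe"):]:
                alerts.append((e["pid"], "regsvr32 descended from OneNote script"))
    return alerts

if __name__ == "__main__":
    for pid, reason in find_onenote_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Real telemetry reuses pids over time, so a production version would key processes on a unique process identifier rather than the bare pid.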

While Emotet ramps up its malware spam distribution, users should be extra careful with this threat. Malwarebytes customers are protected against this threat at multiple layers within the attack chain, including web protection and malware blocking.

Emotet keeps popping up

Although Emotet has been on vacation, retired, and even shut down by the authorities before, it continues to pose a serious threat and demonstrates the effectiveness of social engineering attacks. While macros may soon be a thing of the past, attackers can use a variety of popular business applications to achieve their end goal and gain a foothold on corporate networks. An English-language blog article shows all the individual steps in the attack chain and which commands are used.

More at Malwarebytes.com

 


About Malwarebytes

Malwarebytes protects home users and businesses from dangerous threats, ransomware and exploits that are undetected by antivirus programs. Malwarebytes completely replaces other antivirus solutions in order to avert modern cybersecurity threats for private users and companies. More than 60,000 companies and millions of users trust Malwarebytes' innovative machine learning solutions and its security researchers to avert emerging threats and eliminate malware that antiquated security solutions fail to detect. You can find more information at www.malwarebytes.com.


 
