
The infamous Emotet malware is back after a short hiatus and is being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems.
Associated with threat actors tracked as Gold Crestwood, Mummy Spider, or TA542, Emotet continues to be a powerful and resilient threat despite removal attempts by law enforcement.
An offshoot of the Cridex banking worm – which was later replaced by Dridex around the time GameOver Zeus was discontinued in 2014 – Emotet has evolved into a “monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, enabling theft of sensitive data and extortion of ransoms.”
Emotet infections have served as a conduit for delivering Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, but its resurgence in late 2021 was fueled by TrickBot.
“Emotet is known for long periods of inactivity during which the botnet maintains a steady state but does not deliver spam or malware, often occurring several times a year,” Secureworks said in its threat profile of the group.

Dropper malware is usually distributed through spam emails that contain malicious attachments. But with Microsoft taking steps to block macros in downloaded Office files, OneNote attachments are emerging as an attractive alternative.
In a new alert, Malwarebytes said, “OneNote files are simple but effective at socially engineering users with fake notifications that the document is protected. When instructed to double-click a button, the victim inadvertently double-clicks the embedded script file.”

The embedded Windows Script File (WSF) is designed to retrieve and execute an Emotet binary payload from a remote server. Similar findings have been reported by Cyble, IBM X-Force, and Palo Alto Networks Unit 42.
That said, Emotet continues to deliver malicious payloads using booby-trapped documents containing macros, luring users with social engineering to enable the macros and fuel its attack chain.
According to multiple reports from Cyble, Deep Instinct, Hornetsecurity, and Trend Micro, such documents have been confirmed to use a technique called decompression bombing: very large files (over 550MB) are placed inside ZIP archive attachments so that they hide and fly under the radar.
This is achieved by padding the document with null (00) bytes at the end to artificially inflate the file size and exceed the scanning size limits imposed by anti-malware solutions.
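As an added example, not code from the article or from any of the vendors it cites, the following Python script shows how a defender can flag this padding trick in a mail-gateway or sandbox pipeline without fully expanding the archive: it compares each ZIP member's declared compressed and uncompressed sizes for an extreme compression ratio, then streams the member to measure how much of it is a trailing run of 0x00 bytes. The sample archive is constructed inline at toy scale, and the two thresholds are assumptions chosen for illustration, not values taken from any report.

```python
import io
import zipfile

# Thresholds are assumptions for illustration, not values from any vendor report.
MAX_COMPRESSION_RATIO = 100.0     # uncompressed:compressed ratio that is suspicious
MAX_TRAILING_NULL_FRACTION = 0.5  # more than half the file being a trailing 0x00 run


def build_sample_zip(pad_bytes: int) -> bytes:
    """Constructed sample: a small fake document body, optionally followed by a
    run of 0x00 bytes, packed into a ZIP like a malicious email attachment.
    Sizes are toy-scale, not the 550MB the article mentions."""
    body = b"fake document body for illustration\n" + bytes(range(256)) * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", body + b"\x00" * pad_bytes)
    return buf.getvalue()


def analyze_zip(zip_bytes: bytes) -> list:
    """Inspect each archive member without holding it fully in memory.

    The central directory already states both sizes, so the compression ratio
    costs nothing; the trailing-null measurement reads the member in 64 KiB
    chunks and keeps only the length of the current run of zeros."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            trailing = 0  # length of the 0x00 run that ends at the current position
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(1 << 16)
                    if not chunk:
                        break
                    stripped = chunk.rstrip(b"\x00")
                    if stripped:
                        # a non-null byte appeared: the run restarts after it
                        trailing = len(chunk) - len(stripped)
                    else:
                        # whole chunk is zeros: the run continues
                        trailing += len(chunk)
            null_fraction = trailing / info.file_size if info.file_size else 0.0
            reasons = []
            if ratio > MAX_COMPRESSION_RATIO:
                reasons.append(f"compression ratio {ratio:.0f}:1")
            if null_fraction > MAX_TRAILING_NULL_FRACTION:
                reasons.append(f"{null_fraction:.0%} of file is trailing null padding")
            results.append({
                "name": info.filename,
                "file_size": info.file_size,
                "compress_size": info.compress_size,
                "ratio": ratio,
                "trailing_null_fraction": null_fraction,
                "suspicious": bool(reasons),
                "reasons": reasons,
            })
    return results


if __name__ == "__main__":
    samples = (("clean", build_sample_zip(0)), ("padded", build_sample_zip(1_000_000)))
    for label, archive in samples:
        for r in analyze_zip(archive):
            print(label, r["name"], "suspicious" if r["suspicious"] else "ok", r["reasons"])
```

Because the check streams the member and never materialises the inflated file, it stays cheap even for attachments large enough to exceed a scanner's size limit; a real deployment would also want to cap the total bytes it is willing to decompress per archive and treat hitting that cap as a finding in its own right.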
The latest development demonstrates the operators’ flexibility and agility in switching attachment types for initial delivery to evade detection signatures. The OneNote format has also been adopted by a growing number of threat actors distributing various malware, including AsyncRAT, IcedID, RedLine Stealer, Qakbot, and XWorm.
According to Trellix, the majority of malicious OneNote detections in 2023 were reported in the United States, South Korea, Germany, Saudi Arabia, Poland, India, the United Kingdom, Italy, Japan, and Croatia, with manufacturing, high-tech, telecom, finance, and energy emerging as the top target sectors.