Emotet once again. But this time the distribution is through OneNote attachments to evade macro security. The new wave of Emotet uses OneNote attachments to bypass Microsoft’s security restrictions, macro blocking, and infect as many targets as possible.

Again emotet

Emotet is a well-known botnet malware, historically distributed through Microsoft Word and Excel attachments containing malicious macros. When the user opens the attachment and enables macros, he downloads a DLL, the execution of which installs the Emotet malware on the device.

Once downloaded, the malware steals email contacts and content for use in future spam campaigns. It also downloads other payloads that provide initial access to corporate networks. Corporate access exploited to conduct cyber attacks against the company, including ransomware attacks, data theft, cyber espionage and extortion of money.

Because Microsoft now automatically blocks macros in downloaded Word and Excel documents, including email attachments, this new campaign has changed. It now exploits OneNote files to distribute malware and evade Microsoft’s blocking of macros.

How it works?

Microsoft OneNote documents attached to emails display a message warning that the file is protected. And it invites you to double-click on the View button.

In order for users to read the document, they are asked to enable the contents.
Once the macros are enabled, they download a zipper archive containing the 64-bit Emotet DLL, also over 500 megabytes in size. The Emotet DLL is then saved on the system in any folder in the %LocalAppData% directory and launched using the regsvr32.exe service

While waiting for security updates from Microsoft, the best weapon of defense is risk awareness. One must learn to recognize phishing and avoid falling victim to it.

EmoCheck is also a tool that can be used to check the system for an infection caused by Emotet, but there is no solution that offers 100 percent protection against Emotet or other perpetually evolving Trojans. Therefore, sandboxing isolation and cleaning activities of all devices connected to the network to reduce the spread of malware are good practices.