The notorious Emotet threat group has shifted its malicious campaigns to OneNote documents. Based on reports, the group has joined QakBot, Formbook, and several other malware operations in abusing OneNote documents for cybercriminal campaigns.
These attacks became prevalent after Microsoft deployed updates that auto-block macros in downloaded Word and Excel docs at the start of 2023.
Emotet operators exploit OneNote attachments to spread their payloads.
According to recent investigations, the Emotet threat operators have utilised the Microsoft OneNote attachments to deploy their malware strains to targets.
Moreover, the cybercriminal operation has reused its already-tested reply-chain email attack strategy, along with job references, invoice impersonation, and how-to guides as lures, to execute its attacks.
Once a target opens the file, they see a message stating that the document is secured and that they should click the ‘View’ button to access it. Clicking the button actually launches the wscript[.]exe scripting engine to run an embedded VBScript: the attackers place the fake View button on top of the VBScript file to deceive their targets.
Experts explained that Emotet’s VBScript file is an obfuscated script that downloads the Emotet binary payload from a remote server to a temporary folder on the compromised device.
The malware then connects with the command-and-control server to retrieve additional commands upon initiation.
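The chain above hinges on a script file embedded inside the OneNote document. The following is an added triage example, not code from the article or from any research team it cites: it walks the embedded-file objects in a raw `.one` file and flags those that look like scripts or executables. It assumes the FileDataStoreObject layout from Microsoft's public MS-ONESTORE specification (a 16-byte header GUID `{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}`, an 8-byte little-endian length, 4 unused and 8 reserved bytes, the file data, then a footer GUID `{71FBA722-0F79-4A0B-BB13-899256426B24}`); the sample document it builds for itself is constructed for the example and is not an Emotet artifact.

```python
"""Triage a OneNote (.one) file for embedded objects that could be launched by wscript.exe.

Added example for defenders; assumes the FileDataStoreObject layout documented in
MS-ONESTORE. Not the article's or any vendor's code.
"""
from __future__ import annotations

import hashlib
import re
import struct
import sys
import uuid

# GUIDs from the MS-ONESTORE spec, stored little-endian inside the file.
GUID_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
GUID_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Text markers typical of VBScript/JScript droppers (assumed heuristics, not a full rule set).
SCRIPT_MARKERS = re.compile(
    rb"(?i)\b(CreateObject|WScript\.Shell|Scripting\.FileSystemObject|MSXML2\.XMLHTTP|ADODB\.Stream)\b"
)
# Leading magic bytes for a few common container/executable formats.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-or-ooxml",
    b"%PDF": "pdf",
    b"{\\rtf": "rtf",
    b"\x7fELF": "elf",
}


def classify(blob: bytes) -> str:
    """Rough type label for one embedded object: magic bytes first, then script markers."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    if SCRIPT_MARKERS.search(blob):
        return "script"
    return "other"


def extract_embedded_files(data: bytes) -> list[dict]:
    """Return one record per FileDataStoreObject found in the raw .one bytes."""
    found = []
    pos = data.find(GUID_HEADER)
    while pos != -1:
        body = pos + HEADER_SIZE
        if body > len(data):
            break  # truncated header, nothing more to parse
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        file_data = data[body : body + cb_length]
        footer_ok = data[body + cb_length : body + cb_length + 16] == GUID_FOOTER
        found.append(
            {
                "offset": pos,
                "length": cb_length,
                "sha256": hashlib.sha256(file_data).hexdigest(),
                "kind": classify(file_data),
                "footer_ok": footer_ok,  # a missing footer hints at a corrupt or crafted object
            }
        )
        pos = data.find(GUID_HEADER, body + max(cb_length, 1))
    return found


def suspicious(records: list[dict]) -> list[dict]:
    """Objects worth a closer look: scripts and native executables embedded in a note."""
    return [r for r in records if r["kind"] in ("script", "pe-executable")]


def build_sample_one(payload: bytes) -> bytes:
    """Constructed fixture: padding, one FileDataStoreObject around `payload`, more padding."""
    return (
        b"\x00" * 32
        + GUID_HEADER
        + struct.pack("<Q", len(payload))
        + b"\x00" * 4  # unused
        + b"\x00" * 8  # reserved
        + payload
        + GUID_FOOTER
        + b"\x00" * 16
    )


# Constructed placeholder script body: the marker is enough to trigger the heuristic.
SAMPLE_SCRIPT = b'Set s = CreateObject("WScript.Shell")\r\n\' constructed placeholder, does nothing\r\n'

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_one(SAMPLE_SCRIPT)
    records = extract_embedded_files(raw)
    flagged = {r["offset"] for r in suspicious(records)}
    for rec in records:
        tag = "SUSPICIOUS" if rec["offset"] in flagged else "ok"
        print(f"{tag:10} offset={rec['offset']} len={rec['length']} kind={rec['kind']} sha256={rec['sha256'][:16]}...")
```

Run it with a `.one` file as the only argument, or with no arguments to see it flag its own constructed sample. The hashes it prints can be matched against whatever threat intelligence feed the SOC already uses; the magic-byte and marker checks are deliberately simple and should be treated as a first pass, not as a verdict.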
However, the final payloads are not yet known; experts believe the Emotet group downloads Cobalt Strike or other malware that could give it complete access to the targeted device. Lastly, researchers suspect these final payloads could aid the Emotet operators in moving through the targeted network.
The Emotet cybercriminal operation, like numerous other campaigns, is actively leveraging the OneNote feature to establish a foothold in targeted enterprise networks. Cybersecurity experts therefore expect Microsoft to further enhance its protections soon, and in the meantime Windows admins should act now to mitigate the risk.
Admins should set up Group Policies that either allow only the specific file extensions their business needs or completely block embedded files inside OneNote.