Ransomware: Emotet returns – as a OneNote email attachment

Emotet is back – again. The cybergang behind the sophisticated malware is known for intermittent, lengthy pauses. Since the beginning of the month, however, cybercriminals have been looking for victims again. The IT security researchers from Cofense observed around two weeks ago that Emotet is becoming active again. Malicious emails with unencrypted ZIP files attached ended up in inboxes.

The e-mails appear to be replies to existing e-mail threads, as has been observed on several occasions with Emotet. They mostly revolve around finances and bills, explain the Cofense employees.

The previously used ZIP files did not require a password to unpack and contained Office documents with malicious macros; however, recipients would need to “Enable Content” prior to execution. After starting, they then download the Emotet malware as a .dll file. The IT researchers have not yet been able to estimate the duration of the campaign, they write in a blog entry.

To circumvent such hurdles and restrictions, the Emotet masterminds are now using OneNote file attachments in emails, reports the security company Malwarebytes. The OneNote file is simple yet effective at social engineering. It contains the false notification that the document is protected. Instead, when victims double-click the “View” button, it passes the clicks through and launches an embedded script.

This script is heavily obfuscated and downloads the Emotet malware from the web. In this case, too, the malware is in the form of a .dll file and is detected using regsvr32.exe started. If the malware is running, it contacts its command and control servers and waits for instructions from there.

Microsoft has already recognized the “OneNote gap” through which malware can be smuggled in more easily than, for example, with the Office macros. The company is now working on better protection against phishing using OneNote file attachments.

Emotet has been threatening users online since 2018. The Trojan runs numerous malicious functions. Once the malware has been started, it can load other Trojans, nest deep in the network and install backdoors. The masterminds behind it usually use well-crafted fraudulent emails to trick victims into running the malware. For example, spear phishing gives them access to internal information that makes the emails more credible.

In early 2021, prosecutors struck a major blow to the infrastructure behind Emotet. After that, the pest became quieter at first, but it keeps reappearing on the scene at irregular intervals.


To home page

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *