Evades Macro Security via OneNote Attachments

Mar 20, 2023Ravie LakshmananEndpoint Security / Email Security

The notorious Emotet malware, in its return after a short hiatus, is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems.

Emotet, linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down.

A derivative of the Cridex banking worm – which was subsequently replaced by Dridex around the same time GameOver Zeus was disrupted in 2014 – Emotet has evolved into a “monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion.”

While Emotet infections have acted as a conduit to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was facilitated by means of TrickBot.

“Emotet is known for extended periods of inactivity, often occurring multiple times per year, where the botnet maintains a steady-state but does not deliver spam or malware,” Secureworks notes in its profile of the actor.

The dropper malware is commonly distributed through spam emails containing malicious attachments. But with Microsoft taking steps to block macros in downloaded Office files, OneNote attachments have emerged as an appealing alternative pathway.

“The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected,” Malwarebytes disclosed in a new alert. “When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.”

The Windows Script File (WSF) is engineered to retrieve and execute the Emotet binary payload from a remote server. Similar findings have been echoed by Cyble, IBM X-Force, and Palo Alto Networks Unit 42.

That said, Emotet still continues to use booby-trapped documents containing macros to deliver the malicious payload, employing social engineering lures to entice users into enabling macros to activate the attack chain.

Such documents have been observed to leverage a technique called decompression bomb to conceal a very large file (over 550 MB) within ZIP archive attachments to fly under the radar, according to multiple reports from Cyble, Deep Instinct, Hornetsecurity, and Trend Micro.

This is achieved by padding 00-byte at the end of the document to artificially inflate the file size so as to exceed the limitations imposed by anti-malware solutions.

The latest development is a sign of the operators’ flexibility and agility in switching attachment types for initial delivery to evade detection signatures. It also comes amid a spike in threat actors using OneNote documents to distribute a wide range of malware such as AsyncRAT, Icedid, RedLine Stealer, Qakbot, and XWorm.

According to Trellix, a majority of the malicious OneNote detections in 2023 have been reported in the U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia, with manufacturing, high-tech, telecom, finance, and energy emerging as the top targeted sectors.