Emotet Malware Adapts to OneNote Attachments in Latest Campaign

The Emotet malware, a sophisticated banking trojan known for stealing confidential data from its targets, has resurfaced in a new campaign that delivers OneNote attachments in spam emails. The campaign, which began on March 7th, shows how the criminals behind it keep adapting their methods to evade detection and compromise targets.

OneNote is a popular Microsoft application that lets users keep notes, ideas, and thoughts in one central place. Using OneNote attachments in spam campaigns is not new; other malware families such as Qakbot have used the technique before. What is new is that Emotet has switched to OneNote attachments in place of its traditional ZIP archives containing malicious document files.

[Figure: Emotet Delivery Mechanism] Source: https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/

In the latest campaign, the infection chain starts when the user opens the OneNote attachment from the spam email and is prompted to enable macros. Once they do, the malware is downloaded onto the system and the attackers can begin extracting confidential data, including passwords and banking details. To evade detection by anti-virus programs, Emotet also uses a technique called "ZIP bombing," which compresses a very large DOC file into a small archive file.

Cybersecurity experts from Cyble Research and Intelligence Labs (CRIL) advise individuals and organizations to remain vigilant and to avoid opening attachments from unknown sources. Enabling two-factor authentication and keeping anti-virus software up to date are also recommended.

While Microsoft plans to add improved protections against phishing documents to OneNote, Windows admins can already configure group policies to defend against malicious OneNote files. These policies can block embedded files in OneNote entirely, or specify the file extensions that should be blocked from running.
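The following PowerShell script is an added example, not code from the article or from Cyble, showing how an admin could apply and then audit the two OneNote embedded-file policies just described on a single machine through the user policy registry hive. The registry path (`HKCU:\...\OneNote\Options\EmbeddedFileOpenOptions`), the value names `DisableEmbeddedFiles` and `BlockedExtensions`, and the extension list are assumptions believed to match the Office ADMX templates; confirm them against your own ADMX files, and use the Group Policy editor for domain-wide deployment.

```powershell
# Added example (not from the original article): apply and audit the OneNote
# embedded-file policies described above by writing the user policy registry keys.
# ASSUMPTION: path and value names are believed to match the Office 2016/365 ADMX
# templates ("Disable embedded files" / "Embedded Files Blocked Extensions").
# Verify against your ADMX files before deploying.

$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\16.0\OneNote\Options\EmbeddedFileOpenOptions'

# Constructed block list: script and executable types commonly abused in attachments.
$BlockedExtensions = @('.js', '.jse', '.exe', '.com', '.cmd', '.bat', '.scr', '.ps1',
                       '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.lnk', '.msi', '.pif')

function Set-OneNoteEmbeddedFilePolicy {
    param(
        [switch]$DisableAllEmbeddedFiles,          # block every embedded file, not just the list
        [string[]]$Extensions = $BlockedExtensions
    )
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # DisableEmbeddedFiles = 1 stops OneNote from opening any embedded file at all.
    $disable = if ($DisableAllEmbeddedFiles) { 1 } else { 0 }
    New-ItemProperty -Path $PolicyPath -Name 'DisableEmbeddedFiles' `
        -PropertyType DWord -Value $disable -Force | Out-Null
    # BlockedExtensions is a semicolon-separated list of extensions OneNote refuses to launch.
    $list = ($Extensions | ForEach-Object { $_.ToLower() } | Sort-Object -Unique) -join ';'
    New-ItemProperty -Path $PolicyPath -Name 'BlockedExtensions' `
        -PropertyType String -Value $list -Force | Out-Null
}

function Test-OneNoteEmbeddedFilePolicy {
    param([string[]]$RequiredExtensions = $BlockedExtensions)
    # Report whether the key exists, whether all embedded files are disabled, and
    # which required extensions are absent from the configured block list.
    $result = [ordered]@{
        PolicyKeyPresent      = $false
        EmbeddedFilesDisabled = $false
        MissingExtensions     = @()
    }
    if (-not (Test-Path $PolicyPath)) { return [pscustomobject]$result }
    $result.PolicyKeyPresent = $true
    $props = Get-ItemProperty -Path $PolicyPath
    $result.EmbeddedFilesDisabled = ($props.DisableEmbeddedFiles -eq 1)
    $configured = @()
    if ($props.BlockedExtensions) {
        $configured = $props.BlockedExtensions.ToLower() -split ';'
    }
    $result.MissingExtensions = @($RequiredExtensions |
        Where-Object { $configured -notcontains $_.ToLower() })
    return [pscustomobject]$result
}

# Usage: block the listed extensions (other embedded files stay usable), then audit.
Set-OneNoteEmbeddedFilePolicy
$audit = Test-OneNoteEmbeddedFilePolicy
if ($audit.PolicyKeyPresent -and $audit.MissingExtensions.Count -eq 0) {
    Write-Host 'OneNote embedded-file block list is in place.'
} else {
    Write-Warning ('Policy gap: missing ' + ($audit.MissingExtensions -join ', '))
}
```

The extension list is the more targeted of the two controls: it leaves ordinary embedded documents working while refusing script and executable types. Pass `-DisableAllEmbeddedFiles` instead where users have no business opening any embedded file, and run the audit function from a scheduled task or configuration check so that a policy that fails to apply is noticed rather than assumed.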

In conclusion, the use of OneNote attachments in spam campaigns is one more example of how cybercriminals continuously evolve their methods. Staying informed about the latest threats and taking proactive protective measures remain essential to avoid becoming a victim of cybercrime.