Emotet Returns with Campaign Using OneNote Email Attachments

After a hiatus of around 3 months, the Emotet botnet sprung back to life and is sending large volumes of malicious emails. Initially, the email campaigns had Word and Excel file attachments and used macros to deliver the Emotet Trojan. The problem with this approach is Microsoft now disables macros by default in Internet-delivered Office files, which means Office documents and spreadsheets are no longer effective for malware delivery. It is therefore no surprise that the operators of the Emotet botnet (Mummy Spider/TA542/Gold Crestwood) changed tactics and, like many other threat actors, have switched to malicious Microsoft OneNote files for delivering malware.

Emotet started out as a banking Trojan but has since evolved into a malware botnet that is used to deliver additional malware payloads for other threat actors on a pay-per-install basis. Emotet malware has been used to deliver a wide range of malicious payloads such as banking trojans, information stealers, and ransomware. The botnet is not continually active and has multiple periods each year when it is not being used to send spam emails or deliver malware, and during this downtime is maintained in a steady state ready for action.

Emotet is capable of self-distribution and hijacks email accounts and uses them to send copies of itself to contacts. Message threads are hijacked to make it appear that the emails are responses to past conversations, which increases the likelihood of the messages and malicious attachments being opened or hyperlinks in the emails being clicked.

This campaign is no different. Reply-chain emails are used that have a OneNote attachment and impersonate invoices, shipping notices, guides, and many other social engineering lures. If the OneNote document is opened, the user will be presented with a warning that the document is protected and are told that they must double-click on the view button to open the document and view the content. Underneath the view button is a VBScript file (click.wsf). When the user double clicks on view, they inadvertently execute the script.

Before that occurs, the user is presented with a warning alerting them about the risk of opening embedded files in OneNote, but these warnings are often ignored by users. Clicking OK on the warning will allow the embedded VBScript file to execute, which will trigger the download and execution of a DLL file from a remote site, which will deliver and execute the Emotet Trojan.

Emotet will steal information from the device, await instructions from its command-and-control server, and will likely steal emails, and contact lists, and use email accounts to send copies of itself to contacts. It is unclear what malicious payloads are being delivered by Emotet in this campaign, although Cobalt Strike is likely as are IcedID, AsyncRAT, Qakbot (Qbot), RedLine Stealer, and ransomware payloads.

To protect against the use of OneNote files for malware delivery, Windows admins should consider using a group policy to prevent users from being able to execute embedded files in OneNote, or if this is not practical, specify which file extensions can be executed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news