Emotet, a notorious and dangerous malware strain, has re-emerged after a period of dormancy. Its new iteration exhibits enhanced capabilities, notably evading macro security features and employing a method of delivery made popular by the malware QakBot, as previously reported by Nuspire. Here’s what you need to know.
After Microsoft disabled VBA macros by default, threat actors have shifted toward the use of OneNote (.one) email attachments to bypass restrictions and filtering.
Multiple malware families, including AsyncRAT, IcedID, RedLine Stealer and XWorm, have since piggybacked on this tactic and shifted their phishing attacks to OneNote files.
The phishing email uses an assortment of lures, such as invoices, tax forms and legal documents. Ultimately, each one encourages the potential victim to open the .one file, which presents a banner that says, “This document is protected. Double click to view.” Hidden under that banner, exactly where the user is instructed to double-click, is an embedded malicious script file that executes when interacted with.
Attackers are using this tactic to compromise systems, targeting businesses and individuals worldwide.
Nuspire has detections in place and actively threat hunts client environments for indicators of compromise related to suspicious OneNote executions.
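The behaviour described above (a double-clicked attachment inside a .one file launching a script) shows up in endpoint telemetry as OneNote spawning a script interpreter. The following is an added illustration of that hunt logic, written for this page and not Nuspire's own detection content. It runs over constructed process-creation events; the interpreter list, the script-extension list and the OneNote temp-path fragment are assumptions to tune for your environment.

```python
"""Hunt for OneNote launching script interpreters (added example, not Nuspire's code).

A malicious .one lure hides a script file behind a "Double click to view" banner.
When the user double-clicks it, OneNote writes the attachment to a temp folder and
starts it, so the parent of the resulting cmd/wscript/powershell process is
onenote.exe. The functions below flag that pattern in process-creation events.
"""
import ntpath
import re
from typing import Iterable

# Interpreters and living-off-the-land binaries a OneNote document has no
# legitimate reason to spawn. Assumed starting list; tune for your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe",
}

# Script-type embedded file extensions; the lookahead stops ".js" matching ".json".
SCRIPT_EXT_RE = re.compile(r"\.(cmd|bat|vbs|vbe|js|jse|wsf|hta|ps1)(?![a-z0-9])")

# Assumption: OneNote extracts double-clicked attachments under a
# ...\Temp\OneNote\... path before launching them (matched lower-cased).
ONENOTE_EXPORT_FRAGMENT = "\\temp\\onenote\\"

# Constructed sample events in a Sysmon-style shape (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\OneNote\16.0\Exported\{A1B2C3D4}\NT\0\Invoice.cmd"'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\splwow64.exe",          # benign print helper
     "command_line": "splwow64.exe 12288"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "command_line": r'"ONENOTE.EXE" "C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC123\Invoice_4821.one"'},
    {"parent_image": r"C:\Windows\explorer.exe",  # user opened a terminal
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe //B "C:\Users\jdoe\AppData\Local\Temp\OneNote\16.0\Exported\{E5F6A7B8}\NT\0\Open.wsf"'},
]


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def classify_event(event: dict) -> list[str]:
    """Return the reasons an event looks like OneNote-delivered script execution.

    An empty list means the event is not flagged. Only events whose parent is
    onenote.exe are considered, so OneNote itself being launched by Outlook is
    not a hit; the child it spawns is what matters.
    """
    reasons: list[str] = []
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "").lower()

    if parent != "onenote.exe":
        return reasons
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"onenote.exe spawned {child}")
    if ONENOTE_EXPORT_FRAGMENT in cmdline:
        reasons.append("command line references the OneNote attachment export path")
    if SCRIPT_EXT_RE.search(cmdline):
        reasons.append("command line references a script-type embedded file")
    return reasons


def hunt(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Run classify_event over a stream and return (index, reasons) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['command_line']}")
        for r in why:
            print(f"    - {r}")
```

Of the five constructed events only the two where ONENOTE.EXE spawns cmd.exe and wscript.exe are flagged; OneNote being started by Outlook and a user-launched cmd.exe are left alone. In practice the parent/child pairing is the high-confidence signal, and the temp-path and extension checks add corroborating context for triage.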
Organizations should still be wary of malicious Microsoft Word and Excel files, but the tactics are shifting heavily toward OneNote in the current threat landscape. The Cybersecurity and Infrastructure Security Agency (CISA) states that 90% of all cyberattacks begin with phishing, making this one of the top threats to consider.