
[Catch up with the trend] Emotet's comeback keeps pace with the times: malicious files dropped in OneNote are its shortcut past the gate - wepro180

by admin

Another hacker group is using Microsoft OneNote attachments to spread malware. This one is no newcomer: it is Emotet, which has a long criminal record. Experts point out that after three months of hibernation the group returned to a less than ideal start, infecting only a very small number of corporate accounts. After adjusting its strategy and following the general trend of using OneNote attachments, however, its infection rate rose sharply. How long will Microsoft wait before plugging the security hole?

The Emotet hacking group built its business on Trojan horse software. Once a company employee is lured into opening the file, the embedded Trojan is implanted on the computer. Besides stealing confidential corporate information, it also introduces other malware, including ransomware and botnet clients.

In 2021, Europol used the group's own servers to push an eradication command to infected devices automatically, uprooting the whole operation. In the preceding month alone, Emotet had taken control of more than 100,000 computers, most of them in Asia.

Because the problem is considered serious, all the major network protection vendors have strengthened their detection of Emotet. Microsoft's enterprise security platform, Microsoft Defender for Endpoint, may have overreached, though: because of a configuration problem it repeatedly sent enterprise users false Emotet detection alerts, leaving IT administrators in tears.

After a short break of about three months, Emotet resumed its attack campaign in March this year. Abel, a network security researcher who captured the activity, pointed out that at first the group still used its old infection method of injecting malicious macros into Microsoft Word and Excel files; because Microsoft now blocks that route, it was far less infectious than before.


Emotet changed its strategy very quickly, however, and switched to the popular method of embedding malicious attachments in Microsoft OneNote files, once again bypassing security monitoring and achieving a good infection rate.

OneNote is popular with hackers for three reasons. First, it is a common collaboration tool for corporate employees, and, just as with the macro security warnings in Microsoft Word and Excel, most employees simply click through the prompt that authorizes enabling content. Second, OneNote is highly flexible: it lets users embed files containing JavaScript, VBScript, PowerShell and other scripts in a page, which makes it easy for hackers to plant malicious code. Finally, because OneNote is a legitimate Microsoft application, security systems are less likely to treat its attachments as suspicious when users open them. Combined, these advantages naturally make it the attack format of choice.

As a veteran of the industry, Emotet naturally does not rely on ordinary methods. The researcher said the group also exploits OneNote's feature that lets users add page design elements. It first places an embedded VBScript attachment on the page sent in the phishing email, then covers it with an opaque overlay that carries a "View" button positioned directly over the attachment. An employee misled into clicking "View" to read the document actually runs the script, which downloads and executes a side-loaded DLL containing the encrypted malicious payload, infecting the computer. At this stage researchers cannot pinpoint which malware Emotet will ultimately deliver, but they believe the hackers will use infected computers as a springboard into corporate networks.


Although OneNote has become the main arena for this abuse, and Microsoft has announced that it will strengthen its protections, it has given no date for the update. Enterprise IT administrators can add rules on their secure mail gateways or mail servers to block ".one" attachments, or use policy to restrict OneNote from launching embedded attachments, but either measure is bound to get in the way of employees' work.
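The two defensive points above, spotting embedded script files inside a OneNote page and filtering ".one" attachments at the mail gateway, can be combined into one check. The script below is an added example written for this article; it is not code from wepro180, Bleeping Computer or Microsoft. The three GUIDs are the ones Microsoft documents in its MS-ONESTORE file-format specification (the .one section magic at offset 0, and the header/footer that bracket every embedded FileDataStoreObject); the 36-byte header layout (guidHeader, cbLength, unused, reserved) also follows that specification. The script-marker patterns, the blocked-extension policy and the sample section built by build_section() are constructed for illustration and are not a real Emotet sample. The example goes slightly beyond the article by checking the file magic rather than the name, so a renamed .one attachment is still recognized.

```python
import re
import struct

# GUIDs from the MS-ONESTORE specification, stored as little-endian bytes.
ONE_SECTION_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # .one guidFileType
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")        # FileDataStoreObject guidHeader
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")        # FileDataStoreObject guidFooter
FDSO_HEADER_LEN = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# Constructed heuristics: substrings typical of script droppers (VBScript, PowerShell, HTA).
SCRIPT_MARKERS = re.compile(
    rb"(WScript\.Shell|CreateObject\(|powershell|cmd(\.exe)?\s*/c|rundll32|regsvr32|<script)",
    re.IGNORECASE,
)

# Hypothetical gateway policy: attachment extensions rejected outright.
BLOCKED_EXTENSIONS = {"one"}


def is_onenote_section(data: bytes) -> bool:
    """True if the bytes carry the .one section magic, whatever the file is called."""
    return data[:16] == ONE_SECTION_MAGIC


def extract_embedded_files(data: bytes):
    """Return (offset, payload) for every FileDataStoreObject found in a section."""
    found = []
    pos = 0
    while True:
        i = data.find(FDSO_HEADER, pos)
        if i < 0 or i + FDSO_HEADER_LEN > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, i + 16)  # cbLength, uint64 LE
        start = i + FDSO_HEADER_LEN
        payload = data[start:start + length]  # tolerate a truncated last object
        found.append((i, payload))
        pos = start + len(payload)
    return found


def classify_payload(payload: bytes) -> str:
    """Coarse type of an embedded object, from its magic or script-like content."""
    if payload.startswith(b"MZ"):
        return "executable"
    if payload.startswith(b"PK\x03\x04"):
        return "archive"
    if payload.startswith(b"\x89PNG") or payload.startswith(b"\xff\xd8\xff"):
        return "image"
    if SCRIPT_MARKERS.search(payload):
        return "script"
    return "unknown"


def assess_onenote(data: bytes) -> dict:
    """Count embedded objects and how many look like code the user could be tricked into running."""
    kinds = [classify_payload(p) for _, p in extract_embedded_files(data)]
    risky = sum(1 for k in kinds if k in ("executable", "script"))
    return {"embedded": len(kinds), "kinds": kinds, "risky": risky}


def gateway_verdict(filename: str, data: bytes) -> str:
    """Decide what a mail gateway should do with one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "reject: blocked extension"
    if is_onenote_section(data):  # a renamed .one still carries the magic
        a = assess_onenote(data)
        if a["risky"]:
            return f"quarantine: onenote section with {a['risky']} risky embedded object(s)"
        return "allow: onenote section without risky embedded objects"
    return "allow"


def build_section(payloads) -> bytes:
    """Constructed fixture: a minimal byte stream laid out like a .one section."""
    out = bytearray(ONE_SECTION_MAGIC + b"\x00" * 48)
    for p in payloads:
        out += FDSO_HEADER + struct.pack("<Q", len(p)) + b"\x00" * 12 + p + FDSO_FOOTER
    return bytes(out)


# Constructed sample objects: a harmless image and a benign VBScript that triggers the markers.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_VBS = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "cmd /c echo constructed sample"'

if __name__ == "__main__":
    sample = build_section([SAMPLE_PNG, SAMPLE_VBS])
    print(assess_onenote(sample))
    print(gateway_verdict("invoice.one", sample))   # rejected by extension policy
    print(gateway_verdict("invoice.dat", sample))   # renamed, still caught by magic
```

Run it on a real section file by reading the bytes and passing them to gateway_verdict(); in production the script-marker list is the part that needs tuning, since it is the only heuristic here that is not derived from the documented file layout.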

Source: https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/

Related article: [Rushing Crowd] Microsoft OneNote is not protected by MOTW, you can attach malicious files at will
