Emotet Malware Expands to Microsoft OneNote Files

The Emotet botnet is spreading once again, this time using Microsoft OneNote email attachments to bypass Microsoft's latest security restrictions and infect more computers. Emotet has historically spread through Microsoft Word and Excel email attachments containing malicious macros which, if enabled by the user, download and run a malicious DLL that installs Emotet on the victim's machine. Once installed, the malware can steal contacts and email messages for future spam campaigns and can also be used to drop additional payloads for further cyber attacks.

However, since Microsoft began automatically blocking macros in Word and Excel documents downloaded from the internet, including files attached to emails, Emotet's campaigns had been significantly weakened. The attackers have since responded by spreading it through OneNote instead, as shown in the attack example referenced above, in which a malicious OneNote attachment is sent by email; the document contains a fake message prompting the user to open an embedded malicious file labeled "Click.wsf".

While OneNote displays a warning when an embedded file is launched, many users press the "OK" button anyway without considering the consequences. Microsoft is aware of the problem and has said it will provide improved protection against phishing documents in OneNote; a specific release date has yet to be announced. As an interim measure, Windows system administrators can use Group Policy to block embedded scripts in Microsoft OneNote, either fully or partially.
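Because the name OneNote shows for an embedded file ("Click.wsf" in the campaign above) is chosen by the attacker, mail gateways and incident responders generally want to inspect the embedded payloads in a .one attachment directly rather than trust the label. The following Python script is an added example and is not code from the original article or from any Emotet sample: it walks a .one byte blob looking for embedded file objects and flags those whose content looks like a script-host file or a Windows executable. The record layout it assumes (header GUID, 8-byte length, 12 bytes of unused/reserved fields, then the raw file bytes) follows my reading of the MS-ONE FileDataStoreObject structure; the sample blob is constructed inline for the demonstration.

```python
"""Scan a OneNote (.one) byte blob for embedded file objects and flag script/executable payloads.

Added example, not code from the original article. The FileDataStoreObject layout used here
(header GUID, cbLength, unused, reserved, then FileData) is my reading of the MS-ONE
specification; SAMPLE_ONE below is constructed for the demo and is not a real attachment.
"""
import struct
from dataclasses import dataclass

# Header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} in its on-disk (mixed-endian) byte order.
EMBEDDED_FILE_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")


@dataclass
class EmbeddedFile:
    offset: int   # where the header GUID was found in the blob
    size: int     # cbLength as recorded in the object
    data: bytes   # the raw embedded file bytes
    kind: str     # content-based classification, independent of the displayed name


def classify(data: bytes) -> str:
    """Rough content-based classification; the filename OneNote displays is attacker-controlled."""
    head = data[:4096]
    if head.startswith(b"MZ"):
        return "executable"
    low = head.lower()
    if b"<job" in low or b"<script" in low or b"wscript" in low:
        return "script"   # WSF/HTA-style Windows Script Host content
    if head.startswith(b"%PDF"):
        return "pdf"
    return "other"


def extract_embedded_files(blob: bytes) -> list[EmbeddedFile]:
    """Return every complete embedded file object found in the blob, in file order."""
    found = []
    pos = blob.find(EMBEDDED_FILE_HEADER)
    while pos != -1:
        length_off = pos + len(EMBEDDED_FILE_HEADER)
        if length_off + 8 > len(blob):
            break   # header at the very end of a truncated file
        (cb_length,) = struct.unpack_from("<Q", blob, length_off)
        data_off = length_off + 8 + 4 + 8   # skip cbLength, unused (4) and reserved (8)
        data = blob[data_off:data_off + cb_length]
        if len(data) == cb_length:          # keep only objects whose data is fully present
            found.append(EmbeddedFile(pos, cb_length, data, classify(data)))
        pos = blob.find(EMBEDDED_FILE_HEADER, pos + len(EMBEDDED_FILE_HEADER))
    return found


def risky_payloads(blob: bytes) -> list[EmbeddedFile]:
    """Embedded objects a mail gateway would normally quarantine or strip."""
    return [f for f in extract_embedded_files(blob) if f.kind in ("script", "executable")]


def build_embedded_object(data: bytes) -> bytes:
    """Constructed helper: wrap data in a FileDataStoreObject-shaped record for the sample."""
    return EMBEDDED_FILE_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data


# Constructed sample blob: a benign text note, a WSF-style script and an MZ stub between filler bytes.
SAMPLE_ONE = (
    b"\x00" * 32
    + build_embedded_object(b"quarterly notes, nothing to see")
    + b"\xff" * 16
    + build_embedded_object(
        b'<?xml version="1.0"?><job id="x"><script language="JScript">WScript.Echo(1)</script></job>'
    )
    + build_embedded_object(b"MZ\x90\x00" + b"\x00" * 60)
)

if __name__ == "__main__":
    for f in extract_embedded_files(SAMPLE_ONE):
        print(f"offset={f.offset} size={f.size} kind={f.kind}")
    print(f"{len(risky_payloads(SAMPLE_ONE))} risky embedded object(s)")
```

Run against a real attachment by passing the file's bytes to `risky_payloads`; a non-empty result is a reasonable trigger for quarantine or for an alert, and `EmbeddedFile.data` can be handed to a sandbox or hashed for correlation. The classification is deliberately content-based: renaming a script to look like a document does not change what `classify` sees.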
