Emotet malware now distributed in Microsoft OneNote files to evade defenses

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/

The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.

Emotet is a notorious malware botnet historically distributed through Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL will be downloaded and executed that installs the Emotet malware on the device.

Once loaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network.

This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.

While Emotet was one of the most distributed malware in the past, over the past year, it would stop and start in spurts, ultimately taking a break towards the end of 2022.

After three months of inactivity, the Emotet botnet suddenly turned back on, spewing malicious emails worldwide earlier this month.

However, this initial campaign was flawed as it continued to use Word and Excel documents with macros. As Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails, this campaign would only infect a few people.

Due to this, BleepingComputer predicted that Emotet would switch to Microsoft OneNote files, which have become a popular method for distributing malware after Microsoft began blocking macros.

As predicted, in an Emotet spam campaign first spotted by security researcher abel, the threat actors have now begun distributing the Emotet malware using malicious Microsoft OneNote attachments.

These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.

Emotet malware now distributed in Microsoft OneNote files to evade defenses

The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.

www.bleepingcomputer.com

 

[MuzzMelbourne]

Surely the US government HAS to ban Microsoft software as a potential National Security threat at some point...

 

[ForgottenSeer 98186]

Surely the US government HAS to ban Microsoft software as a potential National Security threat at some point...

Blocking .one files is on the implemented US govt block list.

How easy was that?

 

[Andy Ful]

Emotet malware now distributed in Microsoft OneNote files to evade defenses

The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.

www.bleepingcomputer.com

This is a never-ending story. Microsoft constantly adds convenient features, which are next exploited to infect the users. After some time (months, years) Microsoft blocks some features, adds ASR rules, and improves Windows security. In the case of One Note, the infection can be prevented by one of the Defender ASR rules or by applying some Office policies. The percentage of victims does not decrease over time.
I wonder how will be the ratio of victims to happy people after integrating AI with Microsoft Office.

 

[ForgottenSeer 98186]

This is a never-ending story. Microsoft adds new features, which are next exploited to infect the users. After some time (months, years) Microsoft blocks some features, adds ASR rules, and improves Windows security.

People and organizations that understand this cycle expect Microsoft implementations and features to be abused and exploited. So they are proactive at creating policies that block those vectors.

 

[Andy Ful]

There is an interesting question. Could people be safer if there were no active elements in documents? I am not sure because cyber criminals can quickly adapt to the situation.
Anyway, more convenience seems to be closely related to less security. It is probably true, that more security can be realized by wisely decreasing convenience. The security problem can be similar to the obesity problem (in wealthy countries).

 

[ForgottenSeer 98186]

There is an interesting question. Could people be safer if there were no active elements in documents? I am not sure.

I think very much the answer is "Yes."

Microsoft keeps piling on features. This creates more attack surface and complexity. These are treasures for threat actors.

If Microsoft would just disable interpreters and some other LOLBins on Windows Home by default, a majority of attack vectors would be mitigated. Microsoft discovered this with S Mode. It proclaimed it to be its most secure version of Windows ever. However, public outcry from "users that want to use" stuff made S Mode non-viable for the most vulnerable and insecure user group of all - the unmanaqed home user.

Microsoft did try to force everybody to upgrade to the much more secure Windows 10, but much of the world refused. Microsoft had to give users the option because of obsolete beliefs and thinking. Public opinion mattered more. So Microsoft gave people what they demanded and then those very same people lament about how insecure Windows is.

You know, discussions leave out a lot of important details such as the fact that the vast majority of weaponized documents are successful on pirated, obsolete versions of Office. And there is no comparison between a western user and a user from some village or town located in a 2nd or 3rd world country. The knowledge is completely different. This can be greatly expended to cover a lot of pertinent areas, but at the end of the day half of the world's population, at least, has no idea what they're doing on a PC or laptop. Should they be given the same version of Windows as a knowledgeable user who is proficient in security? I don't think so. It defies any and all common sense.

 

[Trident]

Could people be safer if there were no active elements in documents?

No, because there are tens of other vectors. If malware stopped working, they would all re-orient towards Phishing and SCAM. But active elements should be blocked regardless.

 

[ForgottenSeer 98186]

No, because there are tens of other vectors. If malware stopped working, they would all re-orient towards Phishing and SCAM. But active elements should be blocked regardless.

I think it would solve a significant portion of the insecurity problem.

Users, even unknowledgeable ones, are better at handling phishing than malware.

But you are absolutely right. Threat actors will adapt and change tactics. However, locking them out of the victim OS will make things infinitely more difficult for them.

 

[Andy Ful]

I think very much the answer is "Yes."

Microsoft keeps piling on features. This creates more attack surface and complexity. These are treasures for threat actors.

It is not as simple as it seems. The Windows S mode cannot be a good example, because most people still use vulnerable Windows. It is true that Windows in S mode has got sufficiently smaller attack surface, but this probably could not stop the criminals (they can adapt quickly) if most people would use S mode. The "lower fruit" is relative and the giraffe is a good example of adaptation.

 

[Trident]

It is not as simple as it seems. The Windows S mode cannot be a good example, because most people still use vulnerable Windows. It is true that Windows in S mode has got sufficiently smaller attack surface, but this probably could not stop the criminals (they can adapt quickly) if most people would use S mode. The "lower fruit" is relative and the giraffe is a good example of adaptation.

Yes, looking back they have adapted to all mitigations implemented with very few exceptions. They will adapt to all recent implementations as well.

 

[ForgottenSeer 98186]

It is not as simple as it seems.

There is no simple answer. The solutions are painful because the problems are multi-part involving government, society, OEMs, software publishers, businesses, users, etc. Each one plays their part and must be a part of the solution.

The Windows S mode cannot be a good example, because most people still use vulnerable Windows.

I just used S Mode as an example. Microsoft claims that it has been its most secure OS, but it is only for business now because home users complained that it was too restrictive. Microsoft makes strong attempts to improve security, but public opinions and arguments are made as to why their efforts are no good. At least Microsoft tries. The solutions are not perfect, but as long as they are not implemented it will only get much, much worse at an exponential rate.

 

[Trident]

Microsoft claims that it has been its most secure OS, but it is only for business now because home users complained that it was too restrictive. Microsoft makes strong attempts to improve security,

Where are the fruits of these strong attempts Microsoft keeps making day and night? I don’t see them. I see a bunch of problems, some of which have been around since the early 2000s, hindering unsolved.

Windows S would’ve been OK if Microsoft had invested a little bit more to attract vendors to publish high-quality apps on their store. Microsoft failed to get this right with their mobile platform and they failed to get it right with Windows. An average and merely OK laptop is around £600-£700. What’s the point to purchase this if you will not be able to use any apps? You will be better off buying a tablet or a Chromebook. Windows S would have significantly hurt the PC sales and that’s why the plug was pulled.

 

[ForgottenSeer 98186]

Where are the fruits of these strong attempts Microsoft keeps making day and night? I don’t see them. I see a bunch of problems, some of which have been around since the early 2000s, hindering unsolved.

Windows S would’ve been OK if Microsoft had invested a little bit more to attract vendors to publish high-quality apps on their store. Microsoft failed to get this right with their mobile platform and they failed to get it right with Windows. An average and merely OK laptop is around £600-£700. What’s the point to purchase this if you will not be able to use any apps? You will be better off buying a tablet or a Chromebook. Windows S would have significantly hurt the PC sales and that’s why the plug was pulled.

You just answered the question itself. "Users want to use stuff" and that is exactly what Microsoft provides - a platform upon which users can do virtually anything they want. Microsoft takes a "hands-off" approach amongst a group of users who prioritize their own whims over security. Nobody can blame Microsoft.

Microsoft did try hard with the Microsoft Store, but developers did not want to adhere to Microsoft's rules. Here, again, people wanted the wild-wild west where they could do whatever they wanted in the Microsoft Store ecosystem. Microsoft would not allow them to do this. Plus there was no financial incentive for publishers to participate in the Windows Store ecosystem - and that was the real killer.

You mentioned Chromebooks and that is the platform that is suitable to a significant portion of digital citizens.

 

[Trident]

You mentioned Chromebooks and that is the platform that is suitable to a significant portion of digital citizens.

I’m using Chrome OS Flex out of curiosity on one device and I am loving it. It can’t run apps and I am fine with that.

How can other platforms have rules enforced? Is it really developers and users that want “the wild west” or is it just that Microsoft abilities, with their minimum re-investment, end there? With either “you can’t do anything just to be safe” approach or the contrary, “you can do everything”. Where is the middle and the balance at Microsoft?

Users have never needed a platform that resembles a house with a ploughed backyard, they just want to be able to use applications. These apps can be creative software, games, programmes needed for work or uni. These programs are not and will never be on Microsoft’s store but they can be checked and signed by Microsoft. Why has the execution of unsigned code been allowed for few decades?

 

[ForgottenSeer 98186]

These programs are not and will never be on Microsoft’s store but they can be checked and signed by Microsoft.

This is certainly a reasonable system, but I'm sure there are reasons why Microsoft does not enforce it strictly. I bet you the Microsoft attorneys would rattle off a laundry list of reasons why Microsoft does not do it.

Looking at how Microsoft handles security for home users, it is apparent to me at least that Microsoft has a more or less ambivalent stance towards unmanaged home users. It does offer Microsoft Defender and other protections, but mostly as a hand-me-down afterthought. Everybody seems to think that Microsoft developed Microsoft Defender for the masses. That's not true at all. It was developed specifically to create new revenue opportunities in the enterprise and SMB security market. Microsoft Defender was never the "next generation" of Microsoft Security Essentials.

The exception is SAC, which is developed directly from Microsoft's experiences with S Mode and intended specifically for home users. Will SAC be an effective solution? If I had to bet I'd say "probably not" because it does not go far enough. It does not address many other code execution areas.

Microsoft is certainly aware of all the issues that you have brought up. Even if an unmanaged home user is willing to pay for managed security, things such as different security profiles of AppLocker, WDAC, Group Policy, Microsoft Defender ATP, etc - Microsoft provides no purchase options for such users.

You and I can immediately see the real issue. How many home users are willing to pay even 20 euros per month for managed security? So the concept is a non-starter.