Jump to content
  • Emotet is back: Microsoft OneNote is not a safe place anymore

    alf9872000

    • 381 views
    • 3 minutes
     Share


    • 381 views
    • 3 minutes

    Emotet is back and ready to strike via Microsoft OneNote email attachments. The Emotet threat, associated with the Gold Crestwood, Mummy Spider, or TA542 threat actor, remains active and resilient despite law enforcement's best efforts to counter it.

     

    It was originally a derivative of the Cridex banking worm but has since evolved into a monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion.

    Emotet is back and spreading with Microsoft OneNote attachments

    After a brief absence, the notorious Emotet malware has returned, this time spreading through Microsoft OneNote email attachments in an effort to bypass macro-based security restrictions and compromise systems. Especially if you work in manufacturing, high-tech, telecom, finance, and energy emerging sectors, you should be extra careful.

     

    awmleer-I-YyrXUphc-unsplash.jpg

     

    The dropper malware is commonly distributed through spam emails containing malicious attachments, but as Microsoft has taken steps to block macros in downloaded Office files, OneNote attachments have emerged as an appealing alternative. Malwarebytes disclosed that the OneNote file is simple yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the "View" button, victims inadvertently double-click on an embedded script file instead. The Windows Script File (WSF) is then engineered to retrieve and execute the Emotet binary payload from a remote server.

     

    These documents have been observed to leverage a technique called decompression bomb to conceal a very large file (over 550 MB) within ZIP archive attachments to fly under the radar.

    How to protect yourself from Emotet?

    By understanding how Emotet operates, you've taken the first step toward protecting yourself and your users from it. Extra measures include:

     

    • Always use the most recent patches for Microsoft Windows on your computers and other endpoints. To prevent cybercriminals from taking advantage of the Windows EternalBlue vulnerability, which is used by TrickBot when it is delivered as a secondary Emotet payload, the vulnerability must be patched.

     

    • Never open an unknown attachment or visit an unfamiliar URL. If you don't open suspicious emails, Emotet won't be able to gain access to your computer or network.

     

    • Password security is important; learn how to make secure ones and switch to two-factor authentication.

     

    • With a comprehensive cybersecurity program that features multiple layers of protection, you can protect yourself against Emotet.

     

    Do you want to check whether your PC is infected with the Emotet malware? Click here and learn how to check it.

     

    Source

    Edited by Karlston


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...