Emotet is back: OneNote targeted: Ransomware disguises itself as OneNote email attachmentxxx

June 7, 2023

Hardly any other malware is as sophisticated as Emotet. After the authorities initially succeeded in dismantling the Emotet infrastructure in 2021, activity with the malware soon increased again.

Now the creators behind Emotet have pulled off the next trick: The ransomware is back as a OneNote email attachment, warn the IT security experts at PSW GROUP (www.psw-group.de): “Since the beginning of 2023, Emotet has been back disguised as a OneNote email attachment. The new variant makes it even more difficult for users to recognise and avoid the danger. This is because the new variant is very clever in its camouflage. Victims are led to believe that the document is protected and that they have to click on the “View” button to view it. In reality, however, an embedded script is hidden behind it, which triggers the attack on the computer,” informs Patrycja Schrenk, Managing Director of PSW GROUP.

If the victim clicks on the OneNote email attachment of a seemingly known sender, the malware is downloaded and the entire hard drive of the computer is encrypted. Attackers now have an easy game and can demand a ransom in order to restore access to the files – or not. “This means that the ransomware not only poses a threat to companies and private users, but is also an example of how cleverly social engineering can be used to entice people to download malware. It is therefore all the more important that OneNote users exercise a high degree of caution and beware of potentially suspicious emails and attachments,” warns the IT security expert.

Microsoft itself has already recognised and identified the “OneNote” vulnerability, through which the malware can be infiltrated more easily than with the Office macro, for example. A solution is already being worked on to remedy the problem and generally ensure better protection against phishing attacks.

Protective measures

“It is not surprising that cybercriminals are devising new ways to re-establish their presence and cause as much damage as possible. Just as security aspects improve over time, threats and cybercrime continue to evolve. Unfortunately, there is no such thing as one hundred percent security, but companies can do a lot to increase the security of their data and system and thus be less vulnerable to an emotet attack,” Patrycja Schrenk explains.

The security expert and her team have compiled preventive security measures:

Create knowledge
Knowledge is the best defence against cyber threats, also at Emotet. “In awareness training, employees learn what threats exist on the World Wide Web, so that they can prevent them, but also react if the worst happens,” says Patrycja Schrenk.

Activate and implement security updates
Patches should be implemented as soon as possible after they are released in order to close any security gaps. “There are now even utilities that help keep up-to-date, whether on the server and online shop or on the computer,” Schrenk gives a tip.

Use anti-virus software regularly
Antivirus software that is kept up to date is worth its weight in gold – especially if it includes additional functions such as ransomware protection or a firewall.

Set up regular backups
If corporate data is encrypted by a ransomware attack, victims are likely to be grateful for any available backups that they have set up at regular intervals. This is because the backup can be easily restored after the systems have been cleaned. “But be careful: in addition to the regularity of backups, it is just as important to keep them separate from the rest of the company’s IT infrastructure. Because otherwise the ransomware could also encrypt the backups,” warns Schrenk. Ideally, the restarting and restoring of data should be planned so that, if the worst comes to the worst, everyone knows what to do, when and how.

Monitoring & reporting
Permanent monitoring helps to keep an overview of one’s own IT infrastructure and what is happening in it. “In the meantime, even artificial intelligence supports monitoring: so-called XDR solutions do not only start at end points, but are able to detect and ward off security threats in the entire infrastructure,” informs Patrycja Schrenk.

Setting up network segmentation
Client, server, domain controller networks, as well as production networks should definitely be separated from each other and administered in isolated segments. This can be segmented by application areas, trust zones or regions. “Segmentation means that there is not just one corporate network, but several independent ones that create a level of additional security through controlled interfaces,” explains the expert.

Management of authorisations
A detailed and finely granular authorisation concept prevents unauthorised access very efficiently. The golden rule is to only grant authorisations that are necessary.

Secure access
External access to the company network – for example by home office employees – should be secured by a VPN. “The accesses themselves should also be secured, for example through multi-factor authentication. Because even if criminals get hold of access data, they lack other factors that are necessary to log in,” advises Patrycja Schrenk.

Further information at: https://www.psw-group.de/blog/emotet-ist-zurueck/8926

Related Articles

Rohde & Schwarz at International Security Expo 2024

Rohde & Schwarz at International Security Expo 2024

Loss Prevention and a safe Critical Infrastructure with Advanced Scanning Technology Rohde & Schwarz participates in the annual International Security Expo, taking place in London, from September 24-25, 2024. At booth D30 in the Olympia main hall Rohde &...

Share This