BIPI

Emotet Is Back: Epoch 4 and the OneNote Pivot

Threat Intelligence

Emotet survived the 2021 global takedown and came back, switching to OneNote attachments after Microsoft blocked internet-sourced macros by default. A deep look at Epoch 4 and 5 infrastructure and what defenders must do now.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 3, 2024 · 10 min read

#emotet #malware #phishing #onenote #botnet

On January 27, 2021, Europol, Eurojust, and law-enforcement agencies from eight countries announced the coordinated takedown of Emotet, a malware operation that had been running since 2014. Servers were seized, and law enforcement pushed an update to infected hosts that uninstalled the malware on a fixed date in April 2021. The security community briefly celebrated. That celebration lasted about ten months: in mid-November 2021, Emotet traffic reappeared on sensors worldwide, and by early 2022 the botnet was running at near-historic volume.

How Emotet Survived

The core Emotet operators, tracked as TA542 or Mummy Spider, were never arrested. Ukrainian police detained two individuals involved in running the infrastructure, but the development team remained at large. The group rebuilt from infrastructure the takedown had not touched and reseeded infections through its long-standing relationship with the TrickBot operators, who had kept their own loader running throughout the takedown period: in November 2021, TrickBot-infected hosts were used to drop the new Emotet loader.

  • Epoch 4: the rebuilt botnet, active from November 2021, with 256-bit elliptic-curve keys (ECDH for key agreement, ECDSA for signing) replacing the old RSA key used to protect C2 traffic
  • Epoch 5: a second botnet brought up within weeks of Epoch 4 (observed by early 2022), run on separate infrastructure and separate keys so that seizing one set of servers does not take down both
  • Epoch 4 and 5 share a common codebase but use different C2 lists, so disrupting both in parallel is harder
  • New loader: 64-bit PE (from April 2022) instead of 32-bit, sidestepping older YARA signatures written against the 32-bit builds

The Macro Ban and the OneNote Pivot

Microsoft's 2022 change (announced in February, enforced by default from July) to block VBA macros in Office files carrying the Mark of the Web removed Emotet's traditional delivery mechanism. The group's response was to experiment with LNK shortcuts and XLL add-ins during 2022, and then, from March 2023, to adopt Microsoft OneNote (.one) attachments as the primary delivery vehicle.

OneNote files can embed arbitrary files, including executables and scripts, behind clickable objects. The social engineering is simple: the embedded object sits under a blurred document image and a large button overlay that says 'Double-click to view'. Double-clicking runs the embedded file, which in Emotet's case was a .wsf (Windows Script File) or .cmd script that fetched the Emotet DLL from a compromised WordPress site and executed it with regsvr32.exe.

That combination, arbitrary embedded files rendered as clickable UI elements, made OneNote a near-perfect phishing container for months after the macro block. Microsoft changed OneNote in April 2023 to block opening embedded files with dangerous extensions, but the window of exploitation was substantial, and unpatched OneNote builds still open them.
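The container mechanism above is easy to verify without opening the file in OneNote. The following is an added example, not code from the article or from any vendor tool: a minimal carver that checks the .one file-type GUID and walks the FileDataStoreObject structures (header GUID, 8-byte length, 4 unused bytes, 8 reserved bytes, data, footer GUID) that MS-ONESTORE uses for embedded files. The sample .one blob, the object names and the script body are constructed for the example and are not a real lure.

```python
"""Added example: carve embedded files out of a OneNote .one container.
Layout follows the MS-ONESTORE FileDataStoreObject structure; the sample
blob built by build_sample_one() is constructed, not a real Emotet file."""
import struct
import uuid

# Identifiers from MS-ONESTORE; GUIDs are stored little-endian on disk.
ONE_FILE_TYPE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved


def is_onenote(blob: bytes) -> bool:
    """Content check: a .one file starts with guidFileType, whatever its extension says."""
    return blob.startswith(ONE_FILE_TYPE)


def carve_embedded_files(blob: bytes) -> list:
    """Return (offset, data) for every FileDataStoreObject whose footer GUID checks out."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos >= 0 and pos + FDSO_HEADER_LEN <= len(blob):
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_HEADER_LEN
        end = start + length
        if blob[end:end + 16] == FDSO_FOOTER:  # rejects false GUID hits and truncated objects
            found.append((pos, blob[start:end]))
        pos = blob.find(FDSO_HEADER, pos + 16)
    return found


def classify(data: bytes) -> str:
    """Cheap content sniffing; the name OneNote displays for the object is not trusted."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith((b"\x89PNG", b"\xff\xd8\xff")):
        return "image"
    head = data[:512].lower()
    if b"<job" in head or b"<script" in head or b"wscript" in head or b"powershell" in head:
        return "script"
    return "other"


def triage_attachment(blob: bytes) -> list:
    """Gateway-style verdict: (offset, kind, size) per embedded object; [] if not a .one file."""
    if not is_onenote(blob):
        return []
    return [(off, classify(data), len(data)) for off, data in carve_embedded_files(blob)]


def build_sample_one() -> bytes:
    """Constructed stand-in for a lure: a 'blurred document' image plus an embedded click.wsf."""
    def fdso(payload: bytes) -> bytes:
        return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 4 + b"\0" * 8
                + payload + FDSO_FOOTER)
    lure_png = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    # Hypothetical script body; only its shape matters for the sniffing above.
    click_wsf = (b'<job id="click"><script language="VBScript">'
                 b'WScript.Echo "placeholder"</script></job>')
    return ONE_FILE_TYPE + b"\0" * 48 + fdso(lure_png) + b"\0" * 16 + fdso(click_wsf)


if __name__ == "__main__":
    for off, kind, size in triage_attachment(build_sample_one()):
        print(f"offset {off:#x}: {kind} ({size} bytes)")
```

Two points for gateway use: the check keys on the file-type GUID rather than the extension, so a renamed .one still matches, and an embedded object that sniffs as "script" or "pe" is reason enough to quarantine regardless of what the lure calls it.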

Infection Chain: OneNote Variant

  1. Thread-hijacked phishing email arrives with .one attachment or a link to a .one file on OneDrive
  2. Victim opens the OneNote file; no macro warning appears, because OneNote has no VBA and the macro block does not apply. The only prompt is OneNote's generic 'opening attachments could harm your computer' dialog, which users routinely click through
  3. Victim double-clicks the overlaid button, which runs the embedded script (.wsf, .cmd, or HTA depending on the campaign)
  4. Script fetches the Emotet DLL over HTTP from a list of compromised WordPress sites acting as payload hosts (distribution servers, not the bot's C2)
  5. Emotet DLL is written to a user-writable directory and executed via regsvr32.exe
  6. Emotet harvests Outlook contacts and email threads to seed further thread-hijacking campaigns
  7. Secondary payload (Cobalt Strike, IcedID, or Bumblebee) deployed depending on affiliate agreement

C2 Infrastructure Patterns

Emotet's C2 list is baked into an encrypted configuration block inside the DLL. Each bot works through a hardcoded list of IP:port pairs, cycling until it gets a valid response, and the list can be refreshed after check-in, so blocking individual IPs is a losing strategy. Historically, Emotet C2 nodes have listened on TCP 443, 8080, 7080 and 80, and a significant fraction of them are compromised legitimate servers rather than attacker-owned infrastructure.

  • 130,000+: C2 IPs observed across the Epoch 4/5 lifetime
  • ~45%: C2 nodes hosted on compromised legitimate sites
  • 10 months: time from takedown to full rebuild
  • 3x: volume increase after the OneNote pivot vs. the macro era
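Because the C2 list rotates, the durable network signal is the check-in rhythm rather than any address: small HTTP POSTs to one IP:port at a jittered but regular interval. The block below is an added example, not code from the article or from any product, showing how to score that periodicity over flow records. The records are constructed (timestamp in seconds, source, destination, port, method, request size), the addresses are documentation ranges, and the thresholds (six POSTs, jitter within half the median gap, requests under 2 KB) are assumptions to tune against your own traffic.

```python
"""Added example: flag periodic small POSTs to one destination (beacon detection).
Flow records and thresholds are constructed assumptions for the example."""
from collections import defaultdict
from statistics import median


def find_beacons(records, min_count=6, tolerance=0.5, max_bytes=2048):
    """Group POSTs by (src, dst, dport); flag series whose inter-arrival gaps cluster
    around their median (jitter within +/- tolerance * median) and whose requests are
    small. Returns {key: {"count", "median_interval", "regularity"}} for flagged series."""
    series = defaultdict(list)
    for ts, src, dst, dport, method, nbytes in records:
        if method == "POST":
            series[(src, dst, dport)].append((ts, nbytes))
    flagged = {}
    for key, items in series.items():
        if len(items) < min_count:
            continue
        items.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(items, items[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        # Fraction of gaps that fall inside the jitter band around the median.
        regular = sum(abs(g - med) <= tolerance * med for g in gaps) / len(gaps)
        small = median(n for _, n in items) <= max_bytes
        if regular >= 0.8 and small:
            flagged[key] = {"count": len(items), "median_interval": med,
                            "regularity": round(regular, 2)}
    return flagged


def sample_records():
    """Constructed: one host beaconing every 5-10 min to 203.0.113.10:8080 and the same
    host doing bursty, larger POSTs to a web app on 198.51.100.5:443."""
    beacon_gaps = [300, 420, 540, 360, 480, 600, 330, 450]
    browse_gaps = [2, 1, 90, 1, 3, 600, 1, 1]
    recs, t = [], 0
    recs.append((t, "10.0.0.7", "203.0.113.10", 8080, "POST", 900))
    for g in beacon_gaps:
        t += g
        recs.append((t, "10.0.0.7", "203.0.113.10", 8080, "POST", 800 + (t % 200)))
    t = 17
    recs.append((t, "10.0.0.7", "198.51.100.5", 443, "POST", 4100))
    for g in browse_gaps:
        t += g
        recs.append((t, "10.0.0.7", "198.51.100.5", 443, "POST", 3000 + (t % 5000)))
    return recs


if __name__ == "__main__":
    for key, stats in find_beacons(sample_records()).items():
        print(key, stats)
```

The regularity score is deliberately tolerant of jitter: a fixed-interval check would miss a bot that sleeps 5 to 10 minutes, while the median-band test still separates it from human browsing, whose gaps are dominated by sub-second bursts and long idle periods.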

Detection Opportunities

  • Block .one file attachments at the mail gateway, or allow them only from an explicit allowlist of internal senders
  • Alert on onenote.exe spawning wscript.exe, cscript.exe, cmd.exe, mshta.exe or powershell.exe as a child process
  • Hunt for regsvr32.exe loading a DLL from %TEMP% or %APPDATA%
  • Monitor for non-Outlook processes reading Outlook profile data or using MAPI (Emotet's email and contact harvesting modules)
  • Network: Emotet check-ins are small, regularly spaced HTTP POSTs to the same IP:port with a jittered interval of roughly 5-10 minutes; look for that periodicity rather than for specific addresses
  • YARA: Emotet's configuration and strings are decoded with a fixed XOR routine that community YARA rules key on; abuse.ch's Feodo Tracker publishes the current Epoch 4/5 C2 IPs as a blocklist
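The endpoint items in the list above are easiest to reason about as process-tree rules. What follows is an added example, not code from the article or from any EDR vendor: three rules (onenote.exe spawning a script host, regsvr32.exe loading a DLL from a user-writable path, and a script host spawning regsvr32.exe) evaluated over constructed Sysmon-style process-creation events. The field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine); the user name, paths and file names in the sample events are made up for the example.

```python
"""Added example: process-tree detection rules for the OneNote infection chain,
run over constructed Sysmon-style (Event ID 1) process-creation events."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# User-writable locations where a dropped DLL should never be registered from;
# %TEMP% lives under AppData\Local, %APPDATA% is AppData\Roaming.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\[^\\]+\\(?:Downloads|Public))\\", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_onenote_child(ev: dict):
    if _base(ev["ParentImage"]) == "onenote.exe" and _base(ev["Image"]) in SCRIPT_HOSTS:
        return "onenote.exe spawned script host"


def rule_regsvr32_userpath(ev: dict):
    if _base(ev["Image"]) == "regsvr32.exe" and USER_WRITABLE.search(ev["CommandLine"]):
        return "regsvr32.exe loading DLL from user-writable path"


def rule_script_to_regsvr32(ev: dict):
    if _base(ev["ParentImage"]) in SCRIPT_HOSTS and _base(ev["Image"]) == "regsvr32.exe":
        return "script host spawned regsvr32.exe"


RULES = (rule_onenote_child, rule_regsvr32_userpath, rule_script_to_regsvr32)


def evaluate(events) -> list:
    """Return [(event_id, rule_description)] for every rule that fires on an event."""
    hits = []
    for ev in events:
        for rule in RULES:
            desc = rule(ev)
            if desc:
                hits.append((ev["Id"], desc))
    return hits


ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
REGSVR32 = r"C:\Windows\System32\regsvr32.exe"

# Constructed events: 1 and 5 are benign OneNote activity, 4 is a normal
# system DLL registration, 2 and 3 are the lure being double-clicked.
SAMPLE_EVENTS = [
    {"Id": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": ONENOTE,
     "CommandLine": r'"ONENOTE.EXE" C:\Users\alice\Downloads\invoice.one'},
    {"Id": 2, "ParentImage": ONENOTE, "Image": WSCRIPT,
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{A1B2}\NT\0\click.wsf"'},
    {"Id": 3, "ParentImage": WSCRIPT, "Image": REGSVR32,
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\rad8F3A1.dll"},
    {"Id": 4, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": REGSVR32,
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\wuaueng.dll"},
    {"Id": 5, "ParentImage": ONENOTE, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe https://example.org/shared-note"},
]


if __name__ == "__main__":
    for event_id, desc in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {desc}")
```

Event 3 fires twice on purpose: the parent-child rule and the path rule are independent, so either survives if the operators change the other half of the chain (a different dropper directory, or a different launcher than wscript.exe).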

Remediation

  1. Block .one and .onepkg attachments at the email gateway and web proxy for all external sources (.onepkg is a OneNote package that unpacks into .one sections)
  2. Update OneNote to a build that blocks opening embedded files with dangerous extensions (Microsoft 365 Apps version 2304 and later, April 2023) and keep that policy enforced
  3. Deploy the Attack Surface Reduction rule 'Block all Office applications from creating child processes' (GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a); it covers OneNote as well as Word, Excel and PowerPoint
  4. Rotate all credentials on any host with confirmed Emotet DLL execution
  5. Review and prune email forwarding rules, which Emotet sometimes creates for persistence
