  • Beware: Hackers now use OneNote attachments to spread malware

    alf9872000

    • 523 views
    • 5 minutes

    Threat actors are now using OneNote attachments in phishing emails to infect victims with remote access malware, which can then be used to install further malware, steal saved passwords, or even steal cryptocurrency wallets.

     

    This comes after years in which attackers distributed malware by email using malicious Word and Excel attachments whose macros downloaded and installed the payload.

     

    In July, however, Microsoft finally began blocking VBA macros by default in Office documents downloaded from the Internet, making this method unreliable for distributing malware.

     

    Soon after, threat actors began using other file formats, such as ISO images and password-protected ZIP files. These formats quickly became extremely common, aided by a Windows bug that let files inside a mounted ISO bypass Mark of the Web security warnings, and by the popular 7-Zip archive utility not propagating the Mark of the Web flag to files extracted from ZIP archives.

     

    Both 7-Zip and Windows have since fixed these bugs, so Windows now displays its security warnings when a user attempts to open files taken from downloaded ISO or ZIP archives.

     


    Mark of the Web propagated to files inside an ISO
    Source: BleepingComputer

     

    Not to be deterred, threat actors quickly switched to using a new file format in their malicious spam (malspam) attachments: Microsoft OneNote attachments.

    Abusing OneNote attachments

    Microsoft OneNote is a free desktop digital notebook application that is also bundled with Microsoft Office 2019 and Microsoft 365.

     

    Because OneNote is installed by default with Microsoft Office and Microsoft 365, the .one file format opens in it even on machines where the user has never used the application.

     

    Since mid-December, cybersecurity researchers have warned that threat actors have started distributing malicious spam emails containing OneNote attachments.

     

    From samples found by BleepingComputer, these malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents.

     


    Fake DHL email with a OneNote attachment
    Source: BleepingComputer

     

    Unlike Word and Excel, OneNote does not support macros, which is the mechanism threat actors previously used to launch scripts that install malware.

     

    Instead, OneNote allows users to insert file attachments into a notebook; when an inserted file is double-clicked, OneNote launches it with its associated application.

     

    Threat actors abuse this feature by embedding malicious VBS files so that, when a victim double-clicks the attachment, the script runs, downloads malware from a remote site, and installs it.

     

    However, an embedded attachment is shown in OneNote as a file icon, so the threat actors overlay a large 'Double click to view file' bar over the inserted VBS attachments to hide them.

     


    Malicious OneNote email attachment
    Source: BleepingComputer

     

    When you move the 'Click to View Document' bar out of the way, you can see that the notebook contains not one but a whole row of copies of the malicious attachment placed side by side beneath the bar. This row ensures that a double-click anywhere on the bar lands on one of the embedded files and launches it.
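    Because the malicious content is stored as embedded files rather than macros, a notebook can be triaged without opening it in OneNote at all. The script below is an added example, not code from the article or from Microsoft: it walks a .one file looking for the FileDataStoreObject structure OneNote uses to store every inserted file (a 16-byte header GUID, an 8-byte little-endian length, 4 unused and 8 reserved bytes, the file bytes, padding, and a footer GUID, as documented in MS-ONESTORE), reports each embedded file's size, type and SHA-256, and flags the notebook if any of them is a script or executable. The sample notebook and the VBS stub inside it are constructed here and are harmless.

```python
"""Find and triage files embedded in a OneNote (.one) notebook.

Added example, not code from the article or from Microsoft. It relies on the
documented MS-ONESTORE layout of a FileDataStoreObject (the structure OneNote
uses to store an inserted file): a 16-byte header GUID, an 8-byte little-endian
length, 4 unused bytes, 8 reserved bytes, the file bytes, padding, and a
16-byte footer GUID. The sample notebook and VBS below are constructed and
harmless.
"""
import hashlib
import struct

# Header/footer GUIDs of a FileDataStoreObject, in on-disk byte order:
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and {71FBA722-0F79-4A0B-BB13-899256426B24}.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_PREFIX_LEN = 16 + 8 + 4 + 8   # guidHeader + cbLength + unused + reserved
# guidFileType that opens every .one file: {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.
ONE_FILE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")

# Strings that mark a script dropper; checked case-insensitively in the first 4 KiB.
SCRIPT_MARKERS = (b"createobject(", b"wscript.shell", b"shell.application",
                  b"powershell", b"cmd /c", b"cmd.exe /c", b"@echo off")


def find_embedded_files(blob: bytes):
    """Yield (offset, data) for every FileDataStoreObject in blob."""
    pos = 0
    while True:
        start = blob.find(FDSO_HEADER, pos)
        if start < 0 or start + FDSO_PREFIX_LEN > len(blob):
            return
        (length,) = struct.unpack_from("<Q", blob, start + 16)
        data_start = start + FDSO_PREFIX_LEN
        data_end = data_start + length
        if data_end > len(blob):      # truncated or corrupt length: stop, never over-read
            return
        yield start, blob[data_start:data_end]
        pos = data_end


def classify(data: bytes) -> str:
    """Coarse type by magic bytes first, then by script-like content."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"\x89PNG") or data.startswith(b"\xff\xd8\xff"):
        return "image"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(ONE_FILE_MAGIC):
        return "onenote"
    head = data[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def scan(blob: bytes) -> list:
    """Return one record per embedded file: offset, size, type, SHA-256."""
    return [{"offset": off, "size": len(data), "kind": classify(data),
             "sha256": hashlib.sha256(data).hexdigest()}
            for off, data in find_embedded_files(blob)]


def is_suspicious(report: list) -> bool:
    """True if the notebook embeds anything that executes when double-clicked."""
    return any(r["kind"] in ("script", "pe-executable") for r in report)


# --- constructed sample input (not a real malware sample) ---------------------
SAMPLE_VBS = (b'Set sh = CreateObject("WScript.Shell")\r\n'
              b'sh.Run "cmd /c start decoy.one", 0, False\r\n')   # harmless stand-in
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40                      # image stub


def wrap_fdso(data: bytes) -> bytes:
    """Wrap data the way OneNote stores an inserted file."""
    pad = (-len(data)) % 8
    return (FDSO_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12
            + data + b"\x00" * pad + FDSO_FOOTER)


def build_sample_notebook() -> bytes:
    """A minimal .one-like blob: the overlay image, then the dropper script."""
    return (ONE_FILE_MAGIC + b"\x00" * 64 + wrap_fdso(SAMPLE_PNG)
            + b"\x00" * 16 + wrap_fdso(SAMPLE_VBS))


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_notebook()
    report = scan(blob)
    for rec in report:
        print(f"offset={rec['offset']:#x} size={rec['size']} kind={rec['kind']} sha256={rec['sha256']}")
    print("SUSPICIOUS" if is_suspicious(report) else "no executable content found")
```

Run it with a path to a .one file to triage a real attachment; without arguments it scans the constructed sample. Scanning for the header GUID rather than parsing the whole file structure is deliberate: it is robust to notebooks that are damaged or deliberately malformed, and the length check stops the scanner from over-reading when a crafted length field points past the end of the file.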

     


    Hidden OneNote attachments
    Source: BleepingComputer

     

    Thankfully, when you launch an attachment from OneNote, the program warns you that doing so could harm your computer and data.

     

    Unfortunately, history has shown that these prompts are commonly ignored and users simply click OK.

     


    OneNote attachment security warning
    Source: BleepingComputer

     

    Clicking OK launches the VBS script, which downloads and installs the malware. In one of the malicious OneNote VBS files found by BleepingComputer, the script downloads and executes two files from a remote server.

     

    The first, shown below, is a decoy OneNote document that opens and looks like the document the victim expected. In the background, however, the VBS file also executes a malicious batch file that installs malware on the device.
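    The chain just described, OneNote handing the embedded VBS to the Windows script host, which in turn runs a batch file, is what endpoint telemetry should key on. The following is an added example, not code from the article: a minimal rule over constructed process-creation events with Sysmon Event ID 1 style fields (pid, ppid, image, command line) that flags script and shell interpreters whose parent chain leads back to OneNote, and scores higher when the command line names a script file or the OneNote "Exported" temp folder. That folder, the location commonly reported for attachments launched from a notebook, is an assumption of the example, not something the article states.

```python
"""Detect the OneNote -> script interpreter -> shell chain in process-creation telemetry.

Added example, not from the article. The events are constructed here with the
fields of a Sysmon Event ID 1 record (pid, ppid, image, command line). The
OneNote "Exported" temp path used as a scoring marker is the location commonly
reported for launched attachments and is an assumption, not something the
article states.
"""
import re

ONENOTE = "onenote.exe"
# Interpreters that a double-clicked OneNote attachment would be handed to.
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|bat|cmd|ps1)\b", re.IGNORECASE)
EXPORTED_DIR = re.compile(r"\\onenote\\[\d.]+\\exported\\", re.IGNORECASE)   # assumed path


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score(event: dict) -> int:
    """Higher means more like the attachment launch described above."""
    s = 0
    if SCRIPT_EXT.search(event["cmdline"]):
        s += 2            # a script file name on the command line
    if EXPORTED_DIR.search(event["cmdline"]):
        s += 1            # launched from OneNote's attachment export folder
    return s


def find_chains(events: list, max_depth: int = 4) -> list:
    """Return an alert for every interpreter whose ancestry (up to max_depth)
    includes OneNote. Children that are not interpreters are ignored."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in INTERPRETERS:
            continue
        chain, cur = [e], e
        for _ in range(max_depth):
            parent = by_pid.get(cur["ppid"])
            if parent is None:
                break
            chain.append(parent)
            if basename(parent["image"]) == ONENOTE:
                alerts.append({"pid": e["pid"],
                               "chain": [basename(p["image"]) for p in reversed(chain)],
                               "score": score(e),
                               "cmdline": e["cmdline"]})
                break
            cur = parent
    return alerts


# Constructed events: the described infection chain plus two benign processes.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 888, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'"ONENOTE.EXE" "C:\Users\bob\Downloads\Invoice.one"'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\AppData\Local\Temp\OneNote\16.0\Exported\{1F3A}\NT\0\Invoice.vbs"'},
    {"pid": 4402, "ppid": 4388, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\bob\AppData\Local\Temp\update.bat"'},
    # benign: a genuine PDF attachment opened from the same notebook
    {"pid": 5100, "ppid": 4120, "image": r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe",
     "cmdline": r'"AcroRd32.exe" "C:\Users\bob\AppData\Local\Temp\OneNote\16.0\Exported\{2B7C}\NT\0\Drawing.pdf"'},
    # benign: a shell started by a process that is not in the OneNote tree
    {"pid": 5200, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
]

if __name__ == "__main__":
    for a in find_chains(SAMPLE_EVENTS):
        print(f"pid={a['pid']} score={a['score']} chain={' -> '.join(a['chain'])}")
```

Walking the ancestry rather than only checking the direct parent matters here: the batch file runs as a grandchild of OneNote (cmd.exe under wscript.exe), and a rule that only pairs OneNote with its immediate child would miss it. The same walk also keeps a PDF viewer launched from the notebook out of the alerts, since it is not an interpreter.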

     


    Malicious VB script attached to a OneNote attachment
    Source: BleepingComputer

     

    In malspam emails seen by BleepingComputer, the OneNote files install remote access trojans that include information-stealing functionality.

     

    Cybersecurity researcher James confirmed this, telling BleepingComputer that the OneNote attachments he analyzed installed the AsyncRAT and XWorm remote access trojans.

     

    Another OneNote attachment seen by BleepingComputer installs what is detected as the Quasar remote access trojan.

    Protecting against these threats

    Once installed, this type of malware lets threat actors remotely access the victim's device to steal files and saved browser passwords, take screenshots, and in some cases even record video with the webcam.

     

    Threat actors also commonly use remote access trojans to steal cryptocurrency wallets from victims' devices, making this a costly infection.

     

    The best way to protect yourself from malicious attachments is simply not to open files from people you do not know. If you do open a file by mistake, do not disregard warnings displayed by the operating system or the application.

     

    If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.

     

    If you believe the email may be legitimate, share it with a security or Windows admin who can help verify whether the file is safe.

     

    Source

