OneNote Attachments: The Next Frontier in Malware Distribution
Cybercriminals are using OneNote attachments in phishing emails to infect victims with remote access malware.
Threat actors have distributed malware through malicious Word and Excel attachments for years, but in July 2022 Microsoft began blocking VBA macros by default in Office documents downloaded from the internet, making that delivery method far less reliable.
As a result, threat actors moved to other container formats, such as ISO images and password-protected ZIP archives, that did not carry Windows' Mark of the Web through to the files inside them. Recent fixes in Windows and 7-Zip have made these formats less viable.
Windows has fixed the bug that let files inside ISO images bypass Mark of the Web security warnings, and 7-Zip has been updated to propagate Mark of the Web flags to files it extracts from ZIP archives.
Mark of the Web propagated to files inside an ISO
Source: BleepingComputer
This has led threat actors to switch to using OneNote attachments.
Since mid-December, cybersecurity researchers have warned that threat actors have started distributing malicious spam emails containing OneNote attachments.
The malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents.
Fake DHL email with a OneNote attachment
Source: BleepingComputer
Unlike Word and Excel, OneNote has no macro engine, so threat actors instead abuse the feature that lets a user embed a file as an attachment in a notebook page: double-clicking the embedded file launches it with its associated Windows handler. In these campaigns the embedded files are VBS scripts which, once launched, download malware from a remote site and install it.
OneNote displays an embedded file as a small file icon, so the threat actors cover the inserted VBS attachments with a large 'Double click to view file' graphic to hide them.
Malicious OneNote email attachment
Source: BleepingComputer
Moving the 'Click to View Document' graphic aside reveals that the OneNote file does not hold a single attachment but a row of identical copies of the malicious script laid out beneath the graphic. The row guarantees that a double-click anywhere on the graphic lands on one of the copies and launches it.
Hidden OneNote attachments
Source: BleepingComputer
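The embedding mechanism described above (a file stored inside the .one container, launched on double-click) and the row of duplicate attachments hidden under the graphic can both be seen by carving the file rather than opening it. The following is an added example for this article, not code from BleepingComputer or from the researchers quoted; it relies on the MS-ONESTORE FileDataStoreObject layout (16-byte header GUID, 8-byte little-endian length, 12 bytes of unused/reserved fields, the file data padded to 8 bytes, 16-byte footer GUID). The content-classification heuristics and the sample .one blob are assumptions constructed for the demonstration, and the embedded script body is a harmless stand-in, not a real dropper.

```python
"""Carve embedded attachments out of a OneNote .one file and flag scripts.

Added example, not code from the article. Header and GUID layout follow
MS-ONESTORE; the classification heuristics and the sample file below are
assumptions constructed for the demonstration.
"""
import re
import struct
import uuid

# GUIDs from MS-ONESTORE, stored little-endian on disk.
ONE_FILE_TYPE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Assumed heuristics (not from the article) for what a carved blob contains.
SCRIPT_MARKERS = re.compile(
    rb"\b(CreateObject|WScript|ActiveXObject|Shell\.Application|powershell)\b", re.I)


def classify(data: bytes) -> str:
    """Rough content class of a carved payload, judged from its first 2 KiB."""
    head = data[:2048]
    if head.startswith(b"MZ"):
        return "pe"
    if re.search(rb"<script\b", head, re.I) and re.search(rb"hta:application|<html", head, re.I):
        return "hta"
    if SCRIPT_MARKERS.search(head):
        return "script"
    return "other"


def is_onenote(blob: bytes) -> bool:
    """True if the blob starts with the .one guidFileType header."""
    return blob[:16] == ONE_FILE_TYPE


def carve_attachments(blob: bytes):
    """Yield (offset, payload) for every FileDataStoreObject in the file."""
    pos = 0
    while True:
        pos = blob.find(FDSO_HEADER, pos)
        if pos < 0 or pos + FDSO_HEADER_LEN > len(blob):
            return
        (size,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_HEADER_LEN
        payload = blob[start:start + size]
        if len(payload) != size:  # truncated record or bogus cbLength: skip it
            pos += 16
            continue
        yield pos, payload
        pos = start + size


def scan(blob: bytes) -> list:
    """Summarise every embedded attachment as offset, size and content class."""
    if not is_onenote(blob):
        raise ValueError("not a OneNote .one file (guidFileType mismatch)")
    return [{"offset": off, "size": len(p), "kind": classify(p)}
            for off, p in carve_attachments(blob)]


def build_fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (used only to build the sample)."""
    pad = (-len(payload)) % 8
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + b"\x00" * pad + FDSO_FOOTER)


# Constructed sample: a lure image plus three copies of one VBS attachment,
# mirroring the row of identical attachments hidden under the lure graphic.
LURE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
DROPPER_VBS = (b'Set sh = CreateObject("WScript.Shell")\r\n'
               b'sh.Run "cmd /c echo stand-in for downloader", 0, False\r\n')
SAMPLE_ONE = (ONE_FILE_TYPE + b"\x00" * 200
              + build_fdso(LURE_PNG) + b"\x00" * 64
              + build_fdso(DROPPER_VBS) * 3 + b"\x00" * 32)

if __name__ == "__main__":
    for entry in scan(SAMPLE_ONE):
        print(f"offset={entry['offset']:6d} size={entry['size']:5d} kind={entry['kind']}")
```

Running the block against the constructed sample lists one image followed by three script payloads of identical size at regular offsets, which is exactly the stacked-duplicates pattern described above. Against a real attachment, the same scan gives a triage view of what double-clicking would launch without having to open the notebook in OneNote.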
OneNote does warn before launching an embedded attachment that doing so could harm your computer and data. Unfortunately, history shows that prompts of this kind are routinely dismissed, with users simply clicking OK.
In the malspam seen by researchers, the OneNote files install remote access trojans that also carry information-stealing functionality. Cybersecurity researcher James confirmed this, reporting that the OneNote attachments he analyzed installed the AsyncRAT and XWorm remote access trojans.
Protection
To protect against these threats, do not open attachments from unknown or unexpected senders. If a file is opened by mistake, heed the warning displayed by the operating system or by OneNote and cancel rather than clicking OK or dismissing it.
If there is any doubt about the legitimacy of an email, forward it to the security team or a Windows administrator so the attachment can be checked before anyone opens it.
Source: bleepingcomputer.com