Threat actors are now using OneNote attachments in phishing emails to infect victims with remote access malware, which can then be used to steal passwords or install additional malware.
For years, threat actors have distributed malware by email using malicious Word and Excel attachments whose macros download and install the malware. In July, however, Microsoft began blocking macros by default in Office documents downloaded from the internet, making this method less reliable for spreading malware.
Threat actors soon switched to new file formats such as ISO images and password-protected ZIP files. These formats quickly became very common thanks to a Windows bug that allowed ISO images to bypass Mark-of-the-Web security warnings, and because the 7-Zip archive utility did not propagate Mark-of-the-Web flags to files extracted from ZIP archives.
However, these bugs have since been fixed as well, and Windows now displays scary security warnings whenever a user tries to open files from downloaded ISO or ZIP archives.
Threat actors were not deterred and quickly switched to a different file format for their malicious spam (malspam) attachments: Microsoft OneNote.
Moving to OneNote attachments
Microsoft OneNote can be downloaded free of charge and is included with Microsoft Office 2019 and Microsoft 365.
Because OneNote is installed by default with every Microsoft Office/365 installation, the program is available to open OneNote files even on machines where the user never uses it.
Since mid-December, threat actors have been distributing OneNote attachments in malicious spam.
BleepingComputer has found samples of malspam emails that pretend to be DHL shipping notifications, invoices and ACH remittance forms.
Unlike Excel and Word, OneNote does not support macros, which threat actors previously used to launch scripts that infected computers with malware.
Instead, OneNote allows users to insert attachments into a notebook; double-clicking an attachment launches it.
Threat actors are abusing this feature by embedding malicious VBS attachments that run when double-clicked. The script then downloads and installs malware from a remote site.
Because the attachments appear as plain file icons in OneNote, threat actors overlay a large ‘Double Click to View File’ bar on top of the VBS attachments to conceal them.
When the bar is moved aside, multiple copies of the attachment are visible. Because the attachments are laid out in a row beneath the bar, a user who double-clicks anywhere on the bar opens the attached file.
When a user launches a OneNote attachment, OneNote displays a warning that opening it could harm the computer and its data.
Unfortunately, history has shown that users routinely ignore prompts like these and click OK.
Once the user clicks OK, the VBS script runs and downloads and installs the malware. The OneNote VBS file analyzed by BleepingComputer shows that the script downloads and runs two files from a remote site.
The first is a decoy OneNote document that opens normally, so the victim sees what they expected. The VBS file also runs a malicious batch file in the background to install malware on the device.
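As an added defensive example (not code from BleepingComputer or from the researchers cited here), the following Python triage script lists the files embedded in a .one document and flags script or executable payloads like the hidden VBS attachments described above. It locates embedded files by scanning for the FileDataStoreObject header GUID and length field documented in Microsoft's MS-ONESTORE specification; the content-type heuristics and the sample bytes are constructed for this example and are not part of that specification.

```python
import struct
import sys
# On-disk bytes of the FileDataStoreObject header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
# from the MS-ONESTORE specification; every file embedded in a .one notebook sits behind one.
FILE_DATA_STORE_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
HEADER_LEN = 36  # 16-byte GUID + 8-byte cbLength + 4 unused + 8 reserved bytes, then the file data
RISKY = {"pe-executable", "vbscript", "batch-or-shell"}

def classify_payload(data: bytes) -> str:
    """Constructed content heuristics (an assumption, not part of the OneNote spec) on the first bytes."""
    head = data[:512]
    if head[:2] == b"MZ":
        return "pe-executable"
    if head[:4] == b"\x89PNG" or head[:3] == b"\xff\xd8\xff":
        return "image"
    low = head.lower()
    if b"createobject(" in low or b"wscript." in low:
        return "vbscript"
    if low.lstrip().startswith(b"@echo off") or b"powershell" in low:
        return "batch-or-shell"
    return "unknown"

def extract_embedded_files(blob: bytes) -> list:
    """Walk raw .one bytes for FileDataStoreObject headers; return offset, size and type of each file."""
    found, pos = [], blob.find(FILE_DATA_STORE_HEADER)
    while pos != -1 and pos + HEADER_LEN <= len(blob):
        size = struct.unpack_from("<Q", blob, pos + 16)[0]  # cbLength, little-endian uint64
        start = pos + HEADER_LEN
        data = blob[start:start + size]
        if len(data) != size:  # corrupt or truncated length field: record it and stop parsing
            found.append({"offset": pos, "size": size, "type": "truncated"})
            break
        found.append({"offset": pos, "size": size, "type": classify_payload(data)})
        pos = blob.find(FILE_DATA_STORE_HEADER, start + size)
    return found

def triage(blob: bytes) -> list:  # only the embedded files a mail gateway or analyst should treat as risky
    return [f for f in extract_embedded_files(blob) if f["type"] in RISKY]
def _embed(data: bytes) -> bytes:  # one FileDataStoreObject (footer GUID omitted) for the sample below
    return FILE_DATA_STORE_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data

# Constructed sample: a harmless PNG stub followed by a benign VBS snippet, mirroring a malicious .one.
SAMPLE_ONE = (b"\x00" * 64 + _embed(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40) + b"\xab" * 16
              + _embed(b'Set sh = CreateObject("WScript.Shell")\r\n\' constructed benign sample\r\n'))

if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ONE
    for f in triage(target):
        print(f"offset {f['offset']:#x}: {f['type']} payload, {f['size']} bytes")
```

Run it against a real .one attachment by passing the path as the first argument; a gateway rule could quarantine any message whose OneNote attachment yields a non-empty triage list.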
BleepingComputer has found that OneNote files are being used to install remote access trojans that include information-stealing capabilities.
Cybersecurity researcher James confirmed this, telling BleepingComputer that the OneNote attachments he analyzed contained the AsyncRAT remote access trojan and the XWorm malware.
Protip: It’s high time to block .one files from your email gateway/perimeter.
BleepingComputer has seen a OneNote attachment that installs the .
Once installed, this malware gives threat actors remote access to the victim’s device, allowing them to steal data and saved browser passwords, take screenshots and, in some cases, even record video through the webcam.
Threat actors also commonly use remote access trojans to steal cryptocurrency wallets, making this a very costly infection for victims.
How these threats can be prevented
The best protection against malicious attachments is simply not to open files from senders you do not know. If you do open a file by mistake, do not ignore the warnings displayed by your operating system or application.
Whenever you see a warning that opening an attachment, link or file could harm your computer or your data, do not press OK; close the program instead.
If you believe the email may be legitimate, share it with an administrator or security representative who can help verify whether the file is safe.