
In a continuing sign that attackers are well adapted to the post-macro world, we’ve seen an increase in the use of Microsoft OneNote documents to deliver malware via phishing attacks.
Notable malware families distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.
Enterprise security company Proofpoint says it has detected more than 50 campaigns leveraging OneNote attachments in January 2023 alone.
In some cases, email phishing lures include OneNote files with embedded HTA files that call PowerShell scripts to retrieve malicious binaries from remote servers.
Other scenarios involve the execution of malicious VBScript hidden behind an image embedded within a OneNote document and displayed as a seemingly harmless button. The VBScript, in turn, is designed to drop a PowerShell script and execute DOUBLEBACK.
“It’s important to note that the attack will only succeed if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote,” Proofpoint said.
The infection chain is made possible by OneNote’s ability to run selected file types directly from within the note-taking application, in what amounts to a “payload smuggling” attack.
“Most file types that MSHTA, WSCRIPT, and CSCRIPT can handle can be done from within OneNote,” said TrustedSec researcher Scott Nusbaum. “These file types include CHM, HTA, JS, WSF, and VBS.”

As a remedial action, Finnish cybersecurity company WithSecure recommends that users block OneNote email attachments (.one and .onepkg files) and closely monitor the behavior of the OneNote.exe process.
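The two WithSecure recommendations above translate directly into detection logic: refuse mail attachments with OneNote extensions, and alert when the OneNote.exe process spawns one of the script hosts Nusbaum lists. The following is an added example written for this page, not code from WithSecure, Proofpoint, TrustedSec or the article. It runs over a few constructed process-creation events loosely modelled on Sysmon Event ID 1; the JSON field names, paths and PIDs are assumptions made for the example, not a real telemetry schema.

```python
# Added example (not from the article or any vendor it cites): apply the
# article's OneNote guidance to process-creation telemetry and attachment names.
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Script/HTA hosts that OneNote can hand an embedded file to (mshta, wscript,
# cscript are named in the article); cmd.exe and pwsh.exe are added here as
# common wrappers around the same behaviour.
SCRIPT_HOSTS = {
    "mshta.exe", "wscript.exe", "cscript.exe",
    "powershell.exe", "pwsh.exe", "cmd.exe",
}

# Attachment extensions WithSecure recommends blocking at the mail gateway.
ONENOTE_EXTENSIONS = {".one", ".onepkg"}

# Constructed sample telemetry, one JSON object per line. Field names are an
# assumption for this example (roughly Sysmon Event ID 1); paths and PIDs are
# made up. Events 2 and 3 are the ones a defender wants to see flagged; event 4
# is a benign link click from OneNote and event 5 is PowerShell started by the
# user from Explorer, neither of which should alert.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"ONENOTE.EXE\" C:\\Users\\alice\\Downloads\\Invoice.one"}
{"pid": 4188, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "command_line": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice.hta"}
{"pid": 4201, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "command_line": "wscript.exe //B C:\\Users\\alice\\AppData\\Local\\Temp\\Open.vbs"}
{"pid": 4230, "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "command_line": "msedge.exe https://example.com/"}
{"pid": 4302, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -NoProfile"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (image names are compared case-insensitively)."""
    return PureWindowsPath(path).name.lower()


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_onenote_children(events: list[dict]) -> list[dict]:
    """Return the events in which OneNote.exe is the parent of a script or HTA host.

    Each hit carries the child PID, the child image name and the full command
    line so an analyst can see which embedded file was launched.
    """
    hits = []
    for ev in events:
        if _basename(ev["parent_image"]) != "onenote.exe":
            continue
        child = _basename(ev["image"])
        if child in SCRIPT_HOSTS:
            hits.append({
                "pid": ev["pid"],
                "child": child,
                "command_line": ev["command_line"],
            })
    return hits


def is_blocked_attachment(filename: str) -> bool:
    """True if the attachment's final extension is a OneNote type (.one / .onepkg).

    Only the last suffix is checked, so a double-extension name such as
    'report.pdf.one' is still caught.
    """
    return PureWindowsPath(filename).suffix.lower() in ONENOTE_EXTENSIONS


if __name__ == "__main__":
    for hit in suspicious_onenote_children(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={hit['pid']} OneNote.exe -> {hit['child']}: {hit['command_line']}")
    for name in ("Quarterly_Report.one", "notes.ONEPKG", "report.pdf.one", "report.docx"):
        print(f"{name}: {'block' if is_blocked_attachment(name) else 'allow'}")
```

Running the module prints two alerts (the mshta.exe and wscript.exe children of OneNote.exe) and leaves the browser launch and the Explorer-spawned PowerShell alone; the same parent/child test maps directly onto an EDR or SIEM rule keyed on `ParentImage` and `Image`. The attachment check is deliberately crude because the gateway rule it mirrors is crude: it matches on extension, and a mail filter should treat it as one layer alongside content-type inspection rather than a complete control.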
The move to OneNote is seen as a response to Microsoft’s decision last year to disallow macros by default in Microsoft Office applications downloaded from the internet, which has pushed threat actors to experiment with uncommon file types including ISO, VHD, SVG, CHM, RAR, HTML, and LNK.
Blocking macros serves two purposes: it not only reduces the attack surface but also increases the effort required to carry out an attack. This holds even though email remains the number one delivery vector for malware.
But these are not the only methods that have become popular for hiding malicious code. Microsoft Excel add-in (XLL) files and Publisher macros have also been used as attack vectors to bypass Microsoft’s protections and spread a remote access trojan known as Ekipa RAT, as well as other backdoors.
Exploitation of XLL files has not gone unnoticed by Microsoft. The Windows maker plans an update to “block XLL add-ins from the internet”, citing “an increase in the number of malware attacks in recent months.” This option is planned to be available in March 2023.
When asked for comment, Microsoft told The Hacker News it had nothing more to share at this time.
Bitdefender’s Adrian Miron said: “These campaigns are likely to surge in the coming months, with cybercrooks testing better or improved angles to compromise victims.”