Published January 24, 2023
Author: Ash Khan

Threat actors are increasingly using OneNote attachments in phishing emails to infect users with remote access malware, which they then use to install further malware, steal passwords and empty cryptocurrency wallets.

For years, attackers distributed malware through malicious Microsoft Office attachments, typically Word and Excel documents whose macros downloaded and installed the malware once the victim enabled them.

However, Microsoft now blocks macros by default in Office documents downloaded from the internet, which made this approach unreliable for malware distribution.

Soon after, attackers switched to other file formats, including ISO images and password-protected ZIP archives. These quickly gained popularity because they sidestepped Windows' security warnings: a Windows bug let files inside mounted ISOs bypass Mark-of-the-Web checks, and 7-Zip did not propagate the Mark-of-the-Web flag to extracted files.

Both 7-Zip and Windows have since fixed these flaws, so Windows now displays alarming security warnings when users try to open files from downloaded ISOs and ZIPs.

Undeterred, threat actors soon adopted a new file type for their malicious spam (malspam) attachments: Microsoft OneNote documents.

Abusing OneNote attachments

Microsoft OneNote is a free desktop digital notebook application included with Microsoft Office 2019 and Microsoft 365.

Even if a user never opens the application, .one files are still associated with it on any machine where Microsoft 365 is installed, so double-clicking a OneNote attachment opens it in OneNote.

Security researchers have warned that attackers are circulating malicious spam emails with OneNote attachments.

According to BleepingComputer, these emails masquerade as DHL delivery alerts, invoices, ACH remittance forms, mechanical drawings, and shipping documentation.

Unlike Word and Excel, OneNote does not support macros, which attackers previously relied on to run the scripts that installed their malware.

Instead, OneNote lets users insert files into a notebook as attachments, and double-clicking an attachment launches it.

Attackers abuse this feature by inserting malicious VBS attachments, so that a double-click runs the script, which then downloads and installs malware from a remote site.

Because an inserted attachment appears in OneNote only as a file icon, attackers place a large 'Double click to view file' bar over the embedded VBS attachments to disguise them.

Moving the bar out of the way reveals that the malicious document contains numerous copies of the attachment lined up beneath it, so a double-click anywhere on that row launches one of them.
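Because the script arrives as a file embedded in the .one container rather than as a macro, a gateway or analyst can pull the embedded attachments out and classify them by content. The following scanner is an added example (not code from the article or from BleepingComputer): it locates the FileDataStoreObject structures that wrap each embedded file in a OneNote document, using the header and footer GUIDs documented in Microsoft's MS-ONESTORE specification, and flags script or executable payloads. The demo notebook it scans is constructed in memory (a PNG stub plus an inert VBS text), not a real malware sample; the content heuristics in `classify` are this example's own and are deliberately simple.

```python
"""Extract and classify embedded attachments in a OneNote .one file (added example)."""
import struct
import uuid

# MS-ONESTORE: guidFileType that opens every .one file.
ONE_FILE_GUID = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
# MS-ONESTORE FileDataStoreObject: guidHeader, cbLength, unused, reserved, FileData, guidFooter.
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA290-7F74-4A7A-BF7F-637D246EF9DE}").bytes_le
FDSO_HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength(u64 LE) + unused + reserved

# Content markers typical of a VBS/PowerShell dropper; the attacker controls the
# displayed file name, so never trust the extension.
SCRIPT_MARKERS = (b"createobject(", b"wscript.shell", b"powershell",
                  b"cmd /c", b"cmd.exe", b"msxml2.xmlhttp")


def classify(data: bytes) -> str:
    """Label an extracted payload by magic bytes, falling back to script markers."""
    head = data[:4096].lower()
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip-archive"
    if data.startswith(ONE_FILE_GUID):
        return "onenote-document"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"\x89PNG"):
        return "png-image"
    if any(m in head for m in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def extract_attachments(one: bytes) -> list:
    """Return every FileDataStoreObject payload found in a .one blob."""
    found = []
    pos = one.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", one, pos + 16)
        start = pos + FDSO_HEADER_SIZE
        end = start + length
        if end > len(one):  # truncated or corrupt object: stop rather than over-read
            break
        payload = one[start:end]
        # Tolerate alignment padding between FileData and guidFooter.
        footer_ok = one.find(FDSO_FOOTER, end, end + 32) != -1
        found.append({"offset": pos, "size": length, "footer_ok": footer_ok,
                      "kind": classify(payload), "data": payload})
        pos = one.find(FDSO_HEADER, end)  # skip past the payload to avoid nested matches
    return found


def assess(one: bytes) -> dict:
    """Summarise a .one blob: embedded (kind, size) pairs and a simple verdict."""
    if not one.startswith(ONE_FILE_GUID):
        return {"is_onenote": False, "attachments": [], "suspicious": False}
    kinds = [(a["kind"], a["size"]) for a in extract_attachments(one)]
    suspicious = any(k in ("script", "pe-executable") for k, _ in kinds)
    return {"is_onenote": True, "attachments": kinds, "suspicious": suspicious}


def build_fdso(payload: bytes) -> bytes:
    """Wrap bytes as a FileDataStoreObject; used only to build the constructed demo file."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


# Constructed demo notebook: a PNG stub (decoy) followed by an inert VBS-like text.
DEMO_VBS = (b'Set o = CreateObject("WScript.Shell")\r\n'
            b'o.Run "cmd /c echo demo", 0\r\n')
DEMO_ONE = (ONE_FILE_GUID + b"\0" * 64
            + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
            + b"\0" * 8
            + build_fdso(DEMO_VBS))

if __name__ == "__main__":
    print(assess(DEMO_ONE))
```

Run it against a real attachment with `assess(open(path, "rb").read())`; a notebook that embeds anything classified as `script` or `pe-executable` is worth quarantining at the gateway regardless of what the bar inside the document says.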

Fortunately, when you launch an attachment from OneNote, it warns that opening it could harm your computer and data.

Unfortunately, experience shows that such warnings are frequently ignored, with users simply clicking OK.

Once the user clicks OK, the VBS script runs, downloads two files from a remote site and executes both.

The first is a decoy OneNote document that opens and looks like the one the victim expected. The second is a malicious batch file that the VBS code runs in the background to infect the device with malware.
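The chain just described (OneNote launching a script host, which in turn runs a batch file) is visible in process-creation telemetry. The following detector is an added example, not something from the article or from any vendor: given Sysmon-style process-creation events, it builds the parent chain for every script host and flags those that descend from onenote.exe. The events are constructed for the demo, and the temp path in them is illustrative; the set of script hosts and the depth limit are this example's own choices.

```python
"""Flag script hosts descending from onenote.exe in process-creation events (added example)."""
import ntpath

# Interpreters and LOLBins a OneNote attachment is likely to hand control to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def lineage(by_pid: dict, pid: int, max_depth: int = 6) -> list:
    """Image names from this process up through its ancestors, nearest first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)  # guard against PID reuse creating a cycle
        ev = by_pid[pid]
        chain.append(basename(ev["Image"]))
        pid = ev["ParentProcessId"]
    return chain


def detect_onenote_chains(events: list) -> list:
    """Return one hit per script host whose ancestry includes onenote.exe."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["Image"]) not in SCRIPT_HOSTS:
            continue
        chain = lineage(by_pid, e["ProcessId"])
        if "onenote.exe" in chain[1:]:  # any ancestor, not just the direct parent
            hits.append({"pid": e["ProcessId"],
                         "chain": " -> ".join(reversed(chain)),
                         "cmd": e["CommandLine"]})
    return hits


# Constructed sample events (Sysmon Event ID 1 style fields); paths are illustrative.
SAMPLE_EVENTS = [
    {"ProcessId": 4000, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": r'"ONENOTE.EXE" "C:\Users\u\Downloads\invoice.one"'},
    {"ProcessId": 4200, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\OneNote\16.0\Exported\demo\NT\0\invoice.vbs"'},
    {"ProcessId": 4300, "ParentProcessId": 4200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\u\AppData\Local\Temp\run.bat"'},
    {"ProcessId": 4400, "ParentProcessId": 4300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    # Benign noise: a cmd.exe from Explorer and a non-script child of OneNote.
    {"ProcessId": 5000, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessId": 5100, "ParentProcessId": 4100, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe"},
]

if __name__ == "__main__":
    for hit in detect_onenote_chains(SAMPLE_EVENTS):
        print(hit["pid"], hit["chain"], "|", hit["cmd"])
```

Walking the full ancestry rather than checking only the direct parent is what catches the second-stage batch file and anything it launches; alerting on the direct parent alone would see wscript.exe and miss the rest of the chain.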

Defending against these threats

The OneNote files in the malspam emails received by BleepingComputer install remote access trojans with information-stealing capabilities.

According to one security researcher, the OneNote attachments he examined installed the AsyncRAT and XWorm remote access trojans.

Pro tip: if you haven't already blocked .one files at your perimeter or email gateway, now is the time.

BleepingComputer discovered a OneNote attachment that installs the Quasar Remote Access trojan.

Once installed, this kind of malware gives attackers remote access to the victim's computer, letting them steal data and passwords saved in browsers, take screenshots and, in some cases, record video through the webcam.

Threat actors also use remote access trojans to steal cryptocurrency wallets from victims' devices, which can make this an expensive infection.

The simplest way to avoid malicious attachments is not to open files from people you do not know. If you do open one by accident, do not ignore any warning the operating system or application displays.

If you are warned that clicking a link or opening an attachment could damage your data, do not click OK; close the application instead.

If you believe the email is legitimate, forward it to a security or Windows administrator who can help you determine whether the file is safe.