Posted on January 21, 2023 at 5:49 AM
It seems the latest innovation of threat actors is to use Microsoft OneNote attachments. These attachments ride along in the standard phishing email, allowing malicious actors to infect systems with remote access malware. From there, it’s a simple matter of stealing passwords and crypto wallets, or just installing even more malware.
A New Threat Looms Ahead
According to a report by BleepingComputer, threat actors have turned to Microsoft OneNote, a free application bundled with Microsoft Office and Microsoft 365. It is installed by default, and even if users never open it, it typically stays on the system, so the .one file format remains associated with it and ready to use.
The threat of OneNote attachments delivering malware had already been documented back in December of 2022. BleepingComputer’s investigations turned up various samples: malicious phishing emails posing as shipping documents, DHL shipping notifications, mechanical drawings, and ACH remittance forms.
Evolving After Previous Patches
In the past, malicious actors relied on Microsoft Word or Excel attachments to install malware, abusing the macro features of these programs to make the victim’s system download the payload. That, however, changed in July, when Microsoft disabled macros by default across its suites. With macros blocked out of the box, threat actors had to move away from a now-unreliable method of spreading malware.
The next step in their innovations was the use of password-protected ZIP and ISO files. For a time, this was the “industry standard” for threat actors, as a bug in Windows allowed ISOs, in particular, to bypass security warnings. Both of these holes have now been plugged, however, thanks to the simple addition of a prominent, scary-looking warning when a user tries to open a file inside a downloaded ZIP or ISO.
The Standard Strategies With New Paint
Unlike Word and Excel, OneNote doesn’t support macros. The go-to method of spreading malware with OneNote instead seems to be inserting file attachments into a notebook. When such an attachment is double-clicked, the embedded VBS file runs behind the scenes, downloading and installing malware from a remote server.
To further increase their odds, BleepingComputer highlighted that the attackers add an array of malicious attachments to the notebook, hoping to catch you with a double click, much like someone throwing a net into a pond to catch a fish.
Fortunately, before launching the embedded file, OneNote warns its users that opening it could harm their system. Unless taught by the school of hard knocks, however, most people will simply click through these messages when prompted.
OneNote Malware Primarily Trojans
BleepingComputer reported that in the malspam emails their team encountered, the malicious OneNote attachments installed remote access trojans (RATs). These trojans typically include information-stealing functionality as well.
James, a cybersecurity researcher, tweeted about the matter as well, advising his followers to block .one files at their email and perimeter gateways.
RATs allow malicious actors to remotely access a victim’s system, letting them steal saved passwords and files, and even take screenshots. In some cases, they also let the attacker record video through the webcam. These days, such tools are commonly used to steal cryptocurrency wallets, which, as one would imagine, can lead to massive losses for the victim.
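One concrete way to act on the gateway-blocking advice above, and on the embedded-VBS mechanism described earlier, is to inspect a .one attachment for embedded files before it reaches a mailbox. The following is an added example, not code from the article or from BleepingComputer; it assumes the FileDataStoreObject layout (header GUID, 64-bit length, 12 reserved bytes, data, padding, footer GUID) from the public [MS-ONE] specification, and the sample notebook bytes are constructed inline.

```python
import struct
import uuid
# Header/footer GUIDs of the FileDataStoreObject structure that wraps an embedded
# file inside a .one file (assumption: values taken from the public [MS-ONE] spec).
GUID_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
GUID_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
PREAMBLE = 16 + 8 + 4 + 8  # guidHeader, cbLength (uint64 LE), unused, reserved
MAGIC = [(b"MZ", "pe-executable"), (b"PK\x03\x04", "zip-container"),
         (b"%PDF", "pdf"), (b"\x89PNG", "png-image")]
RISKY = {"pe-executable", "zip-container", "text-script"}

def sniff(data: bytes) -> str:
    """Crude type guess: magic bytes first, then 'is it plain text' (script territory)."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text-script"  # plain text in a .one attachment is usually VBS/JS/BAT/HTA

def extract_embedded_files(blob: bytes) -> list:
    """Walk every FileDataStoreObject in a .one blob and return payload plus type guess."""
    found, pos = [], blob.find(GUID_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + PREAMBLE
        payload = blob[start:start + length]
        # footer GUID follows the data after up to 7 bytes of alignment padding
        footer_ok = blob.find(GUID_FOOTER, start + length, start + length + 24) != -1
        found.append({"offset": pos, "size": length, "kind": sniff(payload),
                      "footer_ok": footer_ok, "payload": payload})
        pos = blob.find(GUID_HEADER, start + length)
    return found

def triage(blob: bytes) -> dict:
    """Gateway-style verdict: quarantine if any embedded object is executable or script-like."""
    found = extract_embedded_files(blob)
    risky = [f for f in found if f["kind"] in RISKY]
    return {"embedded": len(found), "risky": len(risky), "verdict": "quarantine" if risky else "allow"}

def build_fdso(payload: bytes) -> bytes:
    # Constructed fixture: wrap payload the way OneNote stores an embedded file.
    pad = (-len(payload)) % 8
    return GUID_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + b"\0" * pad + GUID_FOOTER

# Constructed sample, not a real notebook: filler, one text "script", one PNG image.
SAMPLE_ONE = (b"constructed-one-filler\0\0" * 2
              + build_fdso(b"' constructed VBS sample\r\nMsgBox \"hello\"\r\n")
              + b"\0" * 40
              + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 20))
```

A real deployment would run `triage` on every .one attachment at the mail gateway and quarantine on "quarantine"; an image-only notebook still passes, which is the point of inspecting content rather than blocking the extension outright.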
One More Evolution In Threat Actors
The standard practice for avoiding this is pretty simple: don’t open any files sent to you from sources you do not completely trust. It’s as simple as that. While mistakes do happen, most programs issue warnings before opening files from unknown sources, and it’s recommended to heed those warnings. If all else fails, run the file in question past an administrator, preferably one with a cybersecurity background. A sturdy antivirus is always a good call as well.
This latest innovation is simply the next step in the constant war between threat actors and security experts. As long as the Internet exists, there will be those who wish to exploit people through it, and those whose interest is in stopping them. When the OneNote hole gets plugged, threat actors will evolve and find another means to infect victim systems with malware.
Time will tell how long this new trend lasts before the eventual fix, seeing as it took Microsoft a long time to close the other gaps in its own protections.