Cybercriminals have long used Microsoft documents to distribute malware and they are always experimenting with new ways to deliver malicious packages. Late last year, threat actors were found using a OneNote document to distribute Formbook malware. Recently, they were found actively using OneNote attachments in malspam emails that infect victims with RATs.
Tricking the victims
BleepingComputer researchers found malspam emails pretending to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents with a OneNote attachment.
As OneNote does not support macros, threat actors insert malicious VBS attachments into a NoteBook that, when double-clicked, will launch the malware.
Threat actors are hiding the attachments’ file icons in OneNote under a big 'Double click to view file' bar. If a user double-clicks anywhere on the bar, the attachment will be double-clicked to download malware from a remote site and install it.
When launching OneNote attachments, the program displays a warning that doing so can harm the computer and data. Unfortunately, these types of prompts are commonly ignored, and users just click the OK button.
Clicking the OK button will launch the malicious VBS script to download and install malware.
Malware distribution
Experts observed that in some malspam emails, the OneNote files install RATs such as AsyncRAT, XWorm, and Quasar with information-stealing functionality.
These malware can be used to remotely access a victim’s device to steal files and saved browser passwords, take screenshots, cryptocurrency wallets, and in some cases, even install further malware.
Why OneNote?
Notably, in July 2022, Microsoft disabled macros by default in Office documents such as Word and Excel, which threat actors previously used to launch scripts to install malware.
Later on, threat actors started using new file formats such as ISO images and password-protected ZIP files.
These file formats quickly gained popularity aided by a Windows bug that allowed ISOs to bypass security warnings and the popular 7-Zip utility's failure to propagate Mark of the Web (MotW) flags to files extracted from ZIP archives. Both these bugs were also fixed recently.
Attackers are now using Microsoft OneNote as it is by default installed in all Microsoft Office/365 installations. Even if a Windows user does not use it, it is still available to open the file format.
Security tips
The best way to protect from malicious attachments is to simply not open files from suspicious people or unknown mail addresses. Users should not disregard warnings displayed by the operating system or application and download a file only after verifying that it is safe.