Microsoft OneNote attachments are being used to spread malware
Hackers have found a new way to bypass the macro blocking in Microsoft Office files and still deliver malware to unsuspecting victims.
Security experts at BleepingComputer found newly distributed phishing emails equipped with OneNote attachments.
OneNote is a digital note-taking app that anyone can use to create libraries of shareable content. It is part of a broader Microsoft Office suite, which means that if people have it installed, they can also open OneNote files. While OneNote’s files, called NoteBooks, don’t support macros, they do support attachments, and that’s what crooks are currently taking advantage of.
Malicious VBS file
The phishing emails themselves are nothing out of the ordinary – they include fake DHL parcel notifications, fake invoices, fake shipping notices, ACH remittance forms, etc. Instead of carrying an attached Word or Excel file, they carry a OneNote file that, if opened, appears to be greyed out, with a large button in the middle that says “Double click to view file”.
However, double-clicking will run the attachment, which in this case is a malicious VBS file.
This file will then start communicating with the command & control (C2) server and download the malware.
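To triage attachments like the one described above, a defender can look inside a .one file for embedded attachments before anyone double-clicks them. The scanner below is an added example, not code from the article or from BleepingComputer; it relies on the FileDataStoreObject header and footer GUIDs documented in Microsoft's MS-ONESTORE specification, and the sample blob it scans is constructed inline.

```python
import re
import struct

# FileDataStoreObject GUIDs from MS-ONESTORE, as little-endian bytes:
# header {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, footer {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")

# Content heuristics for payload types worth flagging (assumed, not exhaustive).
SCRIPT_MARKERS = {
    "vbs": re.compile(rb"(?i)\b(CreateObject|WScript|MsgBox|Execute)\b"),
    "hta": re.compile(rb"(?i)<script|<hta:application"),
    "bat": re.compile(rb"(?im)^@echo off|\bpowershell\b"),
}
BINARY_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"\x89PNG": "png"}
SUSPICIOUS_KINDS = {"vbs", "hta", "bat", "pe"}

def extract_embedded_files(data: bytes):
    """Yield (offset, payload) for every FileDataStoreObject found in a .one blob."""
    pos = 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        hdr_end = idx + 16
        # cbLength is a uint64 LE; 4 unused + 8 reserved bytes then precede FileData.
        (length,) = struct.unpack_from("<Q", data, hdr_end)
        start = hdr_end + 8 + 4 + 8
        payload = data[start:start + length]
        if data[start + length:start + length + 16] == FDSO_FOOTER:
            yield idx, payload
        pos = hdr_end  # continue scanning after this header

def classify(payload: bytes) -> str:
    """Label a payload by magic bytes first, then by script-like content."""
    for magic, kind in BINARY_MAGIC.items():
        if payload.startswith(magic):
            return kind
    for kind, rx in SCRIPT_MARKERS.items():
        if rx.search(payload[:4096]):
            return kind
    return "unknown"

def scan_onenote(data: bytes):
    """Return [(offset, size, kind)] for each embedded file in the blob."""
    return [(off, len(p), classify(p)) for off, p in extract_embedded_files(data)]

def suspicious(results):
    return [r for r in results if r[2] in SUSPICIOUS_KINDS]

def build_fdso(payload: bytes) -> bytes:
    """Constructed helper: wrap bytes in a FileDataStoreObject to build a test blob."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER

# Constructed sample: a harmless VBS-looking stub and a PNG-looking blob amid filler bytes.
VBS_STUB = b'WScript.Echo "constructed sample"\r\n'
SAMPLE = b"junk" * 8 + build_fdso(VBS_STUB) + b"\0" * 5 + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
```

Running `scan_onenote` over a real attachment lets a mail gateway or analyst quarantine any .one file whose embedded objects classify as script or PE content.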
BleepingComputer obtained several of these emails and determined that multiple remote access trojans and information stealers are in circulation, including the AsyncRAT, XWorm and Quasar remote access trojans.
The best way to protect against these attacks remains the same as always – instruct your employees not to download attachments or click on email links from people they don’t know, don’t trust, or can’t verify. Additionally, they should be educated not to ignore the warning prompts displayed by programs like Word, Excel, or OneNote. A strong anti-virus solution and a firewall also help.
Finally, enabling multi-factor authentication (MFA) whenever possible can greatly reduce the chance of a more serious compromise.
Via: BleepingComputer