OneNote documents are increasingly being used by threat actors to deliver malware to unsuspecting end users via email, according to Proofpoint researchers. The malware delivered this way is remote access malware that can be used to install additional payloads, steal passwords, or even access cryptocurrency wallets.
Microsoft developed the digital notebook OneNote, which is available via the Microsoft 365 product suite.
“Threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs”, said Proofpoint researchers.
After years of relying on malicious Word and Excel attachments whose macros download and install malware, attackers are now turning to OneNote attachments to spread malware through email.
The shift follows Microsoft's decision, in July 2022, to block macros by default in Office files downloaded from the internet, which made the macro-based technique far less effective for spreading malware.
According to the report, messages typically carry OneNote file attachments with themes such as invoice, remittance and shipping, as well as seasonal themes such as Christmas bonus, among other subjects.
“The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When the user double-clicks the embedded file, they will be prompted with a warning. If the user clicks continue, the file will execute”, the researchers explain.
The embedded file may be an executable, a shortcut (LNK) file, or a script file such as an HTML application (HTA) or a Windows script file (WSF).
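The embedded files described above are stored inside the .one container as FileDataStoreObject structures, each delimited by a fixed GUID header and footer (documented in Microsoft's MS-ONESTORE specification). That makes them easy to carve out and triage without opening the notebook. The script below is an added example, not Proofpoint's tooling or part of the original article: it walks a .one byte stream, extracts every embedded blob, guesses its type from its leading bytes, and flags the executable and script types the article lists. The sample notebook it scans is constructed inline (one harmless PNG stub and one HTA stub); the type heuristics and the `suspicious_files` helper are this example's own assumptions, not an official classifier.

```python
"""Carve embedded files out of a OneNote .one container and flag risky types."""
import re
import struct
import sys
from dataclasses import dataclass

# GUID header/footer of the FileDataStoreObject structure (MS-ONESTORE),
# as stored on disk in little-endian GUID byte order.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
# 16 (guidHeader) + 8 (cbLength) + 4 (unused) + 8 (reserved) = 36 bytes before FileData
FDSO_DATA_OFFSET = 36

# Heuristic type labels; which of them count as risky is this example's assumption.
SUSPICIOUS_KINDS = {
    "PE executable", "LNK shortcut", "WSF script",
    "HTA/HTML script", "VBS/JS script", "batch/PowerShell script",
}


@dataclass
class EmbeddedFile:
    offset: int      # byte offset of the GUID header inside the .one file
    size: int        # number of payload bytes actually recovered
    kind: str        # classify() label
    truncated: bool  # cbLength claimed more bytes than the file holds
    data: bytes


def classify(data: bytes) -> str:
    """Guess the payload type from magic bytes and script keywords (heuristic)."""
    head = data[:4096]
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):  # LNK header + CLSID prefix
        return "LNK shortcut"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff"):
        return "image"
    text = head.lower()
    if b"<job" in text and b"<script" in text:
        return "WSF script"
    if b"<hta:application" in text or b"<script" in text:
        return "HTA/HTML script"
    if b"createobject(" in text or b"wscript." in text:
        return "VBS/JS script"
    if b"powershell" in text or text.lstrip().startswith(b"@echo off"):
        return "batch/PowerShell script"
    return "unknown"


def extract_embedded_files(blob: bytes) -> list[EmbeddedFile]:
    """Return every FileDataStoreObject payload found in the container bytes."""
    found = []
    for match in re.finditer(re.escape(FDSO_HEADER), blob):
        start = match.start()
        if start + FDSO_DATA_OFFSET > len(blob):
            break
        (claimed,) = struct.unpack_from("<Q", blob, start + 16)  # cbLength
        data_start = start + FDSO_DATA_OFFSET
        data_end = min(data_start + claimed, len(blob))
        payload = blob[data_start:data_end]
        found.append(EmbeddedFile(start, len(payload), classify(payload),
                                  truncated=data_end < data_start + claimed,
                                  data=payload))
    return found


def suspicious_files(blob: bytes) -> list[EmbeddedFile]:
    """Only the embedded files whose type is executable or script-like."""
    return [f for f in extract_embedded_files(blob) if f.kind in SUSPICIOUS_KINDS]


def _wrap(payload: bytes) -> bytes:
    """Build one FileDataStoreObject around a payload (for the constructed sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


def build_sample_one() -> bytes:
    """Constructed stand-in for a lure notebook: a PNG 'button' image plus an HTA.
    The HTA only runs Get-Date; it is a placeholder, not a real payload."""
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    hta_stub = (b'<html><head><hta:application id="x"/></head>'
                b'<script language="VBScript">Set sh = CreateObject("WScript.Shell")\n'
                b'sh.Run "powershell.exe -NoProfile -Command Get-Date"</script></html>')
    return b"\x00" * 64 + _wrap(png_stub) + b"\x00" * 16 + _wrap(hta_stub)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_one()
    for f in extract_embedded_files(blob):
        flag = "SUSPICIOUS" if f.kind in SUSPICIOUS_KINDS else "ok"
        print(f"offset=0x{f.offset:x} size={f.size} kind={f.kind!r} "
              f"truncated={f.truncated} -> {flag}")
```

Run it with a path to a .one file to list what is embedded; with no argument it scans the constructed sample. Matching on the GUID rather than on file extensions matters because the embedded file's display name is attacker-controlled, while the container structure is not. A truncated flag means cbLength pointed past the end of the file, which is worth a second look in its own right.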
In the December campaign, the OneNote attachment contained an HTA file that launches a PowerShell script to download an executable named Excel.exe from a URL. These messages were directed at companies in the industrial and manufacturing sectors.
The researchers say thousands of messages were sent in other campaigns using invoice and shipment themes, as well as “Christmas bonus” or “Christmas gift” lures, primarily targeting businesses in the education sector and other industries.
“The campaigns continued to use the same TTPs, with hidden embedded files in the OneNote attachment that ultimately lead to the download of a malware payload”, the researchers said.
“In multiple campaigns, the actors used the legitimate services “OneNote Gem” and Transfer.sh to host payloads”.
The researchers also discovered one campaign using invoice themes and distributing XWorm and AsyncRAT, with lures in both English and French. The OneNote attachment in these messages contained a PowerShell script used to download a batch file (system32.bat) from a URL.
“On 19 January 2023, [Proofpoint] observed a low-volume campaign distributing the DOUBLEBACK backdoor. DOUBLEBACK is an in-memory backdoor that can enable host and network reconnaissance, data theft, and follow-on payloads”, the researchers said.
Messages contained URLs on several domains with a URI ending with /download/[guid]. The actor purported to previously have contacted the victim and that the related files had been uploaded to cloud storage.
The OneNote template instructed the victim to “Double Click To View File”. Doing so made OneNote attempt to run a VBS file hidden behind the button. The victim was warned about the security risk before the attachment could open; if they continued anyway, the VBS executed.
On January 31, 2023, the initial access broker TA577 resumed operation after a one-month absence and delivered Qbot with an attack chain that included OneNote. The emails appeared to be replies to earlier conversations and each carried a unique URL in the message body.
Researchers suspect that several threat actors are using OneNote attachments to evade detections tuned for macro-laden Office documents.
An attack can only succeed if the target interacts with the attachment, more precisely if they double-click the embedded file and click through the OneNote warning. Organisations should inform end users about this tactic and urge them to report suspicious emails and attachments; where OneNote is not used for business, blocking .one attachments at the email gateway removes the delivery vector altogether.