OneNote attachments could spread RATs and malware

February 2, 2023

Threat actors have added another Microsoft feature, OneNote, to their malware delivery methods. Researchers first observed this technique last year, when attackers used OneNote documents as email attachments to distribute the Formbook malware.

Earlier this year, another set of actors used OneNote attachments in a malspam email campaign that infected targets with remote access trojans (RATs).


Threat actors used shipping notifications and other routine business documents as lures to spread malicious OneNote attachments.


Based on reports, a new malspam email campaign masquerades as DHL shipping notifications, ACG and ACH remittance forms, invoices, shipping documents, and mechanical drawings to push the malicious OneNote attachments.

Because OneNote does not support macros, the actors instead embed malicious VBS attachments inside a notebook. The notebook is designed to bait users into double-clicking the attachment, which launches the malware.

OneNote displays a warning that opening the attachment could harm the computer and its data. However, most users disregard the warning and click the OK button.

Clicking OK runs the embedded VBS script, which downloads and installs the malware.
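The delivery step above relies on a file being embedded inside the notebook, and the OneNote on-disk format stores every embedded file in a structure with fixed marker GUIDs, which gives defenders a simple way to triage suspicious .one attachments before anyone opens them. The following scanner is an added example written for this article, not code from the original report or from Microsoft. It assumes the FileDataStoreObject layout published in Microsoft's MS-ONESTORE specification (header GUID, 8-byte length, 12 bytes of unused/reserved fields, file data, footer GUID); the sample notebook bytes it builds are constructed for the demonstration and are not a real OneNote file.

```python
"""
Scan a OneNote (.one) byte stream for embedded attachments (detection-side helper).

OneNote stores each embedded file in a FileDataStoreObject (MS-ONESTORE 2.6.13):
  guidHeader (16 bytes) | cbLength (8 bytes, little-endian) | unused (4) |
  reserved (8) | FileData (cbLength bytes) | alignment padding | guidFooter (16)
Both GUIDs are constant, so a byte scan recovers every embedded file without
parsing the rest of the revision store.
"""
import struct
from dataclasses import dataclass

# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} in on-disk (mixed-endian) byte order
FILE_DATA_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
# {71FBA722-0F79-4A0B-BB13-899256426B24}
FILE_DATA_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
HEADER_FIXED_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved


@dataclass
class EmbeddedFile:
    offset: int      # offset of FileData within the stream
    size: int        # cbLength as recorded in the object
    data: bytes
    kind: str        # coarse content classification for triage
    footer_ok: bool  # whether the footer GUID follows the data as expected


def classify(data: bytes) -> str:
    """Sniff the embedded content; the display name is stored elsewhere in the file
    and can be spoofed, so classify by bytes rather than by extension."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"\x4c\x00\x00\x00":
        return "windows-shortcut"
    if data[:4] == b"PK\x03\x04":
        return "zip-container"
    if data[:4] == b"%PDF":
        return "pdf"
    head = data[:512].lower()
    # tokens typical of the first lines of VBScript / JScript / HTA droppers
    script_tokens = (b"createobject(", b"wscript.", b"<script", b"activexobject(", b"powershell")
    if any(tok in head for tok in script_tokens):
        return "script"
    return "other"


def extract_embedded_files(blob: bytes) -> list:
    """Return every FileDataStoreObject found in blob, in file order."""
    found = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_FIXED_LEN
        end = start + cb_length
        if end > len(blob):
            break  # truncated object: stop instead of reading past the buffer
        data = blob[start:end]
        # allow for up to 8 bytes of alignment padding before the footer GUID
        footer_ok = blob.find(FILE_DATA_FOOTER, end, end + 8 + 16) != -1
        found.append(EmbeddedFile(start, cb_length, data, classify(data), footer_ok))
        pos = blob.find(FILE_DATA_HEADER, end)
    return found


def suspicious_kinds(blob: bytes) -> list:
    """Kinds that warrant blocking or sandboxing a notebook attachment."""
    risky = {"pe-executable", "windows-shortcut", "script"}
    return [f.kind for f in extract_embedded_files(blob) if f.kind in risky]


def build_sample_one(*payloads: bytes) -> bytes:
    """Constructed stand-in for a .one stream: filler, one object per payload, filler.
    Not a real OneNote file; only the FileDataStoreObject layout is faithful."""
    out = b"\xa5" * 64
    for payload in payloads:
        out += (FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
                + payload + b"\x00" * (-len(payload) % 8) + FILE_DATA_FOOTER)
    return out + b"\x5a" * 32


# Constructed, harmless script text standing in for an embedded .vbs attachment
SAMPLE_SCRIPT = b'Set sh = CreateObject("WScript.Shell")\r\nWScript.Echo "constructed sample"\r\n'

if __name__ == "__main__":
    for f in extract_embedded_files(build_sample_one(SAMPLE_SCRIPT, b"MZ\x90\x00" + b"\x00" * 60)):
        print(f"offset={f.offset} size={f.size} kind={f.kind} footer_ok={f.footer_ok}")
```

Run against a real attachment with `extract_embedded_files(open(path, "rb").read())`; any embedded object classified as `script`, `pe-executable` or `windows-shortcut` is a strong reason for a mail gateway to quarantine the message, regardless of what the attachment's icon or displayed name claims.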

In multiple malspam samples, researchers observed the OneNote files installing well-known RATs such as Quasar, XWorm, and AsyncRAT. These RATs also include information-stealing capabilities in their toolsets.

Their operators can use these malware strains to remotely access an infected device, steal information, and harvest saved browser credentials such as passwords. The malware can also take screenshots, drop additional payloads, and steal cryptocurrency wallets.

Attachment-based delivery like this had already attracted many threat actors, aided by a Windows flaw that allowed ISO files to bypass security prompts and by the 7-Zip utility's failure to propagate Mark-of-the-Web (MotW) flags to files extracted from ZIP archives.

Fortunately, Windows has released a fix for both vulnerabilities.

Threat actors have now turned to Microsoft OneNote because it is installed by default with every Microsoft Office installation. Even if a user never uses or simply ignores it, the application remains available to open the malicious OneNote files.

Users should always be wary of attachments from unfamiliar senders, especially unsolicited messages that appear out of nowhere.
