A hot potato: Threat actors are using OneNote attachments in their phishing emails to infect victims with remote access malware that can be used to steal passwords and even access cryptocurrency wallets. Malicious Word and Excel attachments that launch macros to download and install malware have been used by attackers to distribute malware via email for years. However, Microsoft finally disabled macros by default in Office documents in 2022, rendering this method of malware distribution ineffective.
The use of Microsoft OneNote pages to disseminate malware to unwary users is growing, according to security experts. Researchers at Proofpoint say that in a thorough study they found six campaigns in December 2022 that used OneNote to distribute the AsyncRAT malware. Less than a month later, they detected over 50 campaigns in January 2023. The same month, a threat actor known as TA577 began distributing Qbot via OneNote.
XWorm, Qakbot, BATLOADER, Agent Tesla, DOUBLEBACK, Quasar RAT, AsyncRAT, RedLine Stealer, and FormBook are a few well-known malware families that use this method of distribution.
OneNote files allow users to insert attachments, which can download malware from remote locations. The report says that hackers were sending out notebooks with themes such as "invoice, remittance, shipping, and seasonal themes like Christmas bonus," deceiving their targets into thinking the content was safe.
Typically, the phishing emails contain a OneNote file that embeds an HTA file, which launches a PowerShell script to retrieve a malicious payload from a remote server. In other cases, a malicious VBScript embedded in the OneNote page and hidden behind an image that looks like a useful button is executed. That VBScript, in turn, is designed to run the DOUBLEBACK PowerShell script.
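Because the attachments described above are stored inside the OneNote file as embedded file objects, a mail gateway or analyst can pull them out and look for script content without opening the notebook. The following is an added example, not code from the article or from Proofpoint: it walks a .one file for the FileDataStoreObject header GUID defined in Microsoft's [MS-ONESTORE] specification, slices out each embedded file by its length field, and flags files that carry HTA, VBScript or PowerShell markers. The sample notebook bytes, the marker list and the function names are constructed for this example.

```python
import re
import struct
from typing import Dict, List

# GUID that precedes every embedded file in a OneNote section file
# (FileDataStoreObject, [MS-ONESTORE]), written in little-endian byte order.
FILE_DATA_STORE_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# Matching footer GUID that follows the file data.
FILE_DATA_STORE_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")

# Crude content indicators for the script types the campaigns embed (constructed list).
SCRIPT_MARKERS = [
    (re.compile(rb"<script", re.I), "html-script"),
    (re.compile(rb"WScript\.Shell|CreateObject\(", re.I), "vbscript-shell"),
    (re.compile(rb"powershell(\.exe)?\b", re.I), "powershell"),
    (re.compile(rb"-enc(odedcommand)?\b", re.I), "encoded-command"),
]


def extract_embedded_files(blob: bytes) -> List[bytes]:
    """Return the raw bytes of every embedded file object found in a .one blob."""
    files = []
    pos = 0
    while True:
        idx = blob.find(FILE_DATA_STORE_HEADER, pos)
        if idx < 0:
            break
        hdr_end = idx + 16
        if hdr_end + 20 > len(blob):          # need cbLength(8) + unused(4) + reserved(8)
            break
        (cb_length,) = struct.unpack_from("<Q", blob, hdr_end)
        data_start = hdr_end + 8 + 4 + 8
        files.append(blob[data_start:data_start + cb_length])
        pos = data_start + cb_length
    return files


def classify(data: bytes) -> List[str]:
    """List the script indicators present in one embedded file."""
    return [label for pattern, label in SCRIPT_MARKERS if pattern.search(data)]


def scan_onenote(blob: bytes) -> List[Dict]:
    """Summarise every embedded file: index, size and script indicators."""
    return [
        {"index": i, "size": len(data), "indicators": classify(data)}
        for i, data in enumerate(extract_embedded_files(blob))
    ]


# --- constructed sample notebook for a stand-alone run -----------------------
BENIGN_DOC = b"Remittance advice for December, thank you for your business."
SCRIPT_DOC = (
    b'<html><script language="VBScript">\r\n'
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b"' next step elided: would launch powershell.exe\r\n"
    b"</script></html>"
)


def build_file_object(data: bytes) -> bytes:
    """Wrap data in a FileDataStoreObject header/footer (constructed helper)."""
    return (FILE_DATA_STORE_HEADER + struct.pack("<Q", len(data))
            + b"\x00" * 12 + data + FILE_DATA_STORE_FOOTER)


def build_sample_blob() -> bytes:
    """A fake .one section: filler, a benign attachment, then a script attachment."""
    return (b"\x00" * 64 + build_file_object(BENIGN_DOC)
            + b"\x00" * 32 + build_file_object(SCRIPT_DOC))


if __name__ == "__main__":
    for entry in scan_onenote(build_sample_blob()):
        print(entry)
```

The scan only answers "does this notebook carry script-like attachments"; it does not parse the page layout, so it cannot tell whether the attachment sits behind a fake "Open" button. That is fine for gating: a notebook arriving by email with any HTA, VBScript or PowerShell indicator is worth quarantining for review regardless of how it is dressed up.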
Even though email remains the most common method for spreading malware, restricting macros has the dual effect of reducing the attack surface and raising the overhead of conducting an attack. But other techniques for hiding malicious code have also gained popularity. The Ekipa RAT (remote access trojan) and other backdoors have also been distributed via Microsoft Publisher macros and Excel add-in (XLL) files as attack vectors.
Researchers at Proofpoint think that OneNote's popularity among hackers is the result of in-depth investigation. OneNote, which is part of the Microsoft Office suite but is now also offered for free as a standalone program, was chosen after some trial and error with a number of attachment types because detection rates have been low so far.