Microsoft OneNote Is Latest Malware VectorCapture Your Thoughts, Discoveries and Ideas While Getting Pwned
At least somebody uses Microsoft OneNote: Security researchers say they've detected an increase in the number of hackers delivering malware via the note-taking app bundled into the computing giant's Office suite of programs.
A spike over the last two months in malicious
.one files is likely due to hackers adapting to Microsoft's crackdown on macros, leading them to look for other ways to smuggle malware past threat detection, say researchers at Proofpoint.
Attachments initially observed by the company didn't register as malicious with antivirus engines, making it likely that emails appearing in inboxes had a high success rate of infection, the researchers say.
OneNote-delivered malware still requires users to click through the warning messages Microsoft throws at them when they open attachment files. Multiple threat actors are resorting to OneNote as a threat vector, but Proofpoint says adoption of the tactic by the threat actor it tracks as TA577 is particularly worrying.
"TA577's adoption of OneNote suggests other more sophisticated actors will begin using this technique soon. This is concerning: TA577 is an initial access broker that facilitates follow-on infections for additional malware including ransomware," Proofpoint says.
The firm characterizes TA577 as a "prolific cybercrime threat actor" associated with incidents of REvil and Black Basta ransomware. Just days ago, it delivered Qbot with an attack chain that included OneNote.
Observed OneNote campaigns share similar characteristics. Phishing messages typically contain OneNote file attachments with themes such as "invoice, remittance, shipping" or seasonal themes. Hackers have also sent links to download OneNote files.
The documents contain embedded files "often hidden behind a graphic that looks like a button." When the user double-clicks the embedded file - and blows through Microsoft's security warnings - the file executes. Payloads delivered through the campaigns include AsyncRAT, QuasarRAT, XWorm, Redline, AgentTesla and NetWire.
Proofpoint isn’t the only cybersecurity firm to recently observe a shift to OneNote among hackers. Trustwave in December spotted a campaign using OneNote to move Formbook malware.