Warning: Hackers are installing malware via Microsoft OneNote attachments


Hackers are using a new file format in the form of Microsoft OneNote attachments to spread malware to targets. Double-clicking the malicious spam attachments automatically launches the script, resulting in the malware from a remote site being downloaded and installed. (Trustwave via Bleeping Computer)

OneNote remains one of the core parts of Microsoft 365. Microsoft continuously introduces and tests new features in the app, and that same popularity makes it an attractive vehicle for attackers. In a new discovery, security researchers report that threat actors are now relying on OneNote attachments to install malicious software on victims’ machines.

Security experts began warning about this as early as December last year. Trustwave, a cybersecurity company, published a report last month describing the new strategy.

“…Through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service,” Trustwave shares in its blog. “One file type that caught our eye on December 6, 2022, was the aforementioned OneNote attachment, with a .one extension attached to a spam email in our telemetry system.”

A separate report from Bleeping Computer notes that the attachments pose as routine business documents, including invoices, mechanical drawings, DHL shipping notifications, ACH remittance forms, and shipping documents. The OneNote files, however, carry embedded VBS attachments that launch a script as soon as a user double-clicks them.

To fool users, the threat actors place an image lure reading “Double click to view file” or “View Document” as a bar overlaid on the attachments. Moving the overlay reveals the multiple attachments hidden beneath it, and double-clicking anywhere on the bar double-clicks one of those attachments, launching the script.

On a positive note, OneNote does warn users of the danger: the app displays a prompt stating that “opening attachments could harm your computer and data.” This is where users make the biggest mistake, by dismissing the prompt with a click of the “OK” button, which many routinely ignore.

Once clicked, the VBS script downloads two files from a remote server and runs them. According to the screenshots shared by Bleeping Computer, the first is a legitimate-looking OneNote document that opens to reassure the user. Alongside it, a malicious batch file executes in the background and installs the malware on the device. The payloads include remote access trojans (e.g., AsyncRAT, XWorm, and Quasar RAT) with information-stealing capabilities, from taking screenshots and harvesting saved browser passwords to recording video via users’ webcams and stealing cryptocurrency wallets.

Unfortunately, the best protection users have against these attacks is to be cautious about opening files from unknown senders and to heed the standard security alerts from the system and the app. Trustwave, meanwhile, has a suggestion for organizations.

“In sum, a WSF file embedded in a OneNote document is likely to fly under the radar,” Trustwave says. “It also means that OneNote can now join the list of other Office Documents that need to be inspected for malicious components. As mentioned earlier, it’s not typical to see .one files attached to emails. As a mitigation step, organizations should consider blocking or flagging inbound email attachments with a .one extension.”
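The mitigation Trustwave recommends above (flagging inbound .one attachments) can be paired with a look inside the file for the embedded VBS/WSF scripts the article describes. The Python below is an added example, not code from Trustwave or MSPoweruser: it picks out .one attachments in a raw email, carves each embedded file using the FileDataStoreObject header GUID from Microsoft's MS-ONESTORE specification, and labels what it finds; the `build_sample` mail and its lure payload are constructed for the demonstration and are not a real sample.

```python
import re
import struct
import email.policy
from email.message import EmailMessage

# GUID that opens every FileDataStoreObject (embedded file) in MS-ONESTORE,
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, as it appears little-endian on disk.
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# Markers for the VBS/WSF payloads described in the article (heuristic, not exhaustive).
SCRIPT_MARKERS = re.compile(rb"(?i)\bCreateObject\b|\bWScript\b|<job\b|<script\b")

def carve_embedded_files(blob):
    """Return (offset, payload) for each FileDataStoreObject found in a .one blob."""
    found, pos = [], blob.find(FILE_DATA_HEADER)
    while pos != -1:
        # Layout: 16-byte guidHeader, 8-byte cbLength, 4 unused, 8 reserved, then data.
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        found.append((pos, blob[pos + 36:pos + 36 + length]))
        pos = blob.find(FILE_DATA_HEADER, pos + 16)
    return found

def classify(payload):
    """Coarse label for an embedded payload based on magic bytes and script markers."""
    if payload[:2] == b"MZ":
        return "pe-executable"
    if SCRIPT_MARKERS.search(payload[:4096]):
        return "script"
    return "unknown"

def flag_eml(raw):
    """Flag .one attachments in a raw message; 'block' if any carries a script or PE."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".one"):
            continue
        kinds = [classify(p) for _, p in carve_embedded_files(part.get_payload(decode=True))]
        verdict = "block" if {"script", "pe-executable"} & set(kinds) else "flag"
        findings.append({"filename": name, "embedded": kinds, "verdict": verdict})
    return findings

def build_sample():
    """Constructed lure: an 'Invoice.one' attachment wrapping one embedded WSF script."""
    script = b'<job><script language="VBScript">CreateObject("WScript.Shell")</script></job>'
    obj = FILE_DATA_HEADER + struct.pack("<Q", len(script)) + b"\0" * 12 + script
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(obj, maintype="application", subtype="octet-stream", filename="Invoice.one")
    return msg.as_bytes()
```

A mail gateway hook would feed `flag_eml` each inbound message and quarantine on "block" while routing "flag" results to a reviewer.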
