In a unbroken signal that menace actors are adapting nicely to a post-macro world, it has emerged that the usage of Microsoft OneNote paperwork to ship malware through phishing assaults is on the rise.
Some of the notable malware households which are being distributed utilizing this methodology embody AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.
Enterprise agency Proofpoint mentioned it detected over 50 campaigns leveraging OneNote attachments within the month of January 2023 alone.
In some situations, the e-mail phishing lures include a OneNote file, which, in flip, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a distant server.
Other situations entail the execution of a rogue VBScript that is embedded inside the OneNote doc and hid behind a picture that seems as a seemingly innocent button. The VBScript, for its half, is designed to drop a PowerShell script to run DOUBLEBACK.
“It is necessary to notice, an assault is just profitable if the recipient engages with the attachment, particularly by clicking on the embedded file and ignoring the warning message displayed by OneNote,” Proofpoint mentioned.
The an infection chains are made doable owing to a OneNote characteristic that enables for the execution of choose file sorts immediately from inside the note-taking utility in what’s a case of a “payload smuggling” assault.
“Most file sorts that may be processed by MSHTA, WSCRIPT, and CSCRIPT might be executed from inside OneNote,” TrustedSec researcher Scott Nusbaum mentioned. “These file sorts embody CHM, HTA, JS, WSF, and VBS.”
As remedial actions, Finnish cybersecurity agency WithSecure is recommending customers block OneNote mail attachments (.one and .onepkg information) and preserve shut tabs on the operations of the OneNote.exe course of.
The shift to OneNote is seen as a response to Microsoft’s choice to disallow macros by default in Microsoft Office functions downloaded from the web final 12 months, prompting menace actors to experiment with unusual file sorts akin to ISO, VHD, SVG, CHM, RAR, HTML, and LNK.
The purpose behind blocking macros is two-fold: To not solely cut back the assault floor but additionally improve the trouble required to drag off an assault, at the same time as e-mail continues to be the prime supply vector for malware.
But these will not be the one choices which have change into a preferred method to conceal malicious code. Microsoft Excel add-in (XLL) information and Publisher macros have additionally been put to make use of as an assault pathway to skirt Microsoft’s protections and propagate a distant entry trojan known as Ekipa RAT and different backdoors.
The abuse of XLL information hasn’t gone unnoticed by the Windows maker, which is planning an replace to “block XLL add-ins coming from the web,” citing an “growing variety of malware assaults in current months.” The choice is predicted to be obtainable someday in March 2023.
When reached for remark, Microsoft advised The Hacker News that it had nothing additional to share at the moment.
“It’s clear to see how cybercriminals leverage new assault vectors or less-detected means to compromise person units,” Bitdefender’s Adrian Miron mentioned. “These campaigns are more likely to proliferate in coming months, with cybercrooks testing out higher or improved angles to compromise victims.”