Malware is spread using Microsoft OneNote attachments

Hackers have discovered a new way to circumvent the macro block in Microsoft Office files while still delivering malware to unsuspecting victims via the company’s suite of online collaboration apps.

BleepingComputer security experts discovered newly distributed phishing emails with OneNote attachments.

OneNote is a digital notetaking app that allows users to build a sharable content library. It is included as part of the larger Microsoft Office suite, so users who have this installed can also open OneNote files. While OneNote’s files, known as NoteBooks, do not support macros, they do support attachments, which is what the thieves are now exploiting.

The phishing emails themselves are nothing out of the ordinary; they include fake DHL parcel notifications, invoices, shipping notifications, ACH remittance forms, and other similar items. Instead of carrying a Word or Excel file attached, they carry a OneNote file which, if opened, seems to be blurred out, with a huge button in the middle saying “Double Click to View File”.

However, double-clicking launches the attachment, which in this case is a malicious VBS file.

This file then connects to the command and control (C2) server and downloads the malware.

BleepingComputer obtained a few of these emails and discovered that multiple remote access trojans and infostealers, including the AsyncRAT and XWorm remote access trojans, as well as the Quasar Remote Access trojan, are being distributed.

The best way to protect against these attacks is to educate your employees not to download attachments or click on email links from people they don’t know, trust, or whose identity cannot be confirmed. They should also be taught not to ignore warning messages that appear in programmes like Word, Excel, or OneNote. Aside from that, having a strong antivirus solution and a firewall is advantageous.

Finally, enabling multi-factor authentication (MFA) whenever possible reduces the likelihood of more serious compromise.


Disclaimer: If you need to edit or update this news from compsmag then kindly contact us Learn more
Compsmag - Tech News & Business