OneNote files are now used to spread malware

Security researchers have been monitoring the emergence of a new technique for spreading malware, using Microsoft’s OneNote to deliver malicious payloads to unsuspecting victims.

Hackers have used Microsoft files to spread malware for years, especially through malicious macros shared in Excel files, but in 2022, Microsoft finally blocked macros from running by default. Undeterred, hackers have discovered that OneNote is an ideal platform for their needs.

OneNote, Microsoft’s popular note-taking application, is installed by default on most Windows PCs, so most users can open OneNote files without installing anything. Those who don’t have it can download it for free.

Researchers at Trustwave’s SpiderLabs first noticed the OneNote strategy being employed in December 2022, when their systems flagged a spam email with a .one file attached.

“It’s not typical to send .one files via email, so we took a closer look at the email,” the researchers said in a blog post.

In this case, the email claimed to be from another company’s “procurement team,” with a request for a quote for some unidentified service. The clever part is what happens when someone clicks on the OneNote attachment.

The file first displays a convincing image that asks users to “view the document.” Clicking it downloads not only the file but also a malicious payload, in this case a data-stealing trojan called Formbook. Windows displays its usual warning about opening unknown attachments, but many users are quite used to ignoring it.

Once this warning is dismissed, a Windows Script File (.wsf) embedded within the OneNote document is executed. It in turn launches a PowerShell command that downloads two files from a command-and-control server on a .ru domain. The first file is a legitimate OneNote document which, when opened, hides the second file, which is the Formbook malware itself.

Formbook is capable of keylogging, taking screenshots, and logging data from websites and other applications.

“In short, a WSF file embedded in a OneNote document is likely to go unnoticed,” the researchers said.

“It also means that OneNote can now join the list of other Office documents that need to be inspected for malicious components.”
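The inspection the researchers call for can start with the file format itself: every file embedded in a .one section is wrapped in a FileDataStoreObject whose header GUID is fixed by the MS-ONESTORE specification. The scanner below is an added example, not code from the researchers or from Microsoft; it locates those objects, pulls out each embedded file and flags the content types seen in this attack chain (a WSF/script file, a PowerShell invocation, a PE executable). The .one sample it scans is constructed inline from a decoy image stub, a script stub and a text note, and the footer GUID is replaced by zero bytes because the parser does not read it.

```python
import re
import struct
import uuid

# FileDataStoreObject header GUID from the MS-ONESTORE specification: every file
# embedded in a .one section is wrapped in one of these objects.
FILE_DATA_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
# After the GUID: cbLength (uint64 LE), 4 unused bytes, 8 reserved bytes, then the data.
DATA_OFFSET = 16 + 8 + 4 + 8

# Content signatures for the file types in the attack chain described above.
SIGNATURES = {
    "wsf/script": re.compile(rb"<\s*(job|script)\b", re.IGNORECASE),
    "powershell": re.compile(rb"powershell", re.IGNORECASE),
    "pe-executable": re.compile(rb"^MZ"),
}

def extract_embedded_files(blob: bytes) -> list[bytes]:
    """Return the raw bytes of every FileDataStoreObject found in a .one blob."""
    files = []
    pos = blob.find(FILE_DATA_GUID)
    while pos != -1 and pos + DATA_OFFSET <= len(blob):
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + DATA_OFFSET
        files.append(blob[start:start + length])
        pos = blob.find(FILE_DATA_GUID, start + length)
    return files

def classify(data: bytes) -> list[str]:
    """Name every signature that matches an embedded file's content."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]

def scan_onenote(blob: bytes) -> list[dict]:
    """One finding per embedded file; a non-empty 'flags' list deserves an analyst's look."""
    return [{"index": i, "size": len(d), "flags": classify(d)}
            for i, d in enumerate(extract_embedded_files(blob))]

def _wrap(data: bytes) -> bytes:
    """Constructed FileDataStoreObject (footer GUID replaced by zero bytes; it is not parsed)."""
    return FILE_DATA_GUID + struct.pack("<Q", len(data)) + b"\0" * 12 + data + b"\0" * 16

# Constructed sample mirroring the lure: a decoy image, a WSF that starts PowerShell, a note.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
WSF_STUB = (b'<job><script language="VBScript">CreateObject("WScript.Shell")'
            b'.Run "powershell -c PLACEHOLDER"</script></job>')
SAMPLE_ONE = b"ONE-HEADER-PLACEHOLDER" + _wrap(PNG_STUB) + _wrap(WSF_STUB) + _wrap(b"Quote request")
```

Running `scan_onenote(SAMPLE_ONE)` reports three embedded files, of which only the second carries flags (`wsf/script` and `powershell`); on a real attachment, read the whole file and pass its bytes in the same way.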
