Threat actors now use OneNote attachments in phishing emails to infect victims with remote access malware that can be used to install further malware, steal passwords, or even steal cryptocurrency wallets.
This follows years of attackers distributing malware through malicious Word and Excel email attachments whose macros download and install malware.
However, in July, Microsoft finally disabled macros by default in Office documents, making this method unreliable for distributing malware.
Soon after, threat actors began utilizing new file formats, such as ISO images and password-protected ZIP files. These file formats soon became extremely common, aided by a Windows bug allowing ISOs to bypass security warnings and the popular 7-Zip archive utility not propagating mark-of-the-web flags to files extracted from ZIP archives.
However, both 7-Zip and Windows recently fixed these bugs, so Windows now displays scary security warnings when a user attempts to open files from downloaded ISO and ZIP files.
Not to be deterred, threat actors quickly switched to using a new file format in their malicious spam (malspam) attachments: Microsoft OneNote attachments.
Abusing OneNote attachments
Microsoft OneNote is a desktop digital notebook application that can be downloaded for free and is included in Microsoft Office 2019 and Microsoft 365.
As Microsoft OneNote is installed by default in all Microsoft Office/365 installations, it is available to open the file format even if the Windows user never uses the application.
Since mid-December, cybersecurity researchers warned that threat actors had started distributing malicious spam emails containing OneNote attachments.
From samples found by BleepingComputer, these malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents.
Unlike Word and Excel, OneNote does not support macros, which is how threat actors previously launched scripts to install malware.
Instead, OneNote allows users to insert attachments into a notebook that, when double-clicked, will launch the attachment.
Threat actors abuse this feature by inserting malicious VBS attachments that, when double-clicked, run a script that downloads malware from a remote site and installs it.
However, inserted attachments appear as a file icon in OneNote, so the threat actors overlay a big ‘Double click to view file’ bar over the inserted VBS attachments to hide them.
When you move the bar out of the way, you can see that the malicious document contains a row of multiple copies of the attachment. This row ensures that a double-click anywhere on the bar lands on one of the attachments and launches it.
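As an added example (not code from the article or from BleepingComputer), the following Python triage script shows how a defender can enumerate the attachments hidden under that bar without opening the notebook: it walks a .one file for FileDataStoreObject structures (the container OneNote uses for embedded files, per Microsoft's MS-ONESTORE file format specification), hashes each payload so the duplicated copies collapse to one entry with a count, and flags payloads whose content looks like a VBS or batch script. The sample .one bytes and the script markers are constructed for the demonstration and are not from any real malspam sample.

```python
import hashlib
import re
import struct

# FileDataStoreObject GUIDs (MS-ONESTORE) in on-disk little-endian byte order.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
# Content markers (assumed, not exhaustive) suggesting an embedded object is a script rather than a document.
SCRIPT_MARKERS = [rb"createobject\(", rb"wscript\.", rb"@echo off", rb"powershell", rb"\bcmd(\.exe)?\s*/c"]

def extract_embedded_files(data: bytes):
    """Yield the FileData bytes of every FileDataStoreObject (embedded attachment) in a .one file."""
    # Layout: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData(cbLength) guidFooter(16)
    pos = data.find(FDSO_HEADER)
    while pos != -1 and pos + 36 <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start, end = pos + 36, pos + 36 + length
        if data[end:end + 16] == FDSO_FOOTER:
            yield data[start:end]
            pos = data.find(FDSO_HEADER, end + 16)
        else:  # truncated or malformed object: skip this header and keep scanning
            pos = data.find(FDSO_HEADER, pos + 16)

def classify(payload: bytes) -> str:
    if payload.startswith(b"MZ"):
        return "executable"
    head = payload[:4096].lower()
    return "script" if any(re.search(m, head) for m in SCRIPT_MARKERS) else "other"

def triage_one_file(data: bytes) -> dict:
    """Map sha256 -> (occurrences, classification, size); duplicate copies collapse to one entry."""
    report = {}
    for payload in extract_embedded_files(data):
        digest = hashlib.sha256(payload).hexdigest()
        count, kind, size = report.get(digest, (0, classify(payload), len(payload)))
        report[digest] = (count + 1, kind, size)
    return report

def build_fdso(payload: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject; used only to construct the sample below."""
    return FDSO_HEADER + struct.pack("<QI", len(payload), 0) + bytes(8) + payload + FDSO_FOOTER

# Constructed sample: one image blob plus three identical copies of a VBS stub, mimicking the row of duplicates hidden under the bar.
SAMPLE_VBS = b'Set o = CreateObject("WScript.Shell")\r\no.Run "cmd /c echo demo", 0\r\n'
SAMPLE_ONE = bytes(64) + build_fdso(b"\x89PNG\r\n\x1a\n" + bytes(32)) + bytes(16) + build_fdso(SAMPLE_VBS) * 3

if __name__ == "__main__":
    for digest, (count, kind, size) in triage_one_file(SAMPLE_ONE).items():
        print(f"{digest[:16]}  x{count}  {kind:<10} {size} bytes")
```

The structure walk does not recover the attachment's display name (that lives in OneNote's property sets), so the classification is by content only; a full parser such as a dedicated OneNote analysis tool should be used for anything beyond first-pass triage.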
Thankfully, when launching OneNote attachments, the program warns you that doing so can harm your computer and data.
But unfortunately, history has shown us that these types of prompts are commonly ignored, and users just click the OK button.
Clicking the OK button will launch the VBS script to download and install malware. As you can see from one of the malicious OneNote VBS files found by BleepingComputer, the script will download and execute two files from a remote server.
The first one shown below is a decoy OneNote document that opens and looks like the document you expected. However, the VBS file will also execute a malicious batch file in the background to install malware on the device.
In malspam emails seen by BleepingComputer, the OneNote files install remote access trojans that include information-stealing functionality.
Cybersecurity researcher James confirmed this, telling BleepingComputer that the OneNote attachments he analyzed installed the AsyncRAT and XWorm remote access trojans.
Protip: If you’re not already blocking .one files at your perimeter/email gateway…it’s time.
— James (@James_inthe_box) January 17, 2023
A OneNote attachment seen by BleepingComputer installs what is detected as the Quasar Remote Access trojan.
Protecting against these threats
Once installed, this type of malware allows threat actors to remotely access a victim’s device to steal files and saved browser passwords, take screenshots, and in some cases even record video using the webcam.
Threat actors also commonly use remote access trojans to steal cryptocurrency wallets from victims’ devices, making this a costly infection.
The best way to protect yourself from malicious attachments is to simply not open files from people you do not know. However, if you mistakenly open a file, do not disregard warnings displayed by the operating system or application.
If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.
If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.