Feb 03, 2023 | Ravie Lakshmanan
In a continuing sign that threat actors are adapting well to a
post-macro world[1], it has emerged that the
use of Microsoft OneNote documents to deliver malware via phishing
attacks is on the rise.
Some of the notable malware families that are being distributed
using this method include AsyncRAT, RedLine Stealer[2], Agent Tesla, DOUBLEBACK[3], Quasar RAT, XWorm,
Qakbot[4], BATLOADER[5], and FormBook[6].
Enterprise security firm Proofpoint said it detected over 50 campaigns
leveraging OneNote attachments in the month of January 2023
alone.
In some instances, the email phishing lures contain a OneNote
file, which, in turn, embeds an HTA file that invokes a PowerShell
script to retrieve a malicious binary from a remote server.
Other scenarios entail the execution of a rogue VBScript that’s
embedded within the OneNote document and concealed behind an image
that appears as a seemingly harmless button. The VBScript, for its
part, is designed to drop a PowerShell script to run
DOUBLEBACK.
“It is important to note, an attack is only successful if the
recipient engages with the attachment, specifically by clicking on
the embedded file and ignoring the warning message displayed by
OneNote,” Proofpoint said[7].
The infection chains are made possible owing to a OneNote
feature that allows for the execution of select file types directly
from within the note-taking application in what’s a case of a
“payload smuggling” attack.
“Most file types that can be processed by MSHTA, WSCRIPT, and
CSCRIPT can be executed from within OneNote,” TrustedSec researcher
Scott Nusbaum said[8]. “These file types
include CHM, HTA, JS, WSF, and VBS.”
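The file types Nusbaum lists reach OneNote as embedded attachments, and in a .one section file every embedded attachment is stored as a FileDataStoreObject: a fixed header GUID, an 8-byte length, 12 bytes of padding, the file bytes, then a fixed footer GUID (as documented in Microsoft's MS-ONESTORE specification). The Python script below is an added example, not code from the article or from Proofpoint, TrustedSec or WithSecure. It walks a .one blob, pulls out each embedded file, and classifies it by magic bytes or script markers so a mail gateway or an analyst can decide whether the attachment belongs in the blocked category. The text markers and the `build_sample()` input are constructed assumptions for illustration, not signatures from any vendor.

```python
"""
Scan a OneNote section (.one) blob for embedded files and flag the types that
OneNote can hand to MSHTA/WSCRIPT/CSCRIPT (HTA, JS, WSF, VBS, CHM) or run directly.
Added example; the heuristics are assumptions, not a vendor's detection logic.
"""
import struct

# Header/footer GUIDs that bracket every embedded file (FileDataStoreObject in
# Microsoft's MS-ONESTORE specification), written little-endian on disk.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_HEADER_SIZE = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# (magic bytes, label, risky). Image types are listed so they are not reported as unknown.
BINARY_MAGICS = [
    (b"MZ", "PE executable", True),
    (b"ITSF", "CHM compiled help", True),
    (b"\x4c\x00\x00\x00", "LNK shortcut", True),
    (b"\x89PNG", "PNG image", False),
    (b"\xff\xd8\xff", "JPEG image", False),
]
# (substring in the first 4 KiB, label, risky). Constructed heuristics for script text.
TEXT_MARKERS = [
    ("<job", "WSF script", True),
    ("hta:application", "HTA application", True),
    ("<script", "HTML/HTA with script", True),
    ("createobject(", "VBScript", True),
    ("activexobject", "JScript", True),
]


def classify(payload: bytes):
    """Return (label, risky) for one embedded payload."""
    for magic, label, risky in BINARY_MAGICS:
        if payload.startswith(magic):
            return label, risky
    text = payload[:4096].decode("latin-1").lower()
    for marker, label, risky in TEXT_MARKERS:
        if marker in text:
            return label, risky
    return "unrecognised", False


def extract_embedded_files(data: bytes):
    """Walk the blob and return one record per FileDataStoreObject found."""
    records, pos = [], 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        if idx + FDSO_HEADER_SIZE > len(data):
            break  # header GUID at the very end of the file: nothing to read
        (cb_length,) = struct.unpack_from("<Q", data, idx + 16)
        start = idx + FDSO_HEADER_SIZE
        end = min(start + cb_length, len(data))  # tolerate a truncated or lying length
        payload = data[start:end]
        # The footer should follow FileData; allow up to 8 bytes of alignment padding.
        footer_ok = data.find(FDSO_FOOTER, end, end + 8 + len(FDSO_FOOTER)) != -1
        label, risky = classify(payload)
        records.append({
            "offset": idx, "size": len(payload), "label": label, "risky": risky,
            "truncated": start + cb_length > len(data), "footer_ok": footer_ok,
        })
        pos = end
    return records


def verdict(data: bytes) -> str:
    """'block' if any embedded file is a script or executable type, else 'allow'."""
    return "block" if any(r["risky"] for r in extract_embedded_files(data)) else "allow"


def make_fdso(payload: bytes) -> bytes:
    """Build one FileDataStoreObject; used here only to construct sample input."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


def build_sample() -> bytes:
    """Constructed .one-like blob: a harmless PNG stub followed by an HTA-style stub."""
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\0" * 16
    hta_stub = b"<html><hta:application id='x'/><script></script></html>"
    return b"\0" * 64 + make_fdso(png_stub) + b"\0" * 32 + make_fdso(hta_stub) + b"\0" * 16


if __name__ == "__main__":
    blob = build_sample()
    for rec in extract_embedded_files(blob):
        print(rec)
    print("verdict:", verdict(blob))
```

Real .one files are compound structures with many other objects between the embedded attachments, which is why the scanner searches for the header GUID rather than parsing the whole file; a length field larger than the remaining data is treated as a truncated record instead of an error, so a deliberately malformed attachment still gets classified.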
As remedial actions, Finnish cybersecurity firm WithSecure is
recommending[9]
users block OneNote mail attachments (.one and .onepkg files) and
keep close tabs on the operations of the OneNote.exe process.
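WithSecure's advice to watch the OneNote.exe process maps directly onto process-creation telemetry: the chains described above (OneNote opens an HTA, the HTA runs PowerShell) appear as a parent-child lineage rooted at OneNote.exe. The script below is an added example, not from the article or WithSecure. It reconstructs ancestry from Sysmon-style event fields (`ProcessGuid`, `ParentProcessGuid`, `Image`, `CommandLine`) and raises an alert whenever a script host or shell descends from OneNote.exe. The event records are constructed sample data, and the watch lists contain the hosts the article names (MSHTA, WSCRIPT, CSCRIPT) plus hh.exe for CHM and the common shells.

```python
"""
Flag script hosts and shells whose process ancestry leads back to OneNote.exe.
Added example; the events are constructed in the Sysmon Event ID 1 field style.
"""
import ntpath

ONENOTE = "onenote.exe"
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "hh.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed telemetry: a benign browser launch and one OneNote -> HTA -> PowerShell chain.
SAMPLE_EVENTS = [
    {"ProcessGuid": "A", "ParentProcessGuid": "X",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": r'"ONENOTE.EXE" C:\Users\user\Downloads\invoice.one'},
    {"ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\open.hta"},
    {"ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\user\AppData\Local\Temp\stage.ps1"},
    {"ProcessGuid": "D", "ParentProcessGuid": "X",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
]


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestry(event: dict, by_guid: dict) -> list:
    """Process names from the event itself up to the oldest ancestor we have seen."""
    chain, cur, seen = [image_name(event["Image"])], event, set()
    while cur.get("ParentProcessGuid") in by_guid and cur["ParentProcessGuid"] not in seen:
        seen.add(cur["ParentProcessGuid"])  # guard against malformed cyclic telemetry
        cur = by_guid[cur["ParentProcessGuid"]]
        chain.append(image_name(cur["Image"]))
    return chain  # child first, root last


def detect(events: list) -> list:
    """Return alerts for script hosts/shells that have OneNote.exe among their ancestors."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for event in events:
        chain = ancestry(event, by_guid)
        name, ancestors = chain[0], chain[1:]
        if ONENOTE not in ancestors:
            continue
        if name in SCRIPT_HOSTS:
            severity = "high"  # exactly the launch path the embedded file types use
        elif name in SHELLS:
            # A shell directly under OneNote is suspicious; one under a script host
            # that is itself under OneNote matches the described HTA -> PowerShell chain.
            severity = "high" if any(a in SCRIPT_HOSTS for a in ancestors) else "medium"
        else:
            continue
        alerts.append({
            "process": name,
            "severity": severity,
            "chain": " -> ".join(reversed(chain)),
            "command_line": event["CommandLine"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Because the rule keys on ancestry rather than on the immediate parent alone, it still fires when an intermediate process (the HTA under mshta.exe) sits between OneNote and the shell, which is the shape of the chains Proofpoint describes. Blocking .one and .onepkg at the gateway remains the primary control; this telemetry check covers the case where an attachment arrives by another route.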
The shift to OneNote is seen as a response to Microsoft’s
decision to disallow macros[10] by default in Microsoft
Office applications downloaded from the internet last year,
prompting threat actors to experiment with uncommon[11] file types[12] such as ISO, VHD, SVG,
CHM, RAR, HTML, and LNK.
The aim behind blocking macros is two-fold: to reduce the attack
surface and to increase the effort required to pull off an attack,
even as email continues to be the top delivery vector[13] for malware.
But these are not the only options that have become a popular
way to conceal malicious code. Microsoft Excel add-in (XLL) files
and Publisher macros have also been put to use as an attack pathway
to skirt Microsoft’s protections and propagate a remote access
trojan called Ekipa RAT[14] and other
backdoors.
The abuse of XLL files hasn’t gone unnoticed by the Windows
maker, which is planning[15] an update to “block XLL
add-ins coming from the internet,” citing an “increasing number of
malware attacks in recent months.” The option is expected to be
available sometime in March 2023.
When reached for comment, Microsoft told The Hacker News that it
had nothing further to share at this time.
“It’s clear to see how cybercriminals leverage new attack
vectors or less-detected means to compromise user devices,”
Bitdefender’s Adrian Miron said[16]. “These campaigns are
likely to proliferate in coming months, with cybercrooks testing
out better or improved angles to compromise victims.”
References
[1] post-macro world (thehackernews.com)
[2] RedLine Stealer (www.rapid7.com)
[3] DOUBLEBACK (www.mandiant.com)
[4] Qakbot (blog.cyble.com)
[5] BATLOADER (blog.cyble.com)
[6] FormBook (www.trustwave.com)
[7] said (www.proofpoint.com)
[8] said (www.trustedsec.com)
[9] recommending (labs.withsecure.com)
[10] disallow macros (thehackernews.com)
[11] uncommon (thehackernews.com)
[12] file types (thehackernews.com)
[13] top delivery vector (threatresearch.ext.hp.com)
[14] Ekipa RAT (thehackernews.com)
[15] planning (www.microsoft.com)
[16] said (www.bitdefender.com)
Read more https://thehackernews.com/2023/02/post-macro-world-sees-rise-in-microsoft.html