For years, threat actors have been hiding macros in emailed Microsoft Office documents as a way to distribute malware. When an unsuspecting employee clicks on the attachment to view the document, the macro runs silently in the background and leads to the infection.
But as Microsoft tightens security around macros, and email gateways look for and flag documents containing macros, threat actors have found a new way to evade detection: abusing Microsoft OneNote’s ability to embed files in order to distribute malware. Unlike Word .docx and Excel .xlsx files, OneNote does not support VBA macros. But malicious OneNote files can still deliver dangerous packages.
In two blogs this week, Trustwave researchers detail how threat actors are abusing OneNote. This is a reminder to infosec leaders that they must ensure their defensive solutions can detect this attack vector, and train employees not to be fooled.
One big problem: OneNote documents don’t include ‘Protected View’ and Mark-of-the-Web (MOTW) protection, Trustwave notes, which potentially increases the risk of exposure to malicious files and makes the format attractive to cybercriminals.
“We have recently observed a significant increase in emails using malicious OneNote attachments, with notorious malware strains also being transferred to this delivery mechanism,” the report said.
OneNote is a note-taking application that is bundled with all versions of Microsoft Office. It is also a standalone app. It allows users to take notes, organize information, and include files such as images, documents, and executables in those notes.
From an end user’s perspective, a malicious OneNote document looks like an attachment.
In one instance of a campaign, Trustwave observed a threat actor sending employees an email claiming to carry an attached PDF product inquiry. [One hint it’s suspicious: it’s addressed to ‘Dear Sir/Madam’.] If the employee clicks on the ‘view document’ button, it launches a hidden executable embedded in the OneNote notebook, disguised with a fake Adobe PDF reader icon.
[As an aside, the embedded file hides its true name from the victim by using a right-to-left override trick so that the file appears to be ‘Orderinvpif.pdf’. With a .pdf extension it wouldn’t appear suspicious. But the real name of the file is ‘Orderinvpdf.pif’.]
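The right-to-left override trick can be caught at the mail gateway or in an attachment triage script by comparing what a file name looks like to what the operating system actually sees. The following is an added example (not code from Trustwave or from this article); the sample file names are constructed, and the bidi rendering is a deliberate simplification that only reverses text after a U+202E, which is enough to expose this trick.

```python
import os

# Unicode bidi override/embedding controls that are invisible in a rendered name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# Extensions Windows executes directly; .pif is the one used in the campaign above.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".ps1", ".hta", ".lnk"}


def displayed_name(name: str) -> str:
    """Approximate what a user sees: everything after a U+202E is rendered
    right-to-left, i.e. reversed. Simplified bidi model (assumption)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    visible_tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + visible_tail[::-1]


def real_extension(name: str) -> str:
    """Extension the OS will act on, ignoring the invisible control characters."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def assess_attachment(name: str) -> dict:
    """Flag names whose displayed extension lies about the real one, or that
    end in an executable extension (covers the skyy.bat.exe double-extension too)."""
    shown = displayed_name(name)
    real_ext = real_extension(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi control character in file name")
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {real_ext}")
    if shown_ext != real_ext:
        reasons.append(f"displayed extension {shown_ext or '(none)'} differs from real {real_ext}")
    return {"displayed": shown, "real_extension": real_ext,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: on disk it is 'Orderinv' + RLO + 'fdp.pif', shown as 'Orderinvfip.pdf'.
    for sample in ("Orderinv\u202efdp.pif", "skyy.bat.exe", "report.pdf"):
        print(repr(sample), assess_attachment(sample))
```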
In this particular instance, the malware leads to the installation of an information stealer, which does a number of things, including capturing the computer’s public IP address, network adapter, browsing history, browser cookies, and stored Wi-Fi passwords.
Another email campaign uses an old scam: a claim that the company owes money on an unpaid invoice, which is attached. The OneNote document contains a ‘Click to view document’ button image. If it is clicked, a batch script hidden behind the image is executed. Note that in order to increase the click rate, threat actors intentionally space copies of the script across the width of the button image, so that wherever the user clicks, the script runs; the script itself, which would look suspicious, stays hidden.
The script copies the PowerShell executable to the current working directory and renames it skyy.bat.exe. It then runs a PowerShell instance with a hidden window and bypasses the execution policy, using the original batch script as input to run further commands.
The ultimate goal is to load AsyncRAT, a .NET-based open-source remote access trojan (RAT) used to gain control of computers and access data remotely. It offers a variety of capabilities, such as keylogging and defense evasion features. Trustwave notes that this is a popular tool of cyber criminals.
Recently, Trustwave has seen threat actors using OneNote to distribute Qakbot malware. The OneNote attachments, which may carry the OneNote icon, disguise themselves as documents from the cloud. Right behind the ‘Open’ button hides an embedded batch file that invokes PowerShell to download an additional payload, which in turn leads to the Qakbot DLL. One of Qakbot’s tools is email thread hijacking, which allows malicious content to be inserted into an existing conversation between two or more people.
A third email campaign described by Trustwave pretends to be a property information notice from a construction company and contains a OneNote document. Again, the executable embedded in OneNote hides behind a ‘click to view document’ button. This time the goal is to install the Remcos RAT.
“The demonstrated range of defense evasion techniques demonstrates how aggressively threat actors are attempting to enhance the effectiveness of their attacks and make them more difficult to detect and analyze,” the report said.