Malicious Microsoft OneNote Attachments Distributing RATs and Malware

Tricking the victims

• As OneNote does not support macros, threat actors insert malicious VBS attachments into a NoteBook that, when double-clicked, will launch the malware.
• Threat actors are hiding the attachments’ file icons in OneNote under a big 'Double click to view file' bar. If a user double-clicks anywhere on the bar, the attachment will be double-clicked to download malware from a remote site and install it.
• When launching OneNote attachments, the program displays a warning that doing so can harm the computer and data. Unfortunately, these types of prompts are commonly ignored, and users just click the OK button.

Malware distribution

• Experts observed that in some malspam emails, the OneNote files install RATs such as AsyncRAT, XWorm, and Quasar with information-stealing functionality.
• These malware can be used to remotely access a victim’s device to steal files and saved browser passwords, take screenshots, cryptocurrency wallets, and in some cases, even install further malware.

Why OneNote?

• Later on, threat actors started using new file formats such as ISO images and password-protected ZIP files.
• These file formats quickly gained popularity aided by a Windows bug that allowed ISOs to bypass security warnings and the popular 7-Zip utility's failure to propagate Mark of the Web (MotW) flags to files extracted from ZIP archives. Both these bugs were also fixed recently.
• Attackers are now using Microsoft OneNote as it is by default installed in all Microsoft Office/365 installations. Even if a Windows user does not use it, it is still available to open the file format.

Security tips