Cyber criminals are using specially crafted phishing emails to infect victims with malware, and they are doing so by trying out a new way of delivering the malicious payload. According to Proofpoint, there has been an increase in attackers attempting to deliver malware using OneNote documents, which are part of the Microsoft 365 office applications suite. OneNote documents are rarely used this way, and attackers are experimenting with them because they bypass threat detection more easily than other attachment types. Data from open-source malware repositories shows that the initial attachments were not detected as malicious by multiple anti-virus engines, so the initial campaigns likely had a high success rate wherever the email itself was not blocked.

Since Microsoft began blocking macros by default in 2022, threat actors have been trying out different tactics, techniques, and procedures, including the use of filetypes such as virtual hard disk, compiled HTML, and now OneNote. The phishing emails, first sent in December 2022 and increasing significantly in January 2023, attempt to deliver one of several malware payloads, such as AsyncRAT, Redline, AgentTesla, and Doubleback, all of which are designed to steal sensitive information from victims, including usernames and passwords.

Proofpoint researchers also noted that a cyber-criminal group they track as TA577 has started to use OneNote in campaigns to deliver Qbot. This group does not use the stolen information itself, but instead sells it to other cyber criminals, including ransomware gangs. Over 60 of these campaigns have been detected so far, and they all share similar characteristics, with emails and file attachments related to topics such as invoices, remittances, shipping, and seasonal themes, such as information on a Christmas bonus.
One of the phishing messages sent to targets in the manufacturing and industrial sectors used attachment names related to machine parts and specifications, showing that considerable research went into crafting the lure. Other OneNote campaigns are more generic and are sent to thousands of potential victims at once. One of these campaigns targeted the education sector with false invoices, while another was more widely spread, claiming to offer a Christmas gift or bonus to thousands of potential victims. In each case, the phishing attack relies on the victim opening the email, opening the OneNote attachment, and clicking on malicious links. Although OneNote does display a warning about suspicious links, users who have received an email crafted specifically to appeal to them - or who think they might be getting a bonus - could try to bypass this warning. Researchers warn that these campaigns have a high rate of success if the emails are not blocked, and that more cyber-threat groups are likely to adopt this technique to deliver phishing and malware campaigns. To protect against these attacks, organizations should use a robust spam filter to stop such messages from reaching people's inboxes, educate end users about this technique, and encourage them to report suspicious emails and attachments.
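Because the lure relies on an unusual attachment type rather than a macro, a mail-gateway or triage check can flag OneNote attachments regardless of the filename they carry. The following is an added example, not code from the article or from Proofpoint: it inspects a constructed sample message and flags attachments by extension, declared MIME type, or the OneNote file header magic, so a OneNote file renamed to .pdf is still caught.

```python
import email
from email import policy
from email.message import EmailMessage

# A OneNote (.one) file begins with the guidFileType header
# {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, stored little-endian on disk.
ONENOTE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
ONENOTE_EXTS = (".one", ".onepkg")
ONENOTE_MIME = {"application/onenote", "application/msonenote"}


def find_onenote_attachments(raw_eml: bytes) -> list[dict]:
    """Return one record per attachment that looks like OneNote, with the reasons it matched."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type().lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(ONENOTE_EXTS):
            reasons.append("extension")
        if ctype in ONENOTE_MIME:
            reasons.append("mime-type")
        if payload.startswith(ONENOTE_MAGIC):  # content check defeats a renamed file
            reasons.append("magic-bytes")
        if reasons:
            hits.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return hits


def build_sample_eml() -> bytes:
    """Constructed sample message (not a real campaign artefact): an invoice-themed lure
    with a OneNote header disguised as a PDF, a harmless PDF, and an honestly named .one file."""
    m = EmailMessage()
    m["From"] = "accounts@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Invoice and remittance"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(ONENOTE_MAGIC + b"\x00" * 64, maintype="application",
                     subtype="octet-stream", filename="invoice.pdf")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="remittance.pdf")
    m.add_attachment(b"constructed body, not a real file", maintype="application",
                     subtype="onenote", filename="notes.one")
    return m.as_bytes()


if __name__ == "__main__":
    for hit in find_onenote_attachments(build_sample_eml()):
        print(hit)
```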
This Cyber News was published on www.zdnet.com. Publication date: Fri, 03 Feb 2023 23:10:03 +0000