Hackers Increasingly Use Microsoft OneNote to Deliver Malware

OneNote documents are increasingly being used by threat actors to send malware to unsuspecting end users via email, according to Proofpoint researchers. The attachments infect victims with remote access malware that can be used to install additional malware, steal passwords, or even access cryptocurrency wallets. Microsoft developed the digital notebook OneNote, which is available via the Microsoft 365 product suite.

"Threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs", Proofpoint researchers said.

After years of employing malicious Word and Excel attachments that start macros to download and install malware, attackers are now utilizing this method to spread malware through emails. Microsoft finally blocked macros by default in Office documents in July, rendering that technique ineffective for spreading malware.

Reports say messages typically contain OneNote file attachments with themes such as invoice, remittance, shipping, and seasonal themes such as Christmas bonus, among other subjects.

"The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When the user double-clicks the embedded file, they will be prompted with a warning. If the user clicks continue, the file will execute", the researchers explain.

Various executables, shortcut files, and script files, such as HTML applications or Windows script files, could be present in the file. In the December campaign, a OneNote attachment contained an HTA file that launches a PowerShell script to download an executable from a URL. These messages were directed at companies in the industrial and manufacturing sectors. Researchers say thousands of messages were sent out as part of other campaigns that made use of invoice and shipment themes, as well as "Christmas bonus" or "Christmas gift" lures that primarily targeted businesses in the education sector and other industries.
"The campaigns continued to use the same TTPs, with hidden embedded files in the OneNote attachment that ultimately lead to the download of a malware payload", the researchers said. "In multiple campaigns, the actors used the legitimate services 'OneNote Gem' and Transfer."

Further, one campaign employing invoice themes and distributing XWorm and AsyncRAT was discovered by researchers. A OneNote attachment in those messages carried a PowerShell script that downloads a batch file from a URL.

"On 19 January 2023, [Proofpoint] observed a low-volume campaign distributing the DOUBLEBACK backdoor. DOUBLEBACK is an in-memory backdoor that can enable host and network reconnaissance, data theft, and follow-on payloads", the researchers said. Messages contained URLs on several domains with a URI ending with /download/[guid]. The actor claimed to have previously contacted the victim and to have uploaded the related files to cloud storage. The template instructed the victim to "Double Click To View File". OneNote would then try to run a VBS file hidden behind the button. The victim would be warned about the security concerns before being allowed to open the attachment; if the victim continued, the VBS would run to completion.

On January 31, 2023, the initial access broker TA577 resumed operation after a one-month absence and delivered Qbot with an attack chain that includes OneNote. Emails with a distinct URL in the email body appeared to reply to earlier conversations. If the victim double-clicked the file and confirmed the security prompt, researchers say JavaScript code was executed that downloads a file from a remote URL and displays a fake error message.

Researchers suspect that several threat actors are attempting to get around threat detections by employing OneNote attachments. An attack can only succeed if the target interacts with the attachment, more precisely if they click on the embedded file and ignore the OneNote warning.
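The embedded files the researchers describe are stored inside a .one section as FileDataStoreObject structures, which a mail gateway or triage script can locate without opening OneNote. The following is an added example for defenders, not code from the article or from Proofpoint: it finds each embedded object by the header GUID defined in the MS-ONE specification, reads its length, and labels the payload by magic bytes or leading text (the markers, labels and the sample bytes are constructed for this example).

```python
import struct

# Header GUID of a FileDataStoreObject, the structure that wraps every file
# embedded in a .one section, in its on-disk byte order (MS-ONE specification).
EMBED_HEADER = bytes.fromhex("e716d3bd65261145a4c48d4d0b7a9eac")
HEADER_LEN = 16 + 8 + 4 + 8      # guidHeader + cbLength + unused + reserved

# Case-insensitive text markers for the script payload types named in the article.
TEXT_MARKERS = [
    (b"<script", "HTA/HTML script"),
    (b"wscript", "Windows script"),
    (b"powershell", "PowerShell"),
    (b"@echo", "batch file"),
]

def classify(payload: bytes) -> str:
    """Label an embedded payload by its magic bytes or leading text."""
    head = payload[:512]
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith(b"L\x00\x00\x00\x01\x14\x02\x00"):   # LNK HeaderSize + CLSID prefix
        return "LNK shortcut"
    low = head.lower()
    for marker, label in TEXT_MARKERS:
        if marker in low:
            return label
    return "unknown"

def scan_onenote(data: bytes) -> list:
    """Return (offset, size, label) for every intact embedded file in a .one blob."""
    found, pos = [], 0
    while (idx := data.find(EMBED_HEADER, pos)) != -1:
        if idx + HEADER_LEN > len(data):            # header itself is truncated
            break
        (length,) = struct.unpack_from("<Q", data, idx + 16)   # cbLength, little-endian
        start = idx + HEADER_LEN
        payload = data[start:start + length]
        if len(payload) == length:                  # skip truncated or bogus lengths
            found.append((idx, length, classify(payload)))
            pos = start + length
        else:
            pos = idx + 16                          # keep scanning past this header
    return found

def embed(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject header (constructed test data only)."""
    return EMBED_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload

SAMPLE_HTA = b'<html><script language="vbscript">MsgBox "constructed sample"</script></html>'
SAMPLE_EXE = b"MZ" + b"\x00" * 62
# Constructed stand-in for a malicious section: filler, the lure string, two embedded objects.
SAMPLE = (b"\x00" * 40 + b"Double Click To View File" + embed(SAMPLE_HTA)
          + b"\x00" * 8 + embed(SAMPLE_EXE) + b"\x00" * 4)

if __name__ == "__main__":
    for off, size, label in scan_onenote(SAMPLE):
        print(f"offset {off:#x}: {size} bytes, {label}")
```

Any hit on an executable or script type inside an inbound .one attachment is worth quarantining for review, since legitimate notebooks rarely embed HTA, WSF or PE files.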
Organisations should inform end users about this tactic and urge them to report suspicious emails and attachments.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 09 Feb 2023 14:23:02 +0000
