Malicious actors keep finding new ways to deliver malware, and the latest vehicle is Microsoft OneNote documents. In January 2023, more than 50 campaigns were observed using this method, distributing notable malware families including AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

The infection chain relies on a OneNote feature that lets a file embedded in a note be launched directly from within the note-taking application. A lure (typically a "double-click to view" button drawn over the embedded attachment) gets the recipient to open it; OneNote displays a warning that opening attachments can harm the computer, and the attack succeeds only if the recipient clicks through that warning. Because OneNote files are not Office documents in the macro sense, the blocking of macros in Office files downloaded from the internet (files carrying the Mark of the Web) does not help here.

That macro blocking is what pushed threat actors toward uncommon container and file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK. Microsoft Excel add-in (XLL) files and Publisher macros have also been used to spread Ekipa RAT and other backdoors, and Microsoft has announced an update that will block XLL add-ins coming from the internet in response to the increase in such attacks in recent months.

Defenders should block .one attachments at the mail gateway where there is no business need for them, and monitor OneNote on endpoints: the embedded file runs as a child of onenote.exe, so onenote.exe spawning cmd.exe, PowerShell, wscript.exe, mshta.exe, or a freshly dropped executable is the signal to alert on.
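As an added example (not code from the article or from The Hacker News), here is a small Python scanner of the kind a mail gateway could run on .one attachments: it locates embedded file objects by the header GUID that the MS-ONESTORE specification defines for a FileDataStoreObject, reads the length field that follows it, and classifies each payload by its content rather than by any file name. The GUIDs and the fixed-field layout come from MS-ONESTORE; the keyword list, the risk categories, and the sample document are constructed for illustration and are not taken from any real campaign.

```python
"""Scan a OneNote (.one) file for embedded file objects and flag the risky ones."""
import re
import struct

# MS-ONESTORE FileDataStoreObject delimiters as they appear on disk (little-endian GUIDs):
#   header {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, footer {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# After the header GUID: cbLength (u64), unused (u32), reserved (u64), then cbLength bytes of FileData.
FDSO_FIXED = struct.Struct("<QIQ")

# Shell link CLSID {00021401-0000-0000-C000-000000000046}, which follows the 4-byte LNK header size.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Constructed keyword list: crude, but enough to catch the usual BAT/VBS/JS droppers.
SCRIPT_RE = re.compile(rb"(?i)(\bWScript\b|\bCreateObject\b|\bpowershell\b|\bmshta\b|@echo off|cmd(\.exe)?\s*/c)")

# Categories that should never ride inside a mailed note (assumption for this example).
RISKY_KINDS = {"pe_executable", "lnk_shortcut", "chm_help", "hta_or_html", "script"}


def classify(payload: bytes) -> str:
    """Content sniffing for an embedded file. The blob carries no extension, so decide on magic bytes."""
    if payload[:2] == b"MZ":
        return "pe_executable"
    if payload[:4] == b"L\x00\x00\x00" and payload[4:20] == LNK_CLSID:
        return "lnk_shortcut"
    if payload[:4] == b"ITSF":
        return "chm_help"
    if payload[:4] == b"PK\x03\x04":
        return "zip_container"
    if payload[:8] == b"\x89PNG\r\n\x1a\n" or payload[:3] == b"\xff\xd8\xff":
        return "image"
    head = payload[:4096].lstrip()
    if re.match(rb"(?i)<(!doctype\s+html|html|hta:|script)", head):
        return "hta_or_html"
    if SCRIPT_RE.search(payload[:8192]):
        return "script"
    return "unknown"


def extract_embedded_files(data: bytes):
    """Return (offset, payload) for every FileDataStoreObject found by scanning for the header GUID.
    Scanning instead of walking the object tree is deliberate: it still works on truncated or
    deliberately malformed files, which is what a gateway sees."""
    found = []
    pos = 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        fixed_at = idx + len(FDSO_HEADER)
        if fixed_at + FDSO_FIXED.size > len(data):
            break
        cb_length, _unused, _reserved = FDSO_FIXED.unpack_from(data, fixed_at)
        start = fixed_at + FDSO_FIXED.size
        end = min(start + cb_length, len(data))  # clamp an oversized length instead of trusting it
        found.append((idx, data[start:end]))
        pos = end
    return found


def scan(data: bytes):
    """Return ('quarantine' | 'allow', per-object report) for one .one file."""
    report = [{"offset": off, "size": len(p), "kind": classify(p)} for off, p in extract_embedded_files(data)]
    verdict = "quarantine" if any(r["kind"] in RISKY_KINDS for r in report) else "allow"
    return verdict, report


def build_fdso(payload: bytes) -> bytes:
    """Serialize one FileDataStoreObject; used only to construct the sample below."""
    return FDSO_HEADER + FDSO_FIXED.pack(len(payload), 0, 0) + payload + FDSO_FOOTER


# Constructed sample: not a real OneNote document, just three embedded-file objects between filler
# bytes, which is all this scanner looks at.
SAMPLE = (
    b"\x00" * 64
    + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # harmless picture (the lure image)
    + b"\xff" * 16
    + build_fdso(b"<html><script>new ActiveXObject('WScript.Shell').Run('calc');</script></html>")  # HTA-style lure
    + build_fdso(b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40)  # PE stub
)

if __name__ == "__main__":
    verdict, report = scan(SAMPLE)
    for r in report:
        print(f"offset={r['offset']:#x} size={r['size']} kind={r['kind']}")
    print("verdict:", verdict)
```

Run it on a real attachment with `scan(open(path, "rb").read())`. Two design points matter in practice: the scanner clamps the declared length rather than trusting it, so a crafted cbLength cannot make it read past the buffer or skip later objects, and a payload that is merely "unknown" is reported but not blocked, so a policy that wants a stricter stance can simply add "unknown" to RISKY_KINDS.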
This Cyber News was published on thehackernews.com. Publication date: Fri, 03 Feb 2023 15:41:03 +0000