In
a
continuing
sign
that
threat
actors
are
adapting
well
to
a
post-macro
world,
it
has
emerged
that
the
use
of
Microsoft
OneNote
documents
to
deliver
malware
via
phishing
attacks
is
on
the
rise.
Some
of
the
notable
malware
families
that
are
being
distributed
using
this
method
include
AsyncRAT,
RedLine
Stealer,
Agent
Tesla,
DOUBLEBACK,
Quasar
RAT,
XWorm,
Qakbot,
BATLOADER,
and
FormBook.
Enterprise
firm
Proofpoint
said
it
detected
over
50
campaigns
leveraging
OneNote
attachments
in
the
month
of
January
2023
alone.
In
some
instances,
the
email
phishing
lures
contain
a
OneNote
file,
which,
in
turn,
embeds
an
HTA
file
that
invokes
a
PowerShell
script
to
retrieve
a
malicious
binary
from
a
remote
server.
Other
scenarios
entail
the
execution
of
a
rogue
VBScript
that’s
embedded
within
the
OneNote
document
and
concealed
behind
an
image
that
appears
as
a
seemingly
harmless
button.
The
VBScript,
for
its
part,
is
designed
to
drop
a
PowerShell
script
to
run
DOUBLEBACK.
“It
is
important
to
note,
an
attack
is
only
successful
if
the
recipient
engages
with
the
attachment,
specifically
by
clicking
on
the
embedded
file
and
ignoring
the
warning
message
displayed
by
OneNote,”
Proofpoint
said.
The
infection
chains
are
made
possible
owing
to
a
OneNote
feature
that
allows
for
the
execution
of
select
file
types
directly
from
within
the
note-taking
application
in
what’s
a
case
of
a
“payload
smuggling”
attack.
“Most
file
types
that
can
be
processed
by
MSHTA,
WSCRIPT,
and
CSCRIPT
can
be
executed
from
within
OneNote,”
TrustedSec
researcher
Scott
Nusbaum
said.
“These
file
types
include
CHM,
HTA,
JS,
WSF,
and
VBS.”
As
remedial
actions,
Finnish
cybersecurity
firm
WithSecure
is
recommending
users
block
OneNote
mail
attachments
(.one
and
.onepkg
files)
and
keep
close
tabs
on
the
operations
of
the
OneNote.exe
process.
The
shift
to
OneNote
is
seen
as
a
response
to
Microsoft’s
decision
to
disallow
macros
by
default
in
Microsoft
Office
applications
downloaded
from
the
internet
last
year,
prompting
threat
actors
to
experiment
with
uncommon
file
types
such
as
ISO,
VHD,
SVG,
CHM,
RAR,
HTML,
and
LNK.
The
aim
behind
blocking
macros
is
two-fold:
To
not
only
reduce
the
attack
surface
but
also
increase
the
effort
required
to
pull
off
an
attack,
even
as
email
continues
to
be
the
top
delivery
vector
for
malware.
But
these
are
not
the
only
options
that
have
become
a
popular
way
to
conceal
malicious
code.
Microsoft
Excel
add-in
(XLL)
files
and
Publisher
macros
have
also
been
put
to
use
as
an
attack
pathway
to
skirt
Microsoft’s
protections
and
propagate
a
remote
access
trojan
called
Ekipa
RAT
and
other
backdoors.
The
abuse
of
XLL
files
hasn’t
gone
unnoticed
by
the
Windows
maker,
which
is
planning
an
update
to
“block
XLL
add-ins
coming
from
the
internet,”
citing
an
“increasing
number
of
malware
attacks
in
recent
months.”
The
option
is
expected
to
be
available
sometime
in
March
2023.
When
reached
for
comment,
Microsoft
told
The
Hacker
News
that
it
had
nothing
further
to
share
at
this
time.
“It’s
clear
to
see
how
cybercriminals
leverage
new
attack
vectors
or
less-detected
means
to
compromise
user
devices,”
Bitdefender’s
Adrian
Miron
said.
“These
campaigns
are
likely
to
proliferate
in
coming
months,
with
cybercrooks
testing
out
better
or
improved
angles
to
compromise
victims.”
this
article
interesting?
Follow
us
on
and
to
read
more
exclusive
content
we
post.
About Author
