
Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

by crpt os


Feb 03, 2023 | Ravie Lakshmanan | Attack Vector / Endpoint Security

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Enterprise security firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.

Other scenarios entail the execution of a rogue VBScript that’s embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK.

“It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote,” Proofpoint said.

The infection chains are made possible owing to a OneNote feature that allows for the execution of select file types directly from within the note-taking application in what’s a case of a “payload smuggling” attack.

“Most file types that can be processed by MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote,” TrustedSec researcher Scott Nusbaum said. “These file types include CHM, HTA, JS, WSF, and VBS.”
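The infection chains described above (an HTA or VBScript embedded in the note and launched by a click) and the list of file types OneNote will hand to MSHTA, WSCRIPT or CSCRIPT both come down to the same static artefact: an embedded file object inside the .one container. The scanner below is an added example written for this page, not code from Proofpoint, TrustedSec or the article's author. It assumes the FileDataStoreObject layout from Microsoft's [MS-ONESTORE] specification (a fixed header GUID, an 8-byte length, 12 bytes of padding, the file bytes, then a footer GUID), carves every embedded file out of a .one blob and applies simple content heuristics to flag script-type payloads; the sample blob it runs on is constructed inline, and .onepkg packages (a different container) are out of scope.

```python
import re
import struct

# FileDataStoreObject layout per [MS-ONESTORE] (assumption: unchanged in current OneNote):
#   guidHeader (16 bytes) = {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, stored little-endian
#   cbLength   (8 bytes, little-endian unsigned)
#   unused     (4 bytes) + reserved (8 bytes)
#   FileData   (cbLength bytes)
#   guidFooter (16 bytes) = {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_FIXED_AFTER_GUID = 8 + 4 + 8  # cbLength + unused + reserved

# Payload classes a OneNote click would pass to an interpreter (from the article's list).
SCRIPT_TYPES = {"hta", "vbs_or_js", "wsf", "chm", "pe"}


def extract_embedded_files(data: bytes):
    """Return [(offset, payload_bytes)] for every FileDataStoreObject in a .one blob."""
    found = []
    pos = 0
    while True:
        idx = data.find(FDSO_HEADER, pos)
        if idx < 0:
            break
        length_at = idx + len(FDSO_HEADER)
        if length_at + FDSO_FIXED_AFTER_GUID > len(data):
            break  # header straddles end of file: nothing usable
        (cb_length,) = struct.unpack_from("<Q", data, length_at)
        start = length_at + FDSO_FIXED_AFTER_GUID
        end = start + cb_length
        if end > len(data):
            found.append((idx, data[start:]))  # truncated object: keep what is there
            break
        found.append((idx, data[start:end]))
        pos = end
    return found


def classify_payload(payload: bytes) -> str:
    """Cheap content heuristics; a real pipeline would hand the bytes to a file-type engine."""
    head = payload[:4096]
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"ITSF"):
        return "chm"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff"):
        return "image"
    text = head.decode("latin-1").lower()
    if "<hta:application" in text:
        return "hta"
    if "<job" in text and "<script" in text:
        return "wsf"
    if re.search(r"\b(createobject|wscript\.shell|activexobject)\b", text):
        return "vbs_or_js"
    return "unknown"


def scan_one_blob(data: bytes):
    """Summarise every embedded file and whether its type is one OneNote would execute."""
    report = []
    for offset, payload in extract_embedded_files(data):
        kind = classify_payload(payload)
        report.append({"offset": offset, "size": len(payload),
                       "type": kind, "suspicious": kind in SCRIPT_TYPES})
    return report


def build_fdso(payload: bytes) -> bytes:
    """Constructed test helper: wrap bytes in a FileDataStoreObject (not a full valid .one file)."""
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + FDSO_FOOTER)


# Constructed sample: filler, one benign PNG stub, one harmless HTA that only pops a message box.
SAMPLE_HTA = (b'<html><head><hta:application id="demo"/>'
              b'<script language="VBScript">MsgBox "hello"</script></head></html>')
SAMPLE_ONE = (b"\x00" * 64 + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
              + b"\x00" * 32 + build_fdso(SAMPLE_HTA) + b"\x00" * 8)

if __name__ == "__main__":
    for entry in scan_one_blob(SAMPLE_ONE):
        print(entry)
```

Run against real samples the scanner is a triage aid, not a verdict: it tells an analyst which embedded objects deserve detonation, and the "unknown" class is where a more capable file-type engine should take over.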


As remedial actions, Finnish cybersecurity firm WithSecure is recommending users block OneNote mail attachments (.one and .onepkg files) and keep close tabs on the operations of the OneNote.exe process.
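"Keep close tabs on the OneNote.exe process" becomes concrete as a parent-child rule over process-creation telemetry: OneNote has no normal reason to spawn the script hosts named earlier in the article. The function below is an added example, not WithSecure's or the article author's code; it assumes Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine) and runs over a handful of constructed events, flagging any interpreter whose parent is onenote.exe and attaching the reason so a SOC can triage the alert.

```python
import ntpath

# Interpreters the article names (MSHTA, WSCRIPT, CSCRIPT) plus the PowerShell stage the
# chains hand off to; a Windows shell is included because it is the usual intermediate hop.
SUSPICIOUS_CHILDREN = {
    "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
}
MONITORED_PARENT = "onenote.exe"


def _basename(image_path: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return ntpath.basename(image_path).lower()


def find_onenote_spawned_interpreters(events):
    """Return alert dicts for process-creation events where OneNote launched a script host.

    Each event is a dict with at least Image, ParentImage and CommandLine (Sysmon EID 1 names,
    assumed here; map your own EDR's fields onto these before calling).
    """
    alerts = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent != MONITORED_PARENT or child not in SUSPICIOUS_CHILDREN:
            continue
        cmdline = ev.get("CommandLine", "")
        # Files OneNote extracts on click land under the user's temp path; note it when seen.
        from_temp = "\\temp\\" in cmdline.lower() or "\\onenote\\" in cmdline.lower()
        alerts.append({
            "pid": ev.get("ProcessId"),
            "child": child,
            "reason": f"{MONITORED_PARENT} spawned {child}"
                      + (" with a temp-path argument" if from_temp else ""),
            "command_line": cmdline,
        })
    return alerts


# Constructed sample telemetry (not real logs): one benign OneNote child, two that should alert,
# and one mshta launch with a different parent that must not alert.
SAMPLE_EVENTS = [
    {"ProcessId": 4011, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE",
     "CommandLine": "ONENOTEM.EXE /tsr"},
    {"ProcessId": 4020, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\example.hta"'},
    {"ProcessId": 4033, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe example.vbs'},
    {"ProcessId": 4040, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe C:\Tools\dashboard.hta'},
]

if __name__ == "__main__":
    for alert in find_onenote_spawned_interpreters(SAMPLE_EVENTS):
        print(alert)
```

The same logic ports directly to a Sigma rule (ParentImage endswith onenote.exe, Image endswith one of the listed names); keeping it in code here makes the edge cases visible, such as the legitimate ONENOTEM.EXE helper that shares the parent and must not fire.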

The shift to OneNote is seen as a response to Microsoft’s decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK.

The aim behind blocking macros is two-fold: to reduce the attack surface and to increase the effort required to pull off an attack, even as email continues to be the top delivery vector for malware.

But these are not the only options that have become a popular way to conceal malicious code. Microsoft Excel add-in (XLL) files and Publisher macros have also been put to use as an attack pathway to skirt Microsoft’s protections and propagate a remote access trojan called Ekipa RAT and other backdoors.

The abuse of XLL files hasn’t gone unnoticed by the Windows maker, which is planning an update to “block XLL add-ins coming from the internet,” citing an “increasing number of malware attacks in recent months.” The option is expected to be available sometime in March 2023.

When reached for comment, Microsoft told The Hacker News that it had nothing further to share at this time.

“It’s clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices,” Bitdefender’s Adrian Miron said. “These campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims.”
