
OneNote Malware

Threat actors are using Microsoft OneNote attachments in phishing emails to spread malware. These unsafe attachments carry remote access malware that can be used to install additional harmful payloads or collect passwords. For years, attackers have been sending weaponized Word and Excel documents via email, relying on macros to download and install the malware. However, Microsoft's decision to automatically block macros in MS Office documents has likely caused the hackers to shift to abusing OneNote instead. Now, they take documents in the legitimate OneNote format and embed harmful content in them; when a user interacts with that content, it triggers the download and installation of the malware.

Threatening Payloads Spread through Trojanized OneNote Files

The OneNote files carrying malware are commonly spread through spam campaigns, either as attachments or via download links. Two malware threats observed being delivered this way are the Qakbot banking Trojan and the RedLine Stealer. Qakbot targets finance-related information and could initiate chain infections, while the RedLine Stealer is designed to extract sensitive data from infected devices.

The spam emails used to distribute these compromised OneNote files are generally impersonal, with only some of them mentioning the recipient's last name in the subject line. The OneNote files contain an HTML application (HTA file) embedded within them, which, when clicked, abuses a legitimate application to download and install the malware threat. It should be pointed out that the delivered payload could vary based on the specific goals of the threat actors. Another notable fact is that for the infection chain to begin, the user must open the delivered OneNote document and interact with the embedded content.
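Because the infection chain depends on a file object embedded inside the OneNote document, a defender can triage suspicious .one attachments offline by pulling those embedded objects out and checking what they are before anyone opens the file. The following is an added example, not code from the original entry or from any vendor: it scans a byte blob for the FileDataStoreObject records that Microsoft's MS-ONESTORE specification uses to store embedded files (header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, footer GUID {71FBA722-0F79-4A0B-BB13-899256426B24}), extracts each object, and flags script hosts such as HTA files and executables. The sample document, the classification categories and the helper names are constructed for this example; a real file would be read from disk with the same extract_embedded_objects() call.

```python
import struct
from dataclasses import dataclass

# FileDataStoreObject markers from the MS-ONESTORE specification, written in
# the little-endian byte order in which they appear on disk.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
# Fixed prefix: guidHeader (16) + cbLength (8) + unused (4) + reserved (8).
FDSO_PREFIX_LEN = 36


@dataclass
class EmbeddedObject:
    offset: int   # byte offset of the record header in the document
    size: int     # cbLength: number of bytes of embedded file data
    kind: str     # constructed category label, see classify()
    risky: bool   # True for object types that can execute code when opened
    data: bytes   # the embedded file itself


def classify(data: bytes) -> tuple[str, bool]:
    """Identify an embedded object by magic bytes or markup (constructed categories)."""
    head = data[:4096]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "pe-executable", True
    if head.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole-compound-document", True   # legacy Office container, may carry macros
    if head.startswith(b"\x89PNG"):
        return "png-image", False
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg-image", False
    if head.startswith(b"%PDF"):
        return "pdf", False
    if b"<hta:application" in low or b"<script" in low:
        return "hta-or-html-script", True      # HTML Application / scripted HTML
    return "unknown", False


def extract_embedded_objects(blob: bytes) -> list[EmbeddedObject]:
    """Walk every FileDataStoreObject record and return the embedded files."""
    objects: list[EmbeddedObject] = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_PREFIX_LEN > len(blob):
            break
        (size,) = struct.unpack_from("<Q", blob, pos + 16)   # cbLength
        start = pos + FDSO_PREFIX_LEN
        end = start + size
        # The footer GUID must directly follow the data; otherwise this header
        # hit is a false positive or the file is truncated, so skip it.
        if end + 16 <= len(blob) and blob[end:end + 16] == FDSO_FOOTER:
            data = blob[start:end]
            kind, risky = classify(data)
            objects.append(EmbeddedObject(pos, size, kind, risky, data))
            pos = blob.find(FDSO_HEADER, end + 16)
        else:
            pos = blob.find(FDSO_HEADER, pos + 1)
    return objects


def triage(blob: bytes) -> dict:
    """Summarise a document: how many embedded objects, and which ones are risky."""
    objs = extract_embedded_objects(blob)
    return {"embedded_count": len(objs), "risky": [o.kind for o in objs if o.risky]}


def build_fdso(data: bytes) -> bytes:
    """Wrap data in a FileDataStoreObject record (used only to construct the sample)."""
    return (FDSO_HEADER + struct.pack("<Q", len(data))
            + b"\0" * 4 + b"\0" * 8 + data + FDSO_FOOTER)


# Constructed sample: a minimal PNG header and a placeholder HTA shell with no
# payload, embedded in filler bytes the way two attachments would sit in a .one file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
SAMPLE_HTA = (b'<html><head><hta:application id="app"></head>'
              b"<body><script>/* constructed placeholder, no payload */</script></body></html>")
SAMPLE_ONE = (b"\0" * 64 + build_fdso(SAMPLE_PNG) + b"\0" * 16
              + build_fdso(SAMPLE_HTA) + b"\0" * 8)

if __name__ == "__main__":
    for obj in extract_embedded_objects(SAMPLE_ONE):
        print(f"offset={obj.offset} size={obj.size} kind={obj.kind} risky={obj.risky}")
    print(triage(SAMPLE_ONE))
```

The footer check is what keeps the scan honest on real-world files: a bare header-GUID search will also match the GUID inside a nested .one document or inside garbage, while requiring the footer at header + 36 + cbLength confirms a well-formed record. In a mail gateway or sandbox, any attachment whose triage() result lists a risky kind is a candidate for quarantine regardless of what the lure text inside the page says.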

Use Caution when Dealing with Unknown Emails and Files

Since OneNote files have become a popular vehicle for malicious actors because unsafe content can be embedded in them, users must be extra careful. Cybercriminals typically use social engineering tactics to trick unsuspecting victims into clicking the embedded content, such as fake buttons that appear to download the file from cloud storage or a 'Double Click To View File' prompt. If successful, this could lead to the delivery of any malware type, depending on the capabilities of the program and the intentions of the attackers. As such, users must be aware of these potential threats and take steps to protect themselves against them.
