Threat actors are increasingly using OneNote documents to deliver malware as Microsoft makes it difficult for them to use other Office documents by blocking macros by default.
Now, hackers are experimenting with other file types, including virtual hard disk, compiled HTML and OneNote files, according to new research from enterprise security software company Proofpoint.
The Sunnyvale, Calif.-based firm says in a new blog that its researchers have noticed an increase in the use of OneNote documents to deliver malware via email to end users. Proofpoint researchers say that in December they observed six campaigns using OneNote attachments to deliver AsyncRAT malware. In January, Proofpoint observed more than 50 OneNote campaigns with different malware payloads, including AsyncRAT, Redline, AgentTesla and DOUBLEBACK.
The use of OneNote to deliver malware, Proofpoint writes, is unusual. However, it comes as Microsoft continues to take steps to prevent its tools from being used for malicious purposes, such as blocking Office macros by default. Now, attackers are experimenting with different attachment types. Proofpoint came to a similar conclusion in July 2022, saying attackers were already experimenting with other file types when Microsoft first announced the move.
“The technique may be effective for now,” Proofpoint researchers wrote in the Feb. 1 blog. “At the time of analysis, multiple OneNote malware samples observed by Proofpoint were not detected by numerous anti-virus vendors on VirusTotal. Proofpoint continues to assess these activity clusters and does not attribute them to a tracked threat actor.”
The company says malware campaigns leveraging OneNote share similar characteristics, such as unique messages to deliver malware and the lack of thread hijacking. Messages typically contain OneNote attachments with themes such as invoice, remittance, shipping and seasonal themes including Christmas bonuses.
One group, TA577, a cybercrime group tracked by Proofpoint since 2020 that delivers payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif and Cobalt Strike, has been conducting similar campaigns using OneNote since late January.
According to Proofpoint, OneNote documents used maliciously contain embedded files, which are often hidden behind a graphic that looks like a button. When a user double-clicks the embedded file, they are prompted with a warning. If the user clicks “continue,” the file executes.
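Because the lure depends on files embedded inside the OneNote document, a defender's first triage step is to enumerate those embedded objects without opening the file. The following is an added example (not code from the article or from Proofpoint) that walks a `.one` blob for FileDataStoreObject structures; it assumes the header and footer GUIDs and the 36-byte header layout documented in the MS-ONESTORE specification, and the sample input is constructed inline.

```python
import struct

# FileDataStoreObject header/footer GUIDs as they appear on disk (assumed from
# the MS-ONESTORE spec, not from the article): guidHeader, then cbLength (8 bytes),
# unused (4), reserved (8), the embedded FileData, then guidFooter.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")

def classify_payload(data: bytes) -> str:
    """Coarse payload type from magic bytes; the script check is a heuristic."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data[:4] == b"\xd0\xcf\x11\xe0":
        return "ole-compound"
    head = data[:512].lower()
    if any(kw in head for kw in (b"wscript", b"powershell", b"@echo", b"createobject")):
        return "script"
    return "unknown"

def extract_embedded_files(blob: bytes) -> list:
    """Return one dict per embedded object: offset, declared length, footer check, type."""
    results, pos = [], blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + 36 > len(blob):  # truncated header, nothing more to parse
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start, end = pos + 36, pos + 36 + length
        # A footer that is not where cbLength says it should be suggests a
        # truncated or tampered object and is itself worth flagging.
        footer_ok = blob[end:end + 16] == FDSO_FOOTER
        results.append({"offset": pos, "length": length, "footer_ok": footer_ok,
                        "type": classify_payload(blob[start:end])})
        # Skip past the whole object so a GUID inside the payload is not re-matched.
        pos = blob.find(FDSO_HEADER, end + 16 if footer_ok else pos + 16)
    return results

def suspicious_objects(blob: bytes) -> list:
    """Embedded objects an analyst should look at: executable/script content or a bad footer."""
    return [o for o in extract_embedded_files(blob)
            if o["type"] != "unknown" or not o["footer_ok"]]

def build_fdso(payload: bytes) -> bytes:
    """Wrap payload in a FileDataStoreObject (used only to build the constructed sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER

# Constructed sample: filler bytes, a fake PE stub, more filler, a fake batch script.
SAMPLE = (b"\x00" * 64 + build_fdso(b"MZ\x90\x00" + b"\x00" * 28)
          + b"\xff" * 32 + build_fdso(b"@echo off\r\necho hello\r\n"))
```

Run `suspicious_objects(SAMPLE)` to see both constructed objects flagged; on a real attachment, a non-empty result is a reason to detonate in a sandbox rather than open the file.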
These malicious OneNote attacks have increased significantly between December 2022 and the end of January 2023. While the company only saw OneNote campaigns deliver AsyncRAT in December, researchers saw seven other malware payloads distributed via OneNote attachments last month, with targets located globally, including in North America and Europe.
Multiple threat actors are believed to be using the OneNote attachment tactic in an attempt to bypass threat detections, and more sophisticated actors may begin using OneNote attachments soon, Proofpoint concludes.
TA577’s adoption of OneNote is particularly worrisome, as the group is an initial access broker that facilitates follow-on infections with additional malware, including ransomware, Proofpoint researchers say.
“Based on data in open-source malware repositories, initially observed attachments were not detected as malicious by multiple anti-virus engines, thus it is likely initial campaigns had a high efficacy rate if the email was not blocked,” the company says, noting that its own customers were protected since Proofpoint detected the malicious emails. “It is likely more threat actors will adopt OneNote attachments to deliver malware.”