Security researchers and Nuspire’s Threat Intelligence Team have recently identified an increase in threat actors’ use of Microsoft OneNote to deliver info-stealing remote access trojans (RATs). Here’s what you need to know.
The researchers analyzed a phishing campaign in which attackers sent emails with various tricks, including invoices, shipping notifications and mechanical sketches. The OneNote attachments contain Visual Basic Script (VBS) files, obscured behind a large “Double Click to View” button, and when clicked, will retrieve two files from a command and control (C2) server.
The first file was determined to be a decoy OneNote file, and the second was a malicious batch file that deployed any one of the following infostealer RAT variants: AsyncRAT, XWorm, QuasarRAT and Formbook. The RAT variants can harvest sensitive data like passwords, keystrokes, session cookies or even cryptocurrency wallets. Additionally, they can be used to deploy further malicious files, such as ransomware.
That’s correct. Historically, adversaries would insert Microsoft Word and Excel files with macros, which allowed malware to persist on victim devices. Microsoft banned the use of macros in Microsoft Office documents in mid-2022, which greatly impeded attackers’ ability to spread malware.
After Microsoft moved to block macros by default on Office documents, threat actors had to shift tactics. This type of campaign, where actors use trojanized OneNote files to distribute malware, is relatively new. However, it’s important to remember the core tactics remain the same: socially engineer the end user to interact with the malicious file.
Nuspire actively threat hunts for indications of compromise and has detection rules in place to help identify this type of activity in client environments.
While the methods are changing, threat actors’ core tactics still remain the same. Organizations should perform the following the help protect their environment from OneNote-based attacks: