Microsoft OneNote Attachments Increasingly Used to Deliver Infostealer RATs

Security researchers and Nuspire’s Threat Intelligence Team have recently identified an increase in threat actors’ use of Microsoft OneNote to deliver info-stealing remote access trojans (RATs). Here’s what you need to know.

What’s going on with Microsoft OneNote?

The researchers analyzed a phishing campaign in which attackers sent emails with various tricks, including invoices, shipping notifications and mechanical sketches. The OneNote attachments contain Visual Basic Script (VBS) files, obscured behind a large “Double Click to View” button, and when clicked, will retrieve two files from a command and control (C2) server.

The first file was determined to be a decoy OneNote file, and the second was a malicious batch file that deployed any one of the following infostealer RAT variants: AsyncRAT, XWorm, QuasarRAT and Formbook. The RAT variants can harvest sensitive data like passwords, keystrokes, session cookies or even cryptocurrency wallets. Additionally, they can be used to deploy further malicious files, such as ransomware.

Wait – didn’t Microsoft ban the use of VBA macros in Office documents?

That’s correct. Historically, adversaries would insert Microsoft Word and Excel files with macros, which allowed malware to persist on victim devices. Microsoft banned the use of macros in Microsoft Office documents in mid-2022, which greatly impeded attackers’ ability to spread malware.

After Microsoft moved to block macros by default on Office documents, threat actors had to shift tactics. This type of campaign, where actors use trojanized OneNote files to distribute malware, is relatively new. However, it’s important to remember the core tactics remain the same: socially engineer the end user to interact with the malicious file.

What is Nuspire doing?

Nuspire actively threat hunts for indications of compromise and has detection rules in place to help identify this type of activity in client environments.

What should I do?

While the methods are changing, threat actors’ core tactics still remain the same. Organizations should perform the following the help protect their environment from OneNote-based attacks:

  • Continue to provide cybersecurity awareness training with a focus on phishing. Inform users to be cautious around Microsoft Office files, especially OneNote files.
  • If OneNote is not used within your environment, consider blocking .one files at your email firewall to help prevent them from reaching end users.

Have you registered for our next event?