OneNote documents spread malware in several countries

A new phishing campaign is using OneNote documents to infect computers with the notorious AsyncRAT malware, targeting users in the UK, Canada and the US


When Microsoft decided to change the default setting of its Office products to block macros in files downloaded from the Internet, cybercriminals saw one of their favorite infection methods disappear.

Some cybercriminals have already found workarounds that keep abusing other Microsoft Office products, for example the misuse of Excel's XLL add-in files. Others have found a further way to continue abusing Microsoft products to infect computers with malware: infected OneNote documents.


Phishing attacks deliver AsyncRAT malware

A new Bitdefender study uncovers a phishing campaign that abuses OneNote to infect computers with malware. In this attack campaign, cybercriminals posed as Ultramar, a Canadian gas and fuel distributor, and sent phishing emails claiming to be from the company (Figure A).

Figure A

Phishing email impersonating Canadian company Ultramar. Image: Bitdefender.

As can be seen in Figure A, the email contains text in English and French and, most importantly, an attached file named – with the .one file extension that indicates a OneNote file.

A second similar phishing campaign hit Canada, the UK and the US with a different attachment filename,

Once opened, the payloads triggered by these OneNote documents were downloaded from the websites of a Catholic church in Canada and a digital services provider in India. Both sites were either compromised by the attackers themselves or possibly bought online from an Initial Access Broker (IAB), and were then used to host the malware. This is a common technique cybercriminals use to avoid detection for long periods: hosting malicious code on a legitimate website that reputation-based filters are unlikely to block.

In the end, users who opened the OneNote documents were infected with AsyncRAT, which Bitdefender describes as “a sophisticated remote access tool that allows an attacker to stealthily infiltrate the target device’s devices”.

What is AsyncRAT?

AsyncRAT source code has been freely available on the web since 2019, which means the original version is recognized by most security solutions, if not all. However, it also means that developers can use AsyncRAT’s source code and modify it to add or remove features or make it less recognizable.

Currently, this malware is capable of recording screens, capturing keystrokes, manipulating files on the system, executing code or launching distributed denial of service attacks. This means it can be used for a variety of purposes.

It has already been used by cyber espionage threat actors as well as for financially motivated goals. Once a computer is infected with AsyncRAT, the attacker can see it in the tool's management panel and act on it as needed (Figure B). Multiple infected computers can be managed from the same interface.

Figure B

AsyncRAT admin panel. Image: GitHub.

More attacks in the wild

Bitdefender researchers are not the only ones who have studied this new use of OneNote. In December 2022, Trustwave also reported on phishing campaigns abusing OneNote attachments, this time to deliver the Formbook malware, a common information stealer capable of stealing passwords, taking screenshots, executing code and more.

“It’s clear to see how cybercriminals are using new attack vectors or lesser-known methods to compromise user devices,” said Adrian Miron, manager at Bitdefender’s Cyber Threat Intelligence Lab. “These campaigns are likely to proliferate in the coming months, with cybercriminals trying better or improved angles to compromise victims.”

How to protect yourself from this threat?

Businesses that don’t use OneNote should block attachments with the .one extension on their email servers. This prevents internal users from accidentally opening infected files on corporate devices. Instead, employees should request files in a different format, such as .doc or .xlsx, to avoid potential exposure. As a more extreme step, these companies could prevent employees from downloading or using OneNote on company devices and systems, but this is not recommended, as some employees may currently depend on the tool.

Malicious OneNote files mostly rely on files attached inside the document. When a user opens one of these attachments, OneNote displays a warning that the computer and its data could be damaged. However, experience has shown that users often ignore these warnings and simply click through to proceed. Organizations can reduce the risk of these threats by:

  • Raising awareness of potentially harmful files and links among all employees.
  • Establishing policies and training on how to respond to warnings about malicious files or links.
  • Deploying security solutions that detect malicious code when it is triggered by a OneNote file or other threats.
  • Updating and patching all systems and software to avoid being compromised by a known vulnerability.
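The two recommendations above that a mail team can automate are blocking .one attachments at the gateway and inspecting the files embedded inside a OneNote document before a user clicks through the warning. The following added example (my code, not Bitdefender's or TechRepublic's) does both on a constructed sample message: it pulls every .one attachment out of an e-mail, locates the embedded-file containers inside it, and reports a rough type for each one (PE executable, script, PDF, unknown). The container header and footer GUIDs are taken from the FileDataStoreObject structure in Microsoft's MS-ONESTORE specification; the sample .one blob is a constructed stand-in that only contains those containers, not a complete OneNote file, and the content heuristics in `classify` are my own triage shortcuts.

```python
"""Mail-gateway triage for OneNote attachments (added example, not the article's code).

Assumptions (mine, not from the article):
  * FileDataStoreObject GUIDs as documented in MS-ONESTORE.
  * The e-mail and the .one blob below are constructed so the script runs offline.
"""
from __future__ import annotations

import email
import email.policy
import struct
import uuid
from email.message import EmailMessage

# MS-ONESTORE FileDataStoreObject header/footer GUIDs, stored little-endian on disk.
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le

# Extensions the gateway policy treats as blocked (per the article: .one when OneNote is unused).
BLOCKED_EXTENSIONS = (".one",)


def embedded_files(one_bytes: bytes) -> list[bytes]:
    """Return the raw payload of every FileDataStoreObject found in a .one blob."""
    out: list[bytes] = []
    pos = 0
    while True:
        pos = one_bytes.find(FDSO_HEADER, pos)
        if pos < 0:
            break
        # Layout: guidHeader(16) + cbLength(8, u64 LE) + unused(4) + reserved(8) = 36 bytes,
        # followed by cbLength bytes of file data and then guidFooter.
        (length,) = struct.unpack_from("<Q", one_bytes, pos + 16)
        start = pos + 36
        out.append(one_bytes[start:start + length])
        pos = start + length
    return out


def classify(payload: bytes) -> str:
    """Rough type guess from magic bytes / leading text; sufficient for triage, not detection."""
    if payload.startswith(b"MZ"):
        return "pe-executable"
    if payload.startswith(b"%PDF"):
        return "pdf"
    head = payload[:512].lower()
    if head.startswith(b"@echo") or b"powershell" in head or b"wscript" in head:
        return "script"
    return "unknown"


def one_attachments(raw_message: bytes) -> list[tuple[str, bytes]]:
    """Find attachments whose filename ends in a blocked extension."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            found.append((name, part.get_payload(decode=True)))
    return found


def triage(raw_message: bytes) -> dict[str, list[str]]:
    """Map each blocked attachment name to the types of the files embedded in it."""
    return {name: [classify(p) for p in embedded_files(data)]
            for name, data in one_attachments(raw_message)}


def build_sample_one(embedded: list[bytes]) -> bytes:
    """Constructed stand-in for a .one file: filler plus one FileDataStoreObject per payload."""
    blob = b"\x00" * 64  # filler where a real OneNote file header would sit (constructed)
    for data in embedded:
        blob += FDSO_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FDSO_FOOTER
    return blob


def build_sample_message() -> bytes:
    """Constructed phishing-style message with a .one attachment (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice / Facture"
    msg.set_content("Please see the attached invoice.")
    one = build_sample_one([b"MZ" + b"\x90" * 40, b"@echo off\r\nstart notepad\r\n"])
    msg.add_attachment(one, maintype="application", subtype="octet-stream",
                       filename="invoice.one")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, kinds in triage(build_sample_message()).items():
        print(f"{name}: blocked by policy; embedded files: {kinds}")
```

In a real gateway the `triage` result would feed a quarantine decision and a log line for the SOC; the point of listing the embedded types is that a OneNote file carrying a PE or a batch script is exactly the case in which the in-app warning is the only thing standing between the user and the AsyncRAT loader.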

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
