For years, threat actors have been hiding macros in emailed Microsoft Office documents as a way to deliver malware. When an unwitting employee clicks on the attachment to see the document, the macro runs silently in the background and leads to an infection.
But as Microsoft tightens security around macros, and email gateways look for and flag documents with macros, threat actors have found a new way to evade defences: leveraging Microsoft OneNote’s ability to embed files to deliver malware. Unlike Word (.docx) and Excel (.xlsx) files, OneNote doesn’t support VBA macros. But malicious OneNote files can still deliver threatening packages.
In two blogs this week, researchers at Trustwave detail how threat actors are abusing OneNote. It’s a warning to infosec leaders that they must ensure their defensive solutions can detect this vector of attack, and train employees not to be fooled.
One big problem: OneNote documents don’t include ‘Protected View’ and Mark-of-the-Web (MOTW) protection, Trustwave notes, increasing the risk of exposure to potentially malicious files and making it attractive to cybercriminals.
“We recently observed a notable spike in emails utilizing malicious OneNote attachments, with notorious malware strains also shifting to this delivery mechanism,” says the report.
OneNote is a note-taking application bundled into all versions of Microsoft Office. It’s also a standalone app. It allows users to take notes, organize information, and include files such as images, documents and executables in those notes.
From an end user’s point of view, a malicious OneNote document looks like any attachment.
In an example of a campaign, Trustwave has seen a threat actor send employees an email that purports to have an attached PDF product inquiry. [One hint it’s suspicious: it’s addressed to ‘Dear Sir/Madam’.] If the staffer clicks the ‘View Document’ button, it loads an embedded executable hidden in a OneNote notebook behind a fake Adobe PDF Reader icon.
[As an aside, the embedded file hides its true name from the victim by using a right-to-left override trick so the file appears to be ‘Orderinvpif.pdf’. With a .pdf extension it wouldn’t appear suspicious. But the real name of the file is ‘Orderinvpdf.pif’, a Windows executable.]
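The right-to-left override trick above can be caught before a user ever sees the name. The following is an added example for this article, not Trustwave’s code; it checks an attachment name for Unicode bidirectional control characters, recovers the extension the operating system will actually use, and approximates what the user would see on screen. The file names are constructed for the example, and the rendering function only models the single-override case (the full Unicode bidi algorithm is more involved).

```python
"""Flag attachment names that use a right-to-left override (U+202E) to hide
their real extension. Added example, not code from the article or Trustwave."""

# Unicode explicit bidi controls: embeddings, overrides, isolates and their terminators
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# Extensions Windows treats as directly executable; .pif is the one in the article
EXECUTABLE_EXTENSIONS = frozenset({".pif", ".exe", ".scr", ".com", ".bat", ".cmd"})


def has_bidi_override(name: str) -> bool:
    """True if any invisible bidi control character is present in the name."""
    return any(ch in BIDI_CONTROLS for ch in name)


def strip_bidi_controls(name: str) -> str:
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """Extension the OS sees: the literal characters after the last dot,
    ignoring the invisible control characters."""
    cleaned = strip_bidi_controls(name)
    dot = cleaned.rfind(".")
    return cleaned[dot:].lower() if dot != -1 else ""


def displayed_name(name: str) -> str:
    """Approximate on-screen rendering: everything after an RLO is drawn
    reversed. Simplified model for the one-override trick (assumption)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + strip_bidi_controls(tail)[::-1]


def assess_attachment(name: str) -> dict:
    """Summarise what the user sees versus what the OS will execute."""
    shown = displayed_name(name)
    shown_dot = shown.rfind(".")
    shown_ext = shown[shown_dot:].lower() if shown_dot != -1 else ""
    actual_ext = true_extension(name)
    override = has_bidi_override(name)
    return {
        "displayed": shown,
        "displayed_extension": shown_ext,
        "actual_extension": actual_ext,
        "bidi_override": override,
        "mismatch": shown_ext != actual_ext,
        # Block on any bidi control in a file name, or on a directly executable extension
        "verdict": "block" if override or actual_ext in EXECUTABLE_EXTENSIONS else "allow",
    }


if __name__ == "__main__":
    # Constructed sample names, not the real attachment from the campaign
    for sample in ("invoice" + RLO + "fdp.pif", "report.pdf"):
        print(assess_attachment(sample))
```

A mail gateway rule built on this logic should reject on the presence of the control character alone; the extension comparison is only there to explain the verdict to an analyst.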
In this particular example, the malware leads to the installation of an information stealer, which does a number of things including capturing the computer’s public IP address, network adapters, browsing history, browser cookies, and stored Wi-Fi passwords.
Another email campaign uses an old scam: a claim that the company owes money on an attached unpaid invoice. The OneNote document contains a ‘click to view document’ button image. Clicking the image actually clicks an embedded batch script, which then executes. Note that to increase the chance of a hit, threat actors purposely place several copies of the script side by side across the width of the button image. That way, wherever the user clicks on the button, the script, which would look suspicious if visible, runs while staying hidden behind the image.
The script copies a PowerShell executable to the current working directory and then renames it as skyy.bat.exe. It runs a PowerShell instance with a hidden window and bypasses execution policy while using the original batch script as an input to run more commands.
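The campaigns above all rely on a file object embedded in the OneNote section. Those objects have a fixed on-disk structure in Microsoft’s MS-ONE format, so a defender can carve them out of a suspicious attachment without opening it in OneNote. The following is an added example for this article, not Trustwave’s or Microsoft’s code: it locates each FileDataStoreObject by its header GUID, reads the length field, pulls out the payload, verifies the footer GUID and classifies the payload by its leading bytes. The GUIDs and field layout come from the MS-ONE specification; the sample .one file is constructed inline (a PNG stub plus a harmless batch stub) and is not a real attachment, and the magic-byte classifier is a deliberately small heuristic.

```python
"""Carve embedded file objects out of a OneNote .one file and flag
executables and scripts. Added example, not code from the article."""
import struct

# .one section file header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, little-endian
ONE_FILE_HEADER = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
# FileDataStoreObject guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# FileDataStoreObject guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# guidHeader(16) + cbLength(8) + unused(4) + reserved(8) precede the FileData bytes
FILE_DATA_OFFSET = 36

SUSPICIOUS_KINDS = frozenset({"pe-executable", "script", "ole-compound"})


def classify(payload: bytes) -> str:
    """Small magic-byte classifier (heuristic, not exhaustive)."""
    head = payload[:8]
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\x89PNG"):
        return "png"
    if head.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole-compound"
    if head.startswith(b"PK\x03\x04"):
        return "zip-container"
    text = payload[:512].lower().lstrip()
    if text.startswith((b"@echo", b"echo ", b"cmd", b"set ", b"start ")) or any(
        token in text for token in (b"powershell", b"cscript", b"wscript")
    ):
        return "script"
    return "unknown"


def is_one_file(data: bytes) -> bool:
    return data[:16] == ONE_FILE_HEADER


def scan_onenote(data: bytes) -> list:
    """Return one record per embedded file object found in the byte stream."""
    objects = []
    pos = data.find(FILE_DATA_HEADER)
    while pos != -1 and pos + FILE_DATA_OFFSET <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FILE_DATA_OFFSET
        payload = data[start:start + length]
        # A missing footer means a truncated or corrupt object; still report it
        footer_ok = data[start + length:start + length + 16] == FILE_DATA_FOOTER
        objects.append({
            "offset": pos,
            "size": length,
            "kind": classify(payload),
            "footer_ok": footer_ok,
            "payload": payload,
        })
        pos = data.find(FILE_DATA_HEADER, start + length)
    return objects


def flagged_objects(data: bytes) -> list:
    """Objects an analyst should look at: executable/script content or a broken footer."""
    return [o for o in scan_onenote(data) if o["kind"] in SUSPICIOUS_KINDS or not o["footer_ok"]]


def build_file_data_object(payload: bytes) -> bytes:
    """Assemble a FileDataStoreObject; used only to construct the sample below."""
    return FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + bytes(4) + bytes(8) + payload + FILE_DATA_FOOTER


# Constructed sample: a .one header, some padding, a PNG stub and a harmless batch stub
PNG_STUB = b"\x89PNG\r\n\x1a\n" + bytes(16)
BAT_STUB = b"@echo off\r\necho constructed sample\r\n"
SAMPLE_ONE = (
    ONE_FILE_HEADER + bytes(64)
    + build_file_data_object(PNG_STUB) + bytes(32)
    + build_file_data_object(BAT_STUB) + bytes(16)
)


if __name__ == "__main__":
    print("one file header:", is_one_file(SAMPLE_ONE))
    for obj in scan_onenote(SAMPLE_ONE):
        print(f"offset={obj['offset']} size={obj['size']} kind={obj['kind']} footer_ok={obj['footer_ok']}")
    print("flagged:", [o["kind"] for o in flagged_objects(SAMPLE_ONE)])
```

Run against a real attachment with `scan_onenote(open(path, "rb").read())`; anything classified as a PE, script or OLE document behind a ‘click to view’ image is exactly the pattern the campaigns above use, and the carved payload can be hashed and detonated separately.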
Ultimately the goal is to load AsyncRAT, a .NET-based open-source remote access trojan (RAT) used to gain control of computers and access data remotely. It provides a range of capabilities, such as keylogging and defense evasion features. Trustwave notes this is a popular tool of cybercriminals.
Recently, Trustwave has seen threat actors use OneNote to deliver the Qakbot malware. The OneNote attachment — which may have a OneNote icon — disguises itself as a document coming from the cloud. Right behind the ‘Open’ button hides an embedded batch file that will invoke PowerShell to download an additional payload that further leads to the Qakbot DLL. One of Qakbot’s tools is email thread hijacking, allowing the insertion of malicious content into an existing conversation between two or more people.
A third email campaign described by Trustwave pretends to be a property information notice from a construction company that includes a OneNote document. Again, an executable embedded in the OneNote hides behind a ‘Click to View Document’ button. This time the goal is to install the Remcos RAT.
“The extent of defense evasion techniques exhibited shows how aggressively the threat actors are attempting to increase the effectiveness of their attacks and make them more difficult to detect and analyze,” says the report.