Malware Spread Through Microsoft OneNote Files Grows in Post-Macro World

Hot potato: Attackers include OneNote attachments in their phishing emails to infect victims with remote access malware that can be used to steal passwords or even access cryptocurrency wallets. Malicious Word and Excel attachments that run macros to download and install malware have been used by cybercriminals to distribute malware via email for years. However, in 2022, Microsoft permanently disabled macros by default in Office documents, making this method of virus distribution ineffective.
According to security experts, the use of Microsoft OneNote pages to distribute malware to unsuspecting users is on the rise. Proofpoint researchers report that their investigation found six campaigns in December 2022 that used OneNote to spread the AsyncRAT malware. Less than a month later, they discovered over 50 such campaigns in January 2023. That same month, a threat actor tracked as TA577 started distributing Qbot via OneNote.
XWorm, Qakbot, BATLOADER, Agent Tesla, DOUBLEBACK, Quasar RAT, AsyncRAT, RedLine Stealer, and FormBook are a few known malware families that use this propagation method.
OneNote files allow users to embed attachments, and an embedded attachment can be made to download malware from a remote location. The report states that the attackers sent out lures with themes such as “invoice, money order, shipping and seasonal themes like Christmas bonus” to trick their targets into thinking the contents were safe.
Sometimes the phishing email carries a OneNote file with an embedded HTA file that runs a PowerShell script to retrieve a malicious payload from a remote server. In other cases, a malicious VBScript is embedded in the OneNote page and hidden behind an image that looks like a useful button; when the user double-clicks the “button”, the VBScript runs and in turn launches a DOUBLEBACK PowerShell script.
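The chain just described (an HTA or VBScript embedded in a OneNote page that hands off to PowerShell) can be checked for on the defender's side by carving the embedded attachments out of a .one file and inspecting them before the user ever clicks. The Python below is an added example, not code from the article or from Proofpoint. It relies on the FileDataStoreObject layout documented in Microsoft's MS-ONESTORE specification (header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, then an 8-byte length, 4 unused bytes and 8 reserved bytes, then the attachment bytes) and runs against a constructed in-memory blob that mimics that structure rather than a real OneNote file. The indicator patterns are my own simple heuristics, not a vetted signature set.

```python
import re
import struct
import uuid

# FileDataStoreObject header GUID from the MS-ONESTORE spec; OneNote stores
# GUIDs in the Windows little-endian layout, which bytes_le reproduces.
FILE_DATA_STORE_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Content heuristics for embedded attachments (constructed for this example).
SUSPICIOUS_PATTERNS = {
    "hta_or_html_script": re.compile(rb"<script\b", re.I),
    "vbscript": re.compile(rb"\b(CreateObject|WScript\.Shell)\b", re.I),
    "powershell": re.compile(
        rb"powershell(\.exe)?\b|-EncodedCommand|\bIEX\b|Invoke-Expression", re.I
    ),
    "pe_executable": re.compile(rb"\AMZ"),
}


def extract_embedded_files(data: bytes):
    """Yield (offset, payload) for every FileDataStoreObject found in the blob.

    A declared length that runs past the end of the file is clamped, so a
    truncated or corrupted object still yields whatever bytes are present.
    """
    pos = 0
    while True:
        idx = data.find(FILE_DATA_STORE_GUID, pos)
        if idx == -1:
            return
        hdr_end = idx + HEADER_LEN
        if hdr_end > len(data):
            return
        (cb_length,) = struct.unpack_from("<Q", data, idx + 16)
        payload = data[hdr_end:hdr_end + cb_length]
        yield idx, payload
        pos = hdr_end + len(payload)


def classify_payload(payload: bytes) -> list:
    """Return the names of all heuristics that match the attachment bytes."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(payload)]


def scan_onenote(data: bytes) -> list:
    """Carve every embedded attachment and attach its indicator list."""
    return [
        {"offset": off, "size": len(p), "indicators": classify_payload(p)}
        for off, p in extract_embedded_files(data)
    ]


def build_file_data_store_object(payload: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject header (test fixture, not a full .one writer)."""
    return FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload


# Constructed sample: a harmless image attachment followed by an HTA-style
# attachment of the kind the article describes (placeholder command, not live).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_HTA = (
    b'<html><script language="VBScript">'
    b'CreateObject("WScript.Shell").Run "powershell -EncodedCommand PLACEHOLDER"'
    b"</script></html>"
)
PREFIX = b"constructed-onenote-header-bytes"
SAMPLE_ONENOTE = (
    PREFIX
    + build_file_data_store_object(SAMPLE_PNG)
    + b"page-object-filler"
    + build_file_data_store_object(SAMPLE_HTA)
)

if __name__ == "__main__":
    for finding in scan_onenote(SAMPLE_ONENOTE):
        verdict = "SUSPICIOUS" if finding["indicators"] else "clean"
        print(f"offset={finding['offset']} size={finding['size']} {verdict} {finding['indicators']}")
```

In production this would run in the mail gateway or sandbox on each .one attachment; an attachment that matches the script or PowerShell heuristics is a strong reason to quarantine the message, since legitimate OneNote notes very rarely carry executable content.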
While email remains the most common malware distribution method, limiting the use of macros has the dual effect of reducing the attack surface and increasing the overhead associated with executing an attack. But other strategies for hiding malicious code have gained popularity as well. Ekipa RAT (Remote Access Trojan) and other backdoors were also distributed via Microsoft Publisher macros and Excel add-in (XLL) files as attack vectors.
Researchers from Proofpoint believe that OneNote’s popularity among attackers is the result of extensive experimentation. OneNote, which is part of the Microsoft Office suite but is now also offered for free as a standalone program, was settled on after trial and error with several types of attachments because detection rates for OneNote lures have been poor so far.