Threat Insight: Spike in Threat Actors Distributing Malware Using Microsoft OneNote
Since December 2022, multiple security vendors and security researchers observed a spike in malspam campaigns distributing different malware families that abuse Microsoft OneNote to circumvent security controls and infect users. The main initial infection chain relied on unwitting users clicking (T1204.001) on malicious hyperlinks (T1566.002) to download weaponized OneNote files or malicious OneNote file attachments, further prompting users to double-click (T1204.002) on an “Open” or “View” button.
The below represents notable reports from December 2022 to February 2023:
- On January 31, 2023, Sophos researchers observed two concurrent malspam (T1566) campaigns dubbed “QakNote,” a reference to the use of Microsoft OneNote to deliver the QakBot payload. The first campaign attempted to lure victims into clicking on an embedded hyperlink (T1204.001) to download a malicious .one file attachment. The second campaign employed a known tactic called “email thread hijacking,” where the threat actor abuses an existing email thread to send a “reply-to-all” message and convince recipients to download the malicious OneNote file attachment (T1566.001). When unsuspecting Microsoft Windows users open the attachment, it prompts them to click on an “Open” button that contains an embedded HTA file. If clicked on, it retrieves the QakBot payload from a remote server onto the victim’s system and executes it.
- In December 2022, Proofpoint researchers observed six malspam campaigns using OneNote attachments to distribute the AsyncRAT. In January 2023, Proofpoint observed over 50 OneNote-related campaigns distributing seven additional malware families, such as Qakbot, AgentTesla (S0331), DoubleBack, NetWire RAT (S0198), Redline Stealer, QuasarRAT (S0262) and XWorm. Proofpoint noted the OneNote files contained embedded files, prompting users to click on a button that executes one of several malicious files, such as various executables, shortcut (LNK) files (T1547.009), HTA or Windows script file (WSF).
- In early December 2022, Trustwave researchers observed a malspam campaign where threat actors delivered information-stealing malware named FormBook using Microsoft OneNote file attachments. The campaign employed multiple themes, such as shipping notifications, invoices, remittances and mechanical sketches, to lure users into downloading the malicious OneNote attachment. The attachments contained Visual Basic Script (VBS) files hidden behind a “Double Click to View” button. When executed, the infected system retrieved two files from a remote server, one decoy OneNote file and the second a malicious batch file containing the Formbook malware.
The Kaseya Threat Management team recommends users exercise caution when receiving emails from unsolicited, untrusted or unexpected senders, regardless of the familiarity of the sender. We remind users to refrain from clicking on embedded hyperlinks or file attachments from unknown senders to prevent inadvertently infecting your system and network. Lastly, email administrators should consider blocking all .one file extensions since they are an uncommonly used file attachment and the infection risk remains high.
Further information on the abovementioned reports can be found at CRN, Cyble, Cyble, Cyble, Sophos, BleepingComputer, Proofpoint and Trustwave.
– Kaseya Threat Management Team