Threat Insight: Spike in Threat Actors Distributing Malware Using Microsoft OneNote
Since December 2022, multiple security vendors and researchers have observed a spike in malspam campaigns distributing different malware families that abuse Microsoft OneNote files to circumvent security controls and infect users. The main initial infection chain relied on unwitting users clicking (T1204.001) malicious hyperlinks (T1566.002) to download weaponized OneNote files, or opening malicious OneNote file attachments; the file then prompts the user to double-click (T1204.002) an “Open” or “View” button that conceals an embedded script or executable.
The following are notable reports from December 2022 to February 2023:
- In early to mid-February 2023, Cyble researchers reported on several malspam campaigns containing OneNote file attachments (T1566.001) that deliver QakBot (S0650) or BatLoader payloads onto victims’ systems. The QakBot campaigns lure users into downloading and opening the OneNote attachment, then convince them to double-click a button to “view” the file. When the user does so, the attachment drops an embedded HTML Application (.hta) file containing hidden JavaScript (T1059.007) and VBScript (T1059.005) functions and runs it with mshta.exe (T1218.005), which downloads the QakBot payload from a remote server (T1071.001). In another case, the OneNote attachment dropped and executed an embedded batch file (T1059), which launched a PowerShell script (T1059.001) to download a malicious DLL containing QakBot from a remote location. Similarly, Cyble observed BatLoader drop and execute an obfuscated batch file, then run PowerShell to retrieve and load secondary payloads such as AsyncRAT, QuasarRAT (S0262), DCRat, RedLine Stealer and StormKitty Stealer. Separately, multiple security vendors corroborated Cyble’s reporting and highlighted the increased risk to managed service providers (MSPs) from threat actors leveraging Microsoft OneNote file attachments.
- On January 31, 2023, Sophos researchers observed two concurrent malspam (T1566) campaigns dubbed “QakNote,” a reference to the use of Microsoft OneNote to deliver the QakBot payload. The first campaign attempted to lure victims into clicking an embedded hyperlink (T1204.001) to download a malicious .one file. The second employed a known tactic called “email thread hijacking,” in which the threat actor abuses an existing email thread to send a “reply-to-all” message and convince recipients to open the malicious OneNote file attachment (T1566.001). When unsuspecting Microsoft Windows users open the attachment, it prompts them to click an “Open” button that conceals an embedded HTA file. If clicked, the HTA retrieves the QakBot payload from a remote server and executes it on the victim’s system.
- In December 2022, Proofpoint researchers observed six malspam campaigns using OneNote attachments to distribute AsyncRAT. In January 2023, Proofpoint observed more than 50 OneNote-related campaigns distributing seven additional malware families, including QakBot, Agent Tesla (S0331), DoubleBack, NetWire RAT (S0198), RedLine Stealer, QuasarRAT (S0262) and XWorm. Proofpoint noted that the OneNote files contained embedded files hidden behind a button; clicking it executes one of several malicious file types, such as executables, shortcut (LNK) files (T1547.009), HTA files or Windows Script Files (WSF).
- In early December 2022, Trustwave researchers observed a malspam campaign in which threat actors delivered the information-stealing malware FormBook using Microsoft OneNote file attachments. The campaign employed multiple themes, such as shipping notifications, invoices, remittances and mechanical sketches, to lure users into downloading the malicious OneNote attachment. The attachments contained Visual Basic Script (VBS) files hidden behind a “Double Click to View” button. When executed, the script retrieved two files from a remote server: a decoy OneNote file, and a malicious batch file containing the FormBook malware.
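Every chain above starts the same way: a script or executable embedded in the OneNote file and hidden behind a button. OneNote stores embedded attachments as FileDataStoreObject structures (MS-ONESTORE section 2.6.13), each framed by fixed header and footer GUIDs, so a mail gateway or triage script can carve them out and classify the payload by content without a full parser. The Python scanner below is an added example written for this note; it is not Kaseya’s or any cited vendor’s tooling. The sample bytes are constructed inside the block to mimic the layout the reports describe (a decoy image, an HTA, a batch file) and are not taken from a real campaign; the commands inside them are inert.

```python
"""Carve embedded files out of a OneNote (.one) blob and flag script/executable payloads.

Added example for this note, not Kaseya's or any vendor's tooling. OneNote keeps embedded
attachments in FileDataStoreObject structures (MS-ONESTORE 2.6.13): a 16-byte header GUID,
an 8-byte little-endian cbLength, 12 bytes of unused/reserved fields, the raw file bytes,
then a 16-byte footer GUID. Searching for the header GUID is enough to recover every
embedded object without parsing the revision store around it.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and {71FBA722-0F79-4A0B-BB13-899256426B24},
# written in the mixed-endian byte order GUIDs use on disk.
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
FIXED_FIELDS = 8 + 4 + 8  # cbLength, unused, reserved

# Payload kinds the campaigns above dropped behind the "Open"/"View" button.
DANGEROUS_KINDS = {"executable", "lnk", "wsf", "hta", "vbscript", "batch"}


@dataclass
class EmbeddedFile:
    offset: int      # where the payload bytes start in the blob
    size: int        # cbLength as declared by the structure
    kind: str        # content-sniffed classification
    footer_ok: bool  # footer GUID found where cbLength says it should be


def classify(data: bytes) -> str:
    """Classify an embedded payload by its content, not by any filename OneNote displays."""
    head = data[:4096]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "executable"
    if head.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):  # ShellLink header size + CLSID prefix
        return "lnk"
    if b"<job" in low and b"<script" in low:
        return "wsf"
    if b"<hta:application" in low or b"<script" in low:
        return "hta"
    if b"createobject(" in low or b"wscript." in low:
        return "vbscript"
    if low.lstrip().startswith(b"@echo off") or b"powershell" in low or b"cmd.exe" in low:
        return "batch"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff"):
        return "image"
    return "other"


def carve_embedded_files(blob: bytes) -> list[EmbeddedFile]:
    """Return every FileDataStoreObject payload in the blob, in file order."""
    found: list[EmbeddedFile] = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        length_off = pos + len(FILE_DATA_HEADER)
        if length_off + 8 > len(blob):
            break  # truncated structure; nothing more to read
        (cb_length,) = struct.unpack_from("<Q", blob, length_off)
        data_off = length_off + FIXED_FIELDS
        data = blob[data_off:data_off + cb_length]  # clipped if cbLength overruns the blob
        footer = blob[data_off + cb_length:data_off + cb_length + len(FILE_DATA_FOOTER)]
        found.append(EmbeddedFile(data_off, cb_length, classify(data), footer == FILE_DATA_FOOTER))
        pos = blob.find(FILE_DATA_HEADER, data_off + len(data))
    return found


def scan(blob: bytes) -> tuple[bool, list[EmbeddedFile]]:
    """True when any embedded file is a script or executable type; also returns the carve list."""
    files = carve_embedded_files(blob)
    return any(f.kind in DANGEROUS_KINDS for f in files), files


def _file_data_store_object(payload: bytes) -> bytes:
    """Wrap a payload in one FileDataStoreObject (used only to build the constructed sample)."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload))
            + b"\x00" * (FIXED_FIELDS - 8) + payload + FILE_DATA_FOOTER)


# Constructed sample, not a real campaign file: the .one file-type GUID, filler, a PNG standing
# in for the "Double Click to View" button graphic, then HTA and batch payloads shaped like the
# ones the reports describe. The embedded commands are inert.
SAMPLE_HTA = (b'<html><hta:application showintaskbar="no"/>\r\n'
              b'<script language="VBScript">Set sh = CreateObject("WScript.Shell")</script></html>')
SAMPLE_BAT = b'@echo off\r\npowershell -nop -w hidden -c "Write-Output constructed-sample"\r\n'
SAMPLE_ONE = (
    bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
    + b"\x00" * 64
    + _file_data_store_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    + b"\x00" * 16
    + _file_data_store_object(SAMPLE_HTA)
    + _file_data_store_object(SAMPLE_BAT)
)

if __name__ == "__main__":
    suspicious, files = scan(SAMPLE_ONE)
    for f in files:
        print(f"offset={f.offset:#x} size={f.size} kind={f.kind} footer_ok={f.footer_ok}")
    print("VERDICT:", "block" if suspicious else "allow")
```

The scanner deliberately ignores the filename OneNote shows for an attachment and classifies by content, because the lure button sits on top of the embedded object and the displayed name is attacker-controlled. A `footer_ok` of False means the declared length did not land on the footer GUID, which is worth flagging on its own: either the structure is truncated or the length field has been tampered with.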
The Kaseya Threat Management team recommends that users exercise caution when receiving emails from unsolicited, untrusted or unexpected senders, and treat unexpected attachments with suspicion even when the sender appears familiar, since thread hijacking abuses existing, trusted conversations. We remind users to refrain from clicking embedded hyperlinks or opening file attachments from unknown senders, to avoid inadvertently infecting their systems and networks. Lastly, email administrators should consider blocking .one file attachments outright at the email gateway: they are rarely exchanged legitimately by email, and the infection risk remains high.
Further information on the above-mentioned reports can be found at CRN, Cyble, Cyble, Cyble, Sophos, BleepingComputer, Proofpoint and Trustwave.
– Kaseya Threat Management Team