Security researchers have been monitoring the rise of a new technique for spreading malware, using Microsoft’s OneNote to deliver malicious payloads to unsuspecting victims.
Attackers have used Microsoft Office files to spread malware for years, especially via malicious macros in Excel and Word documents, but in 2022 Microsoft finally began blocking macros by default in files downloaded from the internet. Undeterred, attackers have found that OneNote, whose files do not rely on VBA macros and so are untouched by that change, makes an ideal platform for their needs.
For one thing, OneNote, Microsoft’s note-taking application, ships with Microsoft 365 and Office, so it is already installed on most Windows PCs and its files open without any extra setup. Users who do not have it can download it for free.
Researchers at Trustwave’s SpiderLabs first noticed the OneNote strategy being employed in December 2022, when their systems flagged a spam email with an attached .one file.
“It’s not typical to email .one files, so we took a closer look at the email,” the researchers said in a blog post.
In this instance, the email claimed to be from the “purchasing team” at another company, with a request for a quote for some unnamed service. The clever part is what happens when someone clicks on the attached OneNote file.
Opening the file displays an image lure with a “view document” button. Clicking it does not open a document: it triggers the attacker’s content hidden behind the image, which ultimately delivers Formbook, an information-stealing Trojan. A warning about opening an unknown attachment does appear, but many users are used to clicking straight through it.
Once that warning is dismissed, a Windows Script File (WSF) embedded in the OneNote document runs and launches a PowerShell command, which downloads two files from a command-and-control server on a .ru domain. The first is a legitimate OneNote document that is opened as a decoy to mask the second, which is the Formbook malware itself.
Formbook is capable of logging keystrokes, taking screenshots, and capturing data entered into websites and other applications.
“In sum, a WSF file embedded in a OneNote document is likely to fly under the radar,” the researchers said.
“It also means that OneNote can now join the list of other Office documents that need to be inspected for malicious components.”
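The practical consequence of the attack chain above is that mail gateways and sandboxes need to look inside .one attachments for embedded files, the way they already do for Office documents. The following is an added example, not code from the article or from Trustwave, that does the minimum: it carves every FileDataStoreObject out of a OneNote file using the layout documented in Microsoft’s MS-ONE specification (a 16-byte header GUID, an 8-byte little-endian length, 12 reserved bytes, the file bytes, and a 16-byte footer GUID), classifies each payload, and flags script or executable types. The type markers and the sample file are assumptions constructed for the example; the sample WSF is a stand-in, not the lure the researchers analysed.

```python
"""Carve embedded files out of a OneNote (.one) document and flag script payloads.

Added example, not from the article or Trustwave. The GUIDs and the FileDataStoreObject
layout come from Microsoft's MS-ONE specification; the type markers and the sample blob
below are assumptions made for this example.
"""
import re
import struct

# GUIDs as they appear on disk (Data1/Data2/Data3 little-endian).
ONE_FILE_GUID = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")    # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")    # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_PREFIX_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Heuristic markers for payload types seen in OneNote lures (assumption: a starting set, not exhaustive).
SCRIPT_MARKERS = (
    ("wsf", re.compile(rb"<\s*job\b", re.I)),
    ("hta", re.compile(rb"<\s*hta:application\b", re.I)),
    ("script", re.compile(rb"<\s*script\b", re.I)),
    ("powershell", re.compile(rb"powershell|invoke-expression|\biex\b", re.I)),
    ("batch", re.compile(rb"@echo off|\bcmd(\.exe)?\s+/c", re.I)),
)
SUSPICIOUS_KINDS = {"wsf", "hta", "script", "powershell", "batch", "pe"}


def classify_payload(payload: bytes) -> str:
    """Name the embedded file type: magic bytes first, then text markers in the first 4 KiB."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(ONE_FILE_GUID):
        return "onenote"
    if payload.startswith((b"\x89PNG", b"\xff\xd8\xff", b"GIF8")):
        return "image"
    head = payload[:4096]
    for kind, pattern in SCRIPT_MARKERS:
        if pattern.search(head):
            return kind
    return "unknown"


def carve_file_data_store_objects(data: bytes) -> list:
    """Return one record per FileDataStoreObject found by scanning for the header GUID.

    The length field is attacker-controlled, so it is clamped to the buffer and the footer
    GUID is verified rather than trusted; scanning resumes right after each header so a
    bogus length cannot hide a later object.
    """
    found = []
    pos = 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        pos = idx + 16
        if idx + FDSO_PREFIX_LEN > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, idx + 16)
        start = idx + FDSO_PREFIX_LEN
        end = min(start + length, len(data))
        payload = data[start:end]
        kind = classify_payload(payload)
        found.append({
            "offset": idx,
            "declared_len": length,
            "size": len(payload),
            "footer_ok": data[end:end + 16] == FDSO_FOOTER,
            "kind": kind,
            "suspicious": kind in SUSPICIOUS_KINDS,
        })
    return found


def scan_one_file(data: bytes) -> dict:
    """Triage verdict for a .one blob: is it OneNote, what is embedded, should it be blocked."""
    objects = carve_file_data_store_objects(data)
    return {
        "is_onenote": data.startswith(ONE_FILE_GUID),
        "objects": objects,
        "block": any(o["suspicious"] for o in objects),
    }


# --- constructed sample (not a real lure): a PNG and a WSF embedded in a minimal .one-like blob ---
def build_fdso(payload: bytes) -> bytes:
    """Wrap bytes in the FileDataStoreObject layout that carve_file_data_store_objects parses."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
SAMPLE_WSF = (
    b'<job id="view"><script language="VBScript">\n'
    b'Set sh = CreateObject("WScript.Shell")\n'
    b'sh.Run "powershell.exe -w hidden -nop -c (download cradle placeholder)", 0\n'
    b"</script></job>"
)
SAMPLE_ONE = ONE_FILE_GUID + b"\x00" * 48 + build_fdso(SAMPLE_PNG) + b"\x00" * 16 + build_fdso(SAMPLE_WSF)

if __name__ == "__main__":
    report = scan_one_file(SAMPLE_ONE)
    for obj in report["objects"]:
        print(f"@{obj['offset']:#x} {obj['kind']:<10} {obj['size']} bytes "
              f"footer_ok={obj['footer_ok']} suspicious={obj['suspicious']}")
    print("verdict:", "BLOCK" if report["block"] else "allow")
```

Carving by header GUID rather than walking the file's object tree is deliberate: it is cheap, it needs no full MS-ONE parser, and it still finds objects even when the surrounding structures are damaged or crafted to confuse a parser. The trade-off is that the type check is heuristic, so a gateway would pair this with detonation or a proper file-type engine, and would treat any embedded object with a mismatched footer or an absurd declared length as a reason to quarantine on its own.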
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.