OneNote Malware

OneNote documents are increasingly being used by threat actors to send malware to unsuspecting end users via email, according to Proofpoint researchers. These campaigns infect victims with remote access malware that can be used to install additional malware, steal passwords, or even access cryptocurrency wallets.

Microsoft developed the digital notebook OneNote, which is available via the Microsoft 365 product suite.

“Threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs,” say Proofpoint researchers.

After years of employing malicious Word and Excel attachments that start macros to download and install malware, attackers are now utilizing this method to spread malware through emails.

Microsoft, however, finally began blocking macros by default in Office documents in July, rendering this technique ineffective for spreading malware.

Reports say messages typically contain OneNote file attachments with themes such as invoice, remittance, and shipping, as well as seasonal themes such as Christmas bonus, among other subjects.

“The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When the user double-clicks the embedded file, they will be prompted with a warning. If the user clicks continue, the file will execute,” explain the researchers.

Various executables, shortcut (LNK) files, and script files, such as HTML applications (HTA) or Windows script files (WSF), could be present in the file.
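For defenders triaging `.one` attachments, the embedded files described above can be located directly in the raw bytes. The following is an added example, not code from Proofpoint or the original article: it scans for the FileDataStoreObject header GUID defined in Microsoft's [MS-ONESTORE] specification and classifies each embedded file. The marker lists, function names and sample bytes are assumptions constructed for illustration.

```python
import struct
import uuid

# guidHeader of a FileDataStoreObject, per Microsoft's [MS-ONESTORE] spec.
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
PREFIX_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Heuristic markers (assumptions of this example), checked in order.
MAGIC = [(b"MZ", "executable"), (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),
         (b"\x89PNG", "image"), (b"\xff\xd8\xff", "image")]
SCRIPT = [(b"<hta:application", "hta"), (b"<job", "wsf"),
          (b"createobject(", "script"), (b"powershell", "script")]

def classify(blob):
    """Guess the type of an embedded file from magic bytes or script markers."""
    for magic, kind in MAGIC:
        if blob.startswith(magic):
            return kind
    head = blob[:4096].lower()
    for marker, kind in SCRIPT:
        if marker in head:
            return kind
    return "unknown"

def embedded_files(data):
    """Yield (offset, payload) for each FileDataStoreObject in raw .one bytes."""
    pos = data.find(FDSO_HEADER)
    while pos != -1 and pos + PREFIX_LEN <= len(data):
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + PREFIX_LEN
        if start + size <= len(data):  # skip truncated or bogus lengths
            yield pos, data[start:start + size]
        pos = data.find(FDSO_HEADER, pos + 16)

def triage(data):
    """Return (offset, size, kind, suspicious) per embedded file; only images pass."""
    return [(off, len(blob), classify(blob), classify(blob) != "image")
            for off, blob in embedded_files(data)]

def _wrap(payload):
    """Build a constructed FileDataStoreObject around payload (test data only)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload

# Constructed sample: a button image plus a hidden HTA, as in the lures above.
SAMPLE = (b"\x00" * 64 + _wrap(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
          + b"\x00" * 8 + _wrap(b"<html><HTA:APPLICATION id='a'/></html>"))

if __name__ == "__main__":
    for off, size, kind, suspicious in triage(SAMPLE):
        print(f"offset={off:#x} size={size} type={kind} suspicious={suspicious}")
```

Anything that is not an image is flagged, so embedded content the markers do not recognise (for example a UTF-16 encoded script) is reported as `unknown` and still marked suspicious.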

The number of OneNote campaigns from December 2022 to January 2023

In the December campaign, a OneNote attachment in messages contained an HTA file that launches a PowerShell script to download an executable (like Excel.exe) from a URL. These communications were directed at companies in the industrial and manufacturing sectors.

OneNote lure spoofing TP Aerospace

Researchers say thousands of messages were sent as part of other campaigns that used invoice and shipment themes, as well as “Christmas bonus” or “Christmas gift” lures that primarily targeted businesses in the education sector and other industries.

Christmas gift-themed lures containing OneNote attachments to deliver AsyncRAT

“The campaigns continued to use the same TTPs, with hidden embedded files in the OneNote attachment that ultimately lead to the download of a malware payload,” researchers say.

“In multiple campaigns, the actors used the legitimate services ‘OneNote Gem’ and Transfer.sh to host payloads.”

Further, researchers discovered one campaign that used invoice themes and distributed XWorm and AsyncRAT. The lure used both English and French. A OneNote attachment in the messages contained a PowerShell script that could be used to download a batch file (system32.bat) from a URL.

Malware campaign delivering XWorm and AsyncRAT payloads using invoice themes

“On 19 January 2023, observed a low-volume campaign distributing the DOUBLEBACK backdoor. DOUBLEBACK is an in-memory backdoor that can enable host and network reconnaissance, data theft, and follow-on payloads,” researchers say.

Messages contained URLs on several domains with a URI ending with /download/[guid]. The actor claimed to have previously contacted the victim and said that the related files had been uploaded to cloud storage.

The template instructed the victim to “Double Click To View File.” OneNote would then try to run a VBS file hidden behind the button. The victim would be warned about the security concerns before being allowed to open attachments. If the victim continued, the VBS would run.

On January 31, 2023, the initial access broker TA577 resumed operation after a one-month absence and delivered Qbot with an attack chain that includes OneNote. The emails, each with a distinct URL in the body, appeared to be replies to earlier conversations.

If the victim double-clicked the file and confirmed the security prompt, researchers say JavaScript code was executed that downloaded a file from a remote URL and displayed a fake error message.

Final Word

Researchers suspect that several threat actors are attempting to get around threat detections by employing OneNote attachments.

An attack can only be successful if the target interacts with the attachment—more precisely if they click on the embedded file and ignore the OneNote warning. End users should be informed about this tactic by organisations, and users should be urged to report suspicious emails and attachments.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.