New scam by cyber criminals


Since Microsoft began blocking macros by default in 2022, cybercriminals have experimented with many new tactics, techniques, and procedures (TTPs), including the use of previously rarely observed file types such as virtual hard disk drives (VHD), compiled HTML (CHM), and now OneNote (.one). At the time of analysis, several OneNote malware samples observed by Proofpoint were not detected by numerous antivirus vendors on VirusTotal.

While the subjects and senders of the emails vary, almost all campaigns use unique messages to spread malware and typically do not use thread hijacking. The emails usually carry OneNote file attachments with themes such as "invoice", "bank transfer", "shipping" or seasonal themes such as "holiday bonus". In mid-January 2023, Proofpoint researchers also observed cybercriminals using URLs to deliver OneNote attachments that rely on the same TTPs to execute malware. This includes a TA577 campaign on January 31, 2023.

OneNote documents with embedded files

The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. If the user double-clicks the embedded file, they are presented with a warning. When the user clicks Next, the file runs. The embedded file can be an executable, a shortcut file (LNK), or a script file such as an HTML application (HTA) or a Windows script file (WSF).
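As an added defender-side example (not Proofpoint's code and not taken from the article), the following Python scanner walks a .one file for the FileDataStoreObject records that carry embedded files, using the header and footer GUIDs from Microsoft's public MS-ONESTORE specification, and classifies each payload by its leading bytes so that the executable, LNK, HTA and WSF types named above can be flagged before a user ever sees the decoy button. The sample input is a constructed byte string that only mimics the record layout; it is not a real lure, and the `classify`, `find_embedded_files`, `assess` and `build_sample` names are this example's own.

```python
"""Scan a OneNote .one file for embedded FileDataStoreObject records and flag
executable or script payloads. Added illustration; not Proofpoint's code."""
import struct

# MS-ONESTORE FileDataStoreObject GUIDs as they appear on disk (little-endian fields).
EMBED_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
EMBED_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength (uint64), unused, reserved

# Payload types a OneNote lure hides behind a "double-click to view" graphic.
RISKY_KINDS = {"PE executable", "Windows shortcut (LNK)",
               "HTML application (HTA)", "Windows script file (WSF)", "script"}


def classify(payload: bytes) -> str:
    """Best-effort type detection from magic bytes or leading markup."""
    head = payload[:512]
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith(b"L\x00\x00\x00\x01\x14\x02\x00"):  # LNK header + CLSID prefix
        return "Windows shortcut (LNK)"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff"):
        return "image"  # typically the decoy button graphic
    low = head.lower()
    if b"hta:application" in low:
        return "HTML application (HTA)"
    if b"<job" in low or b"<package" in low:
        return "Windows script file (WSF)"
    if b"<script" in low:
        return "script"
    return "unknown"


def find_embedded_files(data: bytes) -> list:
    """Describe every FileDataStoreObject found in `data`.

    Records whose declared length runs past the end of the file, or whose footer
    GUID is missing, are reported rather than skipped: a truncated or malformed
    record is itself worth a look.
    """
    records = []
    pos = data.find(EMBED_HEADER)
    while pos != -1 and pos + HEADER_LEN <= len(data):
        (declared,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_LEN
        payload = data[start:start + declared]
        records.append({
            "offset": pos,
            "size": declared,
            "kind": classify(payload),
            "truncated": len(payload) < declared,
            "footer_ok": data[start + declared:start + declared + 16] == EMBED_FOOTER,
        })
        pos = data.find(EMBED_HEADER, start)
    return records


def assess(records: list) -> str:
    """Verdict for a mail-gateway or sandbox rule: any risky payload is enough."""
    return "suspicious" if any(r["kind"] in RISKY_KINDS for r in records) else "benign"


def _embed(payload: bytes) -> bytes:
    """Wrap a payload in the FileDataStoreObject header/footer layout."""
    return EMBED_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + EMBED_FOOTER


def build_sample() -> bytes:
    """Constructed stand-in for a lure: a PNG 'button' decoy followed by a hidden
    HTA and a PE stub. The surrounding bytes are filler, not a real .one header."""
    decoy = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    hta = b"<html><hta:application id='x'></hta:application><script>/* stub */</script></html>"
    pe = b"MZ" + b"\0" * 62
    return b"ONE-FILE-PREAMBLE" + _embed(decoy) + b"\0" * 8 + _embed(hta) + _embed(pe) + b"TRAILER"


if __name__ == "__main__":
    found = find_embedded_files(build_sample())
    for r in found:
        print(f"offset={r['offset']:<6} size={r['size']:<6} kind={r['kind']:<24} "
              f"truncated={r['truncated']} footer_ok={r['footer_ok']}")
    print("verdict:", assess(found))
```

Run against real attachments by replacing `build_sample()` with the bytes of a quarantined .one file; the decoy image shows up as a harmless "image" record, while the hidden payload behind it is what the verdict keys on.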

The number of campaigns using OneNote attachments increased significantly between December 2022 and January 31, 2023. While Proofpoint experts only observed OneNote campaigns delivering AsyncRAT malware in December, in January 2023 the researchers found seven other types of malware distributed via OneNote attachments: Redline, AgentTesla, Quasar RAT, XWorm, Netwire, DOUBLEBACK, and Qbot. The campaigns targeted organizations around the world, including Europe.

The increasing number of campaigns and the variety of malware deployed suggest that OneNote is now being used by multiple actors with different skill sets. While some campaigns use similar lures and audiences, most campaigns use different infrastructure, themes, and audiences. Only one campaign could be assigned to a specific cybercriminal group: TA577.

Concern and hope

Proofpoint believes several cybercriminal groups are using OneNote attachments to evade defensive controls. TA577's use of OneNote indicates that other, more capable actors will soon adopt this technique. This is worrying: as a so-called "initial access broker", TA577 paves the way for follow-on infections with other malware, including ransomware. Based on data in open-source malware repositories, Proofpoint determined that the attachments originally used were not detected as malicious by several antivirus engines. It is therefore likely that the initial campaigns had a high success rate (Proofpoint customers were protected because the messages were classified as malicious).

One cause for hope is the fact that an attack is only successful if the recipient takes action after opening the attachment, specifically by clicking the embedded file and ignoring the warning message that OneNote displays. Businesses should educate their end users about this technique and encourage them to report suspicious emails and attachments.

More at Proofpoint.com

About Proofpoint

Proofpoint, Inc. is a leading cybersecurity company. Proofpoint's focus is on protecting employees, because they are a company's greatest asset but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.
