Attackers Abusing OneNote Attachments to Spread RAT Malware


Over the years, threat actors have delivered malware by email through malicious Microsoft Word and Excel attachments, which launch macros to download and install the malware.


Now attackers have turned to another Microsoft app, Microsoft OneNote, in the same way: they attach malicious OneNote files to phishing emails to install remote access malware on the victim's computer, which is then used to steal cryptocurrency wallets and passwords or to install further malware.

OneNote is a note-taking app from Microsoft and is included with Microsoft Office and Microsoft 365. In July last year, Microsoft once again disabled macros by default in Office Word and Excel, which made the macro technique useless.

That did not stop attackers: they started taking advantage of other file formats, such as ISO images and password-protected ZIP files. A Windows bug helped too, by bypassing the security warnings, and ZIP archive utilities did not propagate the Mark of the Web to the extracted files.

These bugs were later fixed by Microsoft and 7-Zip, so a frightening security warning now appears when the user tries to open a downloaded file inside an ISO or ZIP archive.

[Image] Mark of the Web on files in an ISO (Credits: BleepingComputer)

This did not stop the threat actors either: they then switched to a new file format, delivering malicious spam attachments as Microsoft OneNote documents.

Researchers from several cybersecurity firms have already warned that attackers have been distributing spam emails with malicious OneNote attachments since mid-December.

According to the samples found by BleepingComputer, these spam emails impersonated DHL shipping notifications, invoices, shipping documents, mechanical drawings, and ACH remittance forms.

[Image] Fake DHL email with a malicious OneNote attachment (Credits: BleepingComputer)

Microsoft OneNote does not support macros the way Word and Excel do, but it does let users insert file attachments into a notebook, and double-clicking an attachment opens it.


Threat actors take advantage of this feature by embedding a VBS attachment: when the user double-clicks it, the script runs, downloads malware from a remote site, and installs it.

An embedded OneNote attachment simply looks like a file icon, so the attackers place a large "Double click to view file" overlay on top of the attached VBS files to hide them.

[Image] Malicious OneNote attachment (Credits: BleepingComputer)

When the user drags the "Click to View Document" bar aside, the hidden files are revealed: the document actually contains two attachments arranged in a row underneath the button, so double-clicking anywhere on the button lands on one of them and launches it.

[Image] Hidden malicious VBS files (Credits: BleepingComputer)

As with any other file downloaded from the internet, OneNote warns the user before launching the attachment, but as we know, users tend to ignore the warning and click OK anyway.

[Image] Microsoft OneNote security warning (Credits: BleepingComputer)

As soon as the user clicks OK, the VBS script runs; it downloads two files from the remote server and executes them to install the malware.

In one such lure, the OneNote document appears to be a normal document while, in the background, the VBS file installs the malware.
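As an added example (not code from the article or from BleepingComputer's research), the following Python script shows how a defender can carve embedded attachments out of a OneNote section and flag the script-like ones before a user ever double-clicks them. It assumes the FileDataStoreObject layout documented in Microsoft's MS-ONESTORE specification and runs against a constructed sample, not a real malicious file.

```python
import struct

# FileDataStoreObject header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
# from the MS-ONESTORE specification, in its on-disk little-endian layout
# (assumed here; it marks every file embedded in a OneNote section).
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# guidHeader(16) + cbLength(8) + unused(4) + reserved(8) precede the file data
FDSO_HEADER_SIZE = 36

# Defensive markers: embedded content that looks like a Windows Script Host
# script rather than a document or image deserves an analyst's attention.
SCRIPT_MARKERS = (b"wscript.", b"createobject(", b"powershell")


def extract_embedded_files(section: bytes) -> list:
    """Return the raw bytes of every file embedded in a OneNote section."""
    found = []
    pos = section.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", section, pos + 16)
        start = pos + FDSO_HEADER_SIZE
        found.append(section[start:start + length])
        pos = section.find(FDSO_HEADER, start + length)
    return found


def classify(blob: bytes) -> str:
    """Coarse label for an embedded file, based on magic bytes and content."""
    if blob.startswith(b"MZ"):
        return "executable"
    if blob.startswith((b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"%PDF")):
        return "document-or-image"
    if any(marker in blob[:4096].lower() for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def scan_section(section: bytes) -> list:
    """Classify every embedded file; any 'script' or 'executable' is a red flag."""
    return [classify(blob) for blob in extract_embedded_files(section)]


def _fdso(payload: bytes) -> bytes:
    """Wrap a payload the way OneNote stores an attachment (constructed helper)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + bytes(12) + payload


# Constructed sample section: a PNG stub (the decoy image) followed by a
# harmless VBScript one-liner standing in for the hidden attachment.
SAMPLE_SECTION = (b"constructed-onenote-section" + _fdso(b"\x89PNG\r\n\x1a\n" + bytes(16))
                  + bytes(7) + _fdso(b'WScript.Echo "constructed sample"\r\n'))
```

On a real section file, feed the file's bytes to `scan_section` and quarantine anything labelled `script` or `executable` for analysis.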

A cybersecurity researcher notes that the OneNote attachments have been installing the Async and Xworm remote access malware. Another malware distributed by the threat actors is the Quasar remote access trojan.

Once installed, these trojans let the attackers remotely access the compromised device to steal files, browser passwords, and more, so it is better not to open unknown files, as doing so can cause major trouble.


