By Gagandeep Singh
24-Jan-2023
Attackers have long deployed malware through spam emails carrying malicious Microsoft Word and Excel attachments whose macros download and install the malware.
Now attackers have turned to Microsoft OneNote, attaching malicious OneNote files to phishing emails to install remote access malware on the victim's computer and steal cryptocurrency wallets, passwords, and more.
In July, Microsoft once again disabled macros by default in Office Excel and Word, which ultimately made this technique useless.
After that, attackers moved to other file formats, such as ISO images and ZIP files; a Windows bug that bypassed the security warnings for these files helped them.
The observed samples show these spam emails impersonating DHL shipping notices, invoices, shipping documents, mechanical drawings, and ACH remittance forms.
OneNote does not support macros, but it lets users insert attachments into a notebook, and double-clicking an attachment opens it.
Attackers abuse this feature with a VBS attachment: when the user double-clicks it, the script runs, downloads malware from a remote site, and installs it.
The OneNote attachment appears as a small file icon, so the attackers place a large "double click to view files" overlay on top of the VBS attachments to hide them.
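Because the attachment is stored inside the .one file as a FileDataStoreObject (MS-ONESTORE section 2.6.13: a header GUID, a 64-bit length, 12 reserved bytes, the raw file data and a footer GUID), a mail gateway or sandbox can carve every embedded file and flag script or executable content before the note ever reaches a user. The following scanner is an added example, not code from the article or any vendor tool; it runs on a constructed in-memory sample rather than a real malicious note, and the `SUSPICIOUS` heuristics are illustrative assumptions.

```python
import re
import struct
import uuid

# GUIDs from MS-ONESTORE: .one file header and FileDataStoreObject header/footer
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Assumed content heuristics: none of these belong in a note attachment
SUSPICIOUS = [
    ("pe_executable", re.compile(rb"^MZ")),
    ("vbscript", re.compile(rb"CreateObject\s*\(|WScript\.", re.I)),
    ("html_app", re.compile(rb"<script|<hta:application", re.I)),
    ("powershell", re.compile(rb"powershell|-EncodedCommand", re.I)),
]

def carve_attachments(data: bytes):
    """Yield (offset, payload) for each well-formed FileDataStoreObject in data."""
    pos = 0
    while (pos := data.find(FDSO_HEADER, pos)) >= 0 and pos + 36 <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)  # cbLength, uint64 LE
        start, end = pos + 36, pos + 36 + length               # skip unused(4)+reserved(8)
        if end + 16 <= len(data) and data[end:end + 16] == FDSO_FOOTER:
            yield pos, data[start:end]
            pos = end + 16          # continue after the footer
        else:
            pos += 16               # truncated or fake header, keep searching

def classify(payload: bytes) -> list:
    """Tags matched by the first 4 KiB of an embedded file; empty means clean."""
    return [name for name, rx in SUSPICIOUS if rx.search(payload[:4096])]

def scan_onenote(data: bytes) -> list:
    """Return [(offset, size, tags)] for every embedded file in a .one blob."""
    return [(off, len(p), classify(p)) for off, p in carve_attachments(data)]

def build_sample() -> bytes:
    """Constructed .one-like blob: one harmless PNG stub and one VBS text attachment."""
    def fdso(payload: bytes) -> bytes:
        return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    vbs = b'Set sh = CreateObject("WScript.Shell")\r\nWScript.Echo "constructed sample"\r\n'
    return ONE_MAGIC + b"\0" * 48 + fdso(png) + b"\0" * 8 + fdso(vbs)

if __name__ == "__main__":
    for off, size, tags in scan_onenote(build_sample()):
        print(f"attachment @0x{off:x} {size} bytes -> {tags or 'clean'}")
```

On a real note the same carving finds the hidden VBS regardless of the overlay image drawn on top of it, which is what makes the gateway check more reliable than the user's eye.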