In July, however, this approach to spreading malware became unreliable when Microsoft finally disabled macros by default in Office documents.
Soon after, threat actors moved to new file formats, including ISO images and password-protected ZIP files. These formats quickly gained popularity, helped by a Windows issue that allowed ISOs to bypass security warnings and by the popular 7-Zip archive utility's failure to propagate mark-of-the-web flags to files extracted from ZIP archives.
However, both 7-Zip and Windows have since fixed these flaws, so Windows now displays security warnings when a user tries to open files from downloaded ISO and ZIP archives.
Threat actors, undeterred, soon adopted a new file type in their malicious email (malspam) attachments: Microsoft OneNote attachments.
Microsoft OneNote is a free desktop digital notebook program that comes with Microsoft Office 2019 and Microsoft 365.
Because Microsoft OneNote is installed by default in all Microsoft Office/365 installations, the file format can still be opened on a Windows machine even if the user never uses the program.
Since mid-December, cybersecurity researchers have warned that threat actors have been circulating malicious spam emails with OneNote attachments.
According to BleepingComputer samples, these malspam emails masquerade as DHL delivery alerts, invoices, ACH remittance forms, mechanical drawings, and shipping documentation.
Unlike Word and Excel, OneNote does not support macros, which threat actors previously used to execute scripts that installed malware.
Instead, OneNote users can insert attachments into a notebook, and double-clicking an attachment launches it.
Threat actors are exploiting this functionality by inserting malicious VBS attachments that, when double-clicked, run the script, which then downloads and installs malware from a remote site.
However, because an inserted attachment appears only as a small file icon in OneNote, the threat actors place a large ‘Double click to see file’ bar over the embedded VBS attachments to disguise them.
Fortunately, when you launch an attachment from OneNote, the program warns you that doing so may harm your computer and data.
Unfortunately, experience has shown that these sorts of warnings are often disregarded, with users simply clicking the OK button.
Once the OK button is clicked, the VBS script begins downloading and installing malware. In one of the malicious OneNote VBS scripts discovered by BleepingComputer, the script downloads and executes two files from a remote site.
The first is a decoy OneNote document that opens and looks just like the document you were expecting. In the background, however, the VBS code also runs a malicious batch file to install malware on the device.
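As an added example (not code from this article or from BleepingComputer), the following defender-side triage script carves embedded attachments out of a OneNote .one file using the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification, then flags any payload that looks like a script or executable rather than the document the user expected. The notebook bytes it scans are constructed inline; the marker list and the `triage` helper are assumptions for illustration.

```python
import re
import struct
import uuid

# MS-ONESTORE FileDataStoreObject layout:
#   guidHeader(16) | cbLength(8) | unused(4) | reserved(8) | FileData | guidFooter(16)
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
FDSO_HEADER_LEN = 16 + 8 + 4 + 8

def extract_embedded_files(blob: bytes) -> list[bytes]:
    """Return the FileData payload of every well-formed FileDataStoreObject in a .one blob."""
    payloads = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_HEADER_LEN <= len(blob):
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_HEADER_LEN
        end = start + cb_length
        # Only trust the object if the declared length lands exactly on the footer GUID
        if end <= len(blob) and blob[end:end + 16] == FDSO_FOOTER:
            payloads.append(blob[start:end])
        pos = blob.find(FDSO_HEADER, pos + 1)
    return payloads

# Assumed heuristic: strings typical of script-based droppers (tune for your environment)
SCRIPT_MARKERS = re.compile(rb"(?i)(WScript\.Shell|CreateObject|PowerShell|cmd\.exe|@echo off|mshta)")

def classify(payload: bytes) -> str:
    """Sniff content; the display name shown in the notebook is attacker-controlled, so ignore it."""
    if payload[:2] == b"MZ":
        return "pe-executable"
    if payload[:4] == b"%PDF":
        return "pdf"
    if SCRIPT_MARKERS.search(payload):
        return "script"
    return "other"

def triage(blob: bytes) -> dict[str, int]:
    """Count embedded objects per class; any 'script' or 'pe-executable' hit warrants a closer look."""
    counts: dict[str, int] = {}
    for payload in extract_embedded_files(blob):
        kind = classify(payload)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def build_fdso(file_data: bytes) -> bytes:
    """Build one FileDataStoreObject (constructed fixture, not taken from a real notebook)."""
    return FDSO_HEADER + struct.pack("<Q", len(file_data)) + b"\0" * 12 + file_data + FDSO_FOOTER

# Constructed sample: a decoy document object followed by a VBS-looking attachment
SAMPLE_ONE = (b"\x00" * 32 + build_fdso(b"%PDF-1.4 decoy invoice") + b"\x00" * 8
              + build_fdso(b"' constructed sample\r\nSet sh = CreateObject(\"WScript.Shell\")\r\n"))

if __name__ == "__main__":
    print(triage(SAMPLE_ONE))  # {'pdf': 1, 'script': 1}
```

In practice, run `triage` over the raw bytes of a quarantined .one attachment at the mail gateway or in the SOC; a notebook whose embedded objects include a script or PE alongside a lure document matches the pattern described above.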
Defending against these dangers
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.