Thursday September 19, 2024

Advisory ID: NCC-CSIRT-0202-007

Summary: Attackers are using OneNote attachments in phishing emails to infect victims with remote access malware. In samples found by BleepingComputer, the malicious emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents. Once installed, this type of malware can download further malware and allows threat actors to remotely access a victim's device to steal files and saved browser passwords, take screenshots, and in some cases even record video using the webcam.

Vulnerable Platform(s): Windows Operating Systems

Threat Type:  

·     Malware

·     Phishing

Product: Microsoft OneNote digital note-taking application

Version: All versions

Description: According to BleepingComputer, OneNote does not support macros (a macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically), in contrast to Word and Excel, whose macros were how threat actors in the past launched scripts to spread malware. Instead, OneNote allows users to insert attachments into a notebook that, when double-clicked, are launched. Attackers abuse this feature by inserting malicious VBS (Visual Basic Script) attachments that, when double-clicked, run the script to download malware from a remote site and install it. Because the inserted attachments appear as plain file icons in OneNote, the threat actors overlay a large "Double click to view file" bar on top of the VBS attachments to hide them. A double-click anywhere on the bar therefore lands on a hidden attachment and launches it.
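As an added, defender-side illustration (not code from this advisory or from BleepingComputer), the following Python script extracts the attachments embedded in a OneNote (.one) file and flags those that look like scripts rather than documents, which is the pattern described above. It relies on the FileDataStoreObject layout that Microsoft documents in the MS-ONESTORE specification (header GUID, 8-byte length, 12 bytes of padding, the raw file bytes, optional alignment padding, footer GUID); the script-marker list, the text-likeness threshold and the sample notebook bytes are this example's own constructions, not a published signature or a real sample.

```python
"""Triage attachments embedded in a OneNote (.one) file.

Added example for this advisory. The two GUIDs come from Microsoft's
MS-ONESTORE specification (FileDataStoreObject); everything else,
including the indicator list and the scoring, is an assumption made
for illustration.
"""
import struct
import uuid

# FileDataStoreObject delimiters from MS-ONESTORE, stored on disk in Windows
# little-endian GUID layout, hence bytes_le.
GUID_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
GUID_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Assumed indicators for this example: tokens a defender would not expect to
# see inside a legitimate embedded image, PDF or Office document.
SCRIPT_MARKERS = (b"CreateObject(", b"WScript.", b"Shell(", b"powershell", b"cmd /c")

# A few well-known file signatures used to label benign-looking payloads.
KNOWN_MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"\x89PNG": "png",
               b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip/ooxml"}


def extract_embedded_files(data: bytes):
    """Return [(payload, footer_ok)] for every FileDataStoreObject in data."""
    found, pos = [], 0
    while True:
        pos = data.find(GUID_HEADER, pos)
        if pos == -1:
            break
        hdr_end = pos + 16
        if hdr_end + 20 > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, hdr_end)
        start = hdr_end + 20          # cbLength(8) + unused(4) + reserved(8)
        end = start + length
        if end > len(data):           # truncated or corrupt object: stop here
            break
        # FileData may be padded to an 8-byte boundary before guidFooter.
        footer_ok = data.find(GUID_FOOTER, end, end + 7 + 16) != -1
        found.append((data[start:end], footer_ok))
        pos = end
    return found


def classify(payload: bytes) -> dict:
    """Label a payload and decide whether it looks like an embedded script."""
    kind = "unknown"
    for magic, name in KNOWN_MAGIC.items():
        if payload.startswith(magic):
            kind = name
            break
    head = payload[:4096]
    lowered = head.lower()
    markers = [m.decode() for m in SCRIPT_MARKERS if m.lower() in lowered]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
    text_like = len(head) > 0 and printable / len(head) > 0.9
    # Mostly-printable content carrying script tokens matches the VBS lure in
    # this advisory; a raw executable is flagged regardless of content.
    suspicious = (text_like and bool(markers)) or kind == "pe"
    return {"kind": kind, "text_like": text_like,
            "markers": markers, "suspicious": suspicious}


def triage(data: bytes):
    """Run extraction and classification over a whole .one blob."""
    results = []
    for idx, (payload, footer_ok) in enumerate(extract_embedded_files(data)):
        info = classify(payload)
        info.update(index=idx, size=len(payload), footer_ok=footer_ok)
        results.append(info)
    return results


def build_file_data_store_object(payload: bytes) -> bytes:
    """Construct a FileDataStoreObject around payload (fixture builder only)."""
    pad = (-len(payload)) % 8
    return (GUID_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12
            + payload + b"\0" * pad + GUID_FOOTER)


# Constructed sample notebook: filler, a small PNG-like blob, and a harmless
# VBScript-looking text attachment. Not a real .one file or real malware.
CONSTRUCTED_VBS = (b"' constructed harmless sample for the example\r\n"
                   b'Set sh = CreateObject("WScript.Shell")\r\n'
                   b'MsgBox "hello"\r\n')
SAMPLE_ONE = (b"CONSTRUCTED FILLER BYTES "
              + build_file_data_store_object(b"\x89PNG\r\n\x1a\n" + b"\0" * 40)
              + b"\0" * 16
              + build_file_data_store_object(CONSTRUCTED_VBS))

if __name__ == "__main__":
    for entry in triage(SAMPLE_ONE):
        print(entry)
```

Running the block on its own prints one entry per embedded attachment; in practice you would read a quarantined .one file into `data` and review any entry with `suspicious` set to `True` before a user is allowed to open the notebook.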

Consequences:

Installs malware on the device, which may allow attackers to remotely access sensitive information on victims' devices.

Impact/Probability: CRITICAL/HIGH

Solution:

·     Do not open files from people you do not know.

·     If you receive a warning that opening an attachment or link can damage your computer or files, do not click OK; exit the application immediately.

·     Share an unexpected email that you believe to be genuine with a security or Windows administrator to help you determine whether the file is safe.

References:

https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/

https://www.microsoft.com/en-ww/microsoft-365/onenote/digital-note-taking-app

https://www.hkcert.org/security-news?item_per_page=10&year%5B%5D=2023&month%5B%5D=01