>
Hackers have discovered a new way to bypass the macro block in Microsoft Office files and still deliver malware (opens in new tab) to unsuspecting victims through the company’s suite of online collaboration apps.
Security experts at Beeping computer found newly distributed phishing emails with OneNote attachments.
OneNote is a digital note-taking app that allows people to create a shareable library of content. It comes as part of the wider Microsoft Office suite, which means that if people have this installed, they’ll also be able to open OneNote files. While OneNote’s files, called NoteBooks, don’t support macros, they do support attachments, which is what the crooks are now taking advantage of.
Malicious VBS files
The phishing emails themselves are nothing special – they contain fake DHL package notifications, fake invoices, fake shipping notifications, ACH remittance forms, and the like. Instead of carrying a Word or Excel file, they are carrying a OneNote file which, when opened, appears blurry, with a huge button in the center that says “Double click to view file” .
However, double-clicking executes the attachment, which in this case is a malicious VBS file.
This file then initiates communication with the command & control (C2) server and downloads the malware.
Beeping computer received a few of these emails and found that there are several remote access trojans and infostealers in circulation, including the AsyncRAT and XWorm remote access trojans, as well as the Quasar Remote Access trojan.
The best way to protect against these attacks is the same as always: teach your employees not to download attachments or click on email links from people they don’t know, don’t trust, or whose identity cannot be confirmed. They should also be trained not to ignore warning messages prompted by programs such as Word, Excel, or OneNote. Aside from that, having a strong antivirus solution and a firewall is welcome.
Finally, activating multi-factor authentication (MFA) where possible greatly reduces the chance of a more serious compromise.
Through: Beeping computer (opens in new tab)