More Microsoft OneNote files are being hijacked to spread malware
>
Researchers have discovered a new cyber campaign that uses Microsoft OneNote files to infect devices with the QBot malware (opens in new tab).
A report from Sophos claims that the campaign, dubbed “QakNote”, is currently active, with unknown threat actors sending phishing emails with NoteBook attachments that come with their own attachments.
These attachments can be in almost any format, and in this case it is an HTA file – an embedded HTML application.
Multistage attacks
When activated, the application retrieves the QBot malware payload, which the attackers can use to gain initial access to target endpoints. Later, they can use that access to deploy stage-two malware, be it infostelaers, ransomware, cryptominers, or something else.
To activate the attachment, victims have to double-click on a specific part of the NoteBook file.
Threat actors usually created a fake faded report with a big “Click here to view” button, leading people to believe that the contents of the file were “protected” for privacy reasons.
Microsoft OneNote has emerged as one of the more popular threat vectors, following the demise of Office macros. In 2022, Microsoft made it impossible to run macros in Office files downloaded from the Internet, effectively halting one of the most popular attack vectors in existence. Since then, threat actors have been looking for alternatives, and so far two methods are gaining popularity.
OneNote files with malicious attachments is one of the methods, with the second being shortcut files (.LNK) used to sideload malicious .DLLs.
In the second method, the attackers sent an archive folder containing a malicious .DLL file, a legitimate app such as the Windows Calculator, and a shortcut file whose icon had been changed to something else (for example, a .PDF file). If the victim clicks on the shortcut file, the application will run, which will activate the malicious .DLL file.
Whichever method the attackers choose, they all have one thing in common: action must come from the victim, as they must be the ones who actually execute the malicious code. That said, the best way to stay safe is to use common sense and caution when running files downloaded via email.
Through: Beeping computer (opens in new tab)