{"id":86873,"date":"2023-02-03T17:42:19","date_gmt":"2023-02-03T17:42:19","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4030950"},"modified":"2023-02-15T10:36:49","modified_gmt":"2023-02-15T10:36:49","slug":"onenote-documents-spread-malware-in-several-countries","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=86873","title":{"rendered":"OneNote documents spread malware in several countries"},"content":{"rendered":"<div id=\"\">\n<p>A new phishing campaign abuses OneNote documents to infect computers with the infamous AsyncRAT malware, targeting users in the U.K., Canada and the U.S.<\/p>\n<\/div>\n<div id=\"\">\n<figure id=\"attachment_3999287\" aria-describedby=\"caption-attachment-3999287\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-3999287\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/02\/onenote-documents-spread-malware-in-several-countries.jpg\" alt=\"A screen of code with an alert symbolizing a malware attack.\" width=\"770\" height=\"433\"><figcaption id=\"caption-attachment-3999287\" class=\"wp-caption-text\">Image: Sashkin\/Adobe Stock<\/figcaption><\/figure>\n<p>When Microsoft <a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/internet-macros-blocked\" target=\"_blank\" rel=\"noopener noreferrer\">changed<\/a> the default of its Office products to block macros in files downloaded from the internet, cybercriminals saw one of their favorite infection methods vanish.<\/p>\n<p>Some cybercriminals have already found workarounds that keep abusing Microsoft Office products, such as <a href=\"https:\/\/www.techrepublic.com\/article\/cisco-talos-xll-excel-vulnerability\/\">Excel XLL add-in files<\/a>. 
Other cybercriminals have found a different way to keep abusing Microsoft products to infect computers with malware: weaponized <a href=\"https:\/\/www.techrepublic.com\/resource-library\/ebooks\/microsoft-onenote-an-insider-s-guide\/\">OneNote<\/a> documents.<\/p>\n<h2>Phishing attacks deliver AsyncRAT malware<\/h2>\n<p>A new Bitdefender <a href=\"https:\/\/www.bitdefender.com\/blog\/hotforsecurity\/threat-actors-impersonate-canadian-gas-retailer-to-deliver-malicious-onenote-phishing-campaign-bitdefender-labs-warns\/\" target=\"_blank\" rel=\"noopener noreferrer\">study<\/a> exposes a phishing campaign abusing OneNote to infect computers with malware. In that campaign, cybercriminals impersonated Ultramar, a Canadian gas and home fuel retailer, sending phishing emails that appeared to come from the company (<strong>Figure A<\/strong>).<\/p>\n<p><strong>Figure A<\/strong><\/p>\n<figure id=\"attachment_4030951\" aria-describedby=\"caption-attachment-4030951\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4030951\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/02\/onenote-documents-spread-malware-in-several-countries-1.jpg\" alt=\"Phishing email impersonating Canadian company Ultramar.\" width=\"770\" height=\"352\"><figcaption id=\"caption-attachment-4030951\" class=\"wp-caption-text\">Image: Bitdefender. 
Phishing email impersonating Canadian company Ultramar.<\/figcaption><\/figure>\n<p>As can be seen in <strong>Figure A<\/strong>, the email contains text in both English and French and, most importantly, an attached file named Invoice_32566.one, the .one extension indicating a OneNote file.<\/p>\n<p>A second, similar phishing campaign hit Canada, the U.K. and the U.S. with a different attachment name, Invoice_76562.one.<\/p>\n<p>The payloads fetched by those OneNote documents once opened were downloaded from the websites of a Catholic church in Canada and a digital service provider in India. Both sites had been compromised, either directly by the attackers or bought from an <a href=\"https:\/\/www.techrepublic.com\/article\/initial-access-brokers-how-are-iabs-related-to-the-rise-in-ransomware-attacks\/\">initial access broker<\/a> (IAB), and were used to host the malware. Hosting malicious code on a legitimate but compromised website is a common technique: the domain has a clean reputation, so the download evades detection for longer.<\/p>\n<p>In the end, users opening the OneNote documents were infected with AsyncRAT, which Bitdefender describes as \u201ca nifty remote access tool designed to stealthily let an attacker infiltrate the devices of the target victim\u2019s device.\u201d<\/p>\n<h3>What is AsyncRAT?<\/h3>\n<p><a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.asyncrat\" target=\"_blank\" rel=\"noopener noreferrer\">AsyncRAT<\/a> source code has been freely available on the internet since 2019, which means the original version is detected by most security solutions, if not all. 
Yet it also means anyone can take the AsyncRAT source code and modify it to add or remove features or to make it harder to detect.<\/p>\n<p>Currently, the malware is capable of recording screens, capturing keystrokes, manipulating files on the system, executing code and launching distributed denial-of-service attacks, which makes it suitable for a variety of purposes.<\/p>\n<p>It has already been <a href=\"https:\/\/www.netskope.com\/blog\/asyncrat-using-fully-undetected-downloader\" target=\"_blank\" rel=\"noopener noreferrer\">used by cyberespionage threat actors<\/a> as well as for financially motivated attacks. Once a computer is infected with AsyncRAT, the attacker can see the machine in the tool's administration panel and act on it as needed (<strong>Figure B<\/strong>). Several infected machines can be managed from the same interface.<\/p>\n<p><strong>Figure B<\/strong><\/p>\n<figure id=\"attachment_4030952\" aria-describedby=\"caption-attachment-4030952\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4030952\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/02\/onenote-documents-spread-malware-in-several-countries-2.jpg\" alt=\"AsyncRAT administration panel.\" width=\"770\" height=\"396\"><figcaption id=\"caption-attachment-4030952\" class=\"wp-caption-text\">Image: Github. AsyncRAT administration panel.<\/figcaption><\/figure>\n<h2>More attacks in the wild<\/h2>\n<p>Bitdefender researchers are not the only ones who have investigated the threat posed by malicious OneNote documents. 
In December 2022, Trustwave also <a href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/trojanized-onenote-document-leads-to-formbook-malware\/\" target=\"_blank\" rel=\"noopener noreferrer\">reported phishing campaigns<\/a> built on trojanized OneNote documents, this time delivering the <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.formbook\" target=\"_blank\" rel=\"noopener noreferrer\">Formbook<\/a> malware, a widespread information stealer capable of stealing passwords, taking screen captures, executing code and more.<\/p>\n<p>\u201cIt\u2019s clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices,\u201d declared Adrian Miron, manager at Bitdefender\u2019s Cyber Threat Intelligence Lab. \u201cThese campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims.\u201d<\/p>\n<h2>How to protect against this threat<\/h2>\n<p>Companies that don\u2019t use OneNote should block the .one extension at their email gateways. This prevents internal users from accidentally opening infected files on company devices. Employees should instead ask senders for files in another format, such as .docx or .xlsx. As a more drastic step, companies could block the installation or use of OneNote on company systems altogether, but this should be checked against actual usage first, since individual employees may rely on the tool.<\/p>\n<p>Malicious OneNote files mostly rely on files embedded inside the document, such as a script that downloads the actual payload. When a user opens such an embedded file, OneNote shows a warning that it could harm the computer and its data. Experience has shown, however, that users often ignore those warnings and simply click through. 
Companies can work to prevent these threats by:<\/p>\n<ul>\n<li>Raising awareness among all employees of potentially harmful files and links.<\/li>\n<li>Building protocols and training on how to respond to warnings about malicious files or links.<\/li>\n<li>Deploying security solutions that detect malicious code when it is launched from a OneNote file, as well as other threats.<\/li>\n<li>Keeping all systems and software updated and patched so that a known vulnerability cannot be used to compromise them.<\/li>\n<\/ul>\n<p><em><strong>Disclosure: <\/strong>I work for Trend Micro, but the views expressed in this article are mine.<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new phishing campaign abuses OneNote documents to infect computers with the infamous AsyncRAT malware, targeting users in the U.K., Canada and the U.S. Image: Sashkin\/Adobe Stock As Microsoft decided to change the default of its Office products to block macros on files downloaded from the internet, cybercriminals saw one of their favorite infection methods 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":86874,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,783,696,152,113,202,287],"tags":[],"class_list":["post-86873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-cloudsync","category-malware","category-microsoft","category-phishing","category-ransomware","category-security"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/86873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=86873"}],"version-history":[{"count":1,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/86873\/revisions"}],"predecessor-version":[{"id":88028,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/86873\/revisions\/88028"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/86874"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=86873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=86873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=86873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
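The following is an added example, not code from the article nor from Bitdefender's or Trustwave's research, illustrating the two defensive points the article makes: blocking OneNote attachments at the mail gateway, and the fact that malicious .one files carry their first stage as embedded files. It flags attachments as OneNote both by extension and by the .one file magic (so a renamed Invoice.pdf that is really a .one file is still caught), then walks the FileDataStoreObject wrappers inside the document and reports what kind of file each one embeds. It uses only the Python standard library. The GUID constants are the values given in Microsoft's MS-ONESTORE specification (check them against the spec before relying on them in production); the email and the .one blob it scans are constructed inline for the demo and contain only harmless stubs.

```python
"""Added example (not code from the article, Bitdefender or Trustwave): flag
OneNote attachments in a raw email and list the files embedded inside them.
GUID constants are the values given in Microsoft's MS-ONESTORE spec; the
sample email and .one blob at the bottom are constructed for the demo."""
import struct
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List

# Header.guidFileType of a .one section file: {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
ONE_FILE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
# FileDataStoreObject guidHeader / guidFooter, the wrapper around every embedded file:
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
ONENOTE_EXTENSIONS = (".one", ".onetoc2", ".onepkg")


def sniff(data: bytes) -> str:
    """Rough content-type guess for an embedded file from its first bytes."""
    head = data[:64]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith(b"PK\x03\x04"):
        return "ZIP/OOXML archive"
    if head.startswith(b"L\x00\x00\x00\x01\x14\x02\x00"):
        return "Windows shortcut (.lnk)"
    if b"wscript" in low or b"createobject" in low or b"<script" in low:
        return "script (VBS/JS/HTA)"
    if b"powershell" in low or b"cmd.exe" in low or b"@echo" in low:
        return "script (batch/PowerShell)"
    return "unknown"


def embedded_files(one_bytes: bytes) -> List[Dict[str, object]]:
    """Walk every FileDataStoreObject in a .one blob. Layout per MS-ONESTORE:
    guidHeader(16) | cbLength(8, little-endian) | unused(4) | reserved(8) | FileData | guidFooter(16)."""
    found = []
    pos = one_bytes.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", one_bytes, pos + 16)
        start = pos + 16 + 8 + 4 + 8
        payload = one_bytes[start:start + length]
        found.append({"offset": pos, "size": length, "type": sniff(payload)})
        pos = one_bytes.find(FDSO_HEADER, start + length)
    return found


def scan_email(raw: bytes) -> List[Dict[str, object]]:
    """One record per attachment that is OneNote by extension OR by file magic,
    so a .one file renamed to .pdf is still caught, with its embedded files listed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        if not name and not part.is_attachment():
            continue  # plain message body
        data = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(ONENOTE_EXTENSIONS)
        by_magic = data.startswith(ONE_FILE_MAGIC)
        if by_ext or by_magic:
            hits.append({"filename": name,
                         "matched": "extension" if by_ext else "magic",
                         "embedded": embedded_files(data)})
    return hits


def _fdso(payload: bytes) -> bytes:
    """Constructed for the demo: wrap payload in a FileDataStoreObject."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


def build_sample_email() -> bytes:
    """Constructed test input, not a real campaign sample: a fake .one file carrying a
    harmless VBS stub and a PE stub, attached once under its real name and once renamed."""
    vbs = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "calc.exe"\r\n'
    pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    one_doc = ONE_FILE_MAGIC + b"\0" * 48 + _fdso(vbs) + b"\0" * 8 + _fdso(pe)
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(one_doc, maintype="application", subtype="octet-stream",
                       filename="Invoice_32566.one")
    msg.add_attachment(one_doc, maintype="application", subtype="pdf",
                       filename="invoice.pdf")  # renamed: caught by magic only
    msg.add_attachment(b"%PDF-1.4\n%harmless\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")  # benign, should not be flagged
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_email(build_sample_email()):
        print(f"{hit['filename']} (matched by {hit['matched']}):")
        for emb in hit["embedded"]:
            print(f"  offset {emb['offset']}: {emb['size']} bytes, {emb['type']}")
```

Two design points matter in practice. First, the extension check alone is what the article recommends, but it is the weaker half: an attacker who renames the attachment defeats it, while the 16-byte file header does not change, so a gateway rule should match on both. Second, the embedded-file walk does not attempt to parse the full OneNote object store; it only locates the FileDataStoreObject wrappers, which is enough for triage (an invoice that embeds a VBS stub and a PE file is not an invoice) and for pulling out samples for sandboxing.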