More Microsoft OneNote files are being hijacked to spread malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Researchers have uncovered a new cyber campaign using Microsoft OneNote files to infect devices with the QBot malware.

A report from Sophos claims the campaign, dubbed “QakNote”, is currently active, with unknown threat actors sending out phishing emails with NoteBook attachments  which come with attachments of their own.

These attachments can be in pretty much any format, and in this case, they’re an HTA file - an embedded HTML application.

Multi-stage attacks

If activated, the application retrieves the QBot malware payload, which the attackers can use to gain initial access to target endpoints. Later, they can use that access to deploy stage-two malware, be it infostelaers, ransomware, cryptominers, or something else, entirely.

To activate the attachment, the victims need to double-click a specific portion of the NoteBook file. 

Threat actors would usually create a fake blurred-out report with a large “Click Here to View” button, tricking people into thinking the contents of the file were “protected” for privacy reasons. 

Microsoft OneNote has emerged as one of the more popular threat vectors, following the demise of Office macros. In 2022, Microsoft made it impossible to run macros in Office files downloaded from the internet, effectively putting a stop to one of the most popular attack vectors in existence. Since then, threat actors have been looking for alternatives, and so far - two methods are growing increasingly popular.

OneNote files with malicious attachments is one of the methods, with the second one being shortcut files (.LNK) used to side-load malicious .DLLs. 

In the second method, the attackers would send an archive folder containing a malicious .DLL file, a legitimate app such as the Windows Calculator, and a shortcut file whose icon was changed to something else (for example, a .PDF file). If the victim clicks the shortcut file, they would run the application, which would trigger the malicious .DLL file. 

Whichever method the attackers go for, they all have one thing in common - there needs to be action from the victim, as they need to be the ones to actually run the malicious code. That being said, the best way to stay safe is to use common sense and be careful when running files downloaded via email. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.