Hackers have discovered a new way to bypass the macro block in Microsoft Office files and are still delivering malware to unsuspecting victims who use a corporate suite of online collaboration apps.
Security experts found newly distributed phishing emails with OneNote attachments.
OneNote is a digital note-taking app that people can use to create a shareable content library. It comes as part of the wider Microsoft Office suite, which means if people install this, they can open OneNote files as well. While OneNote files, called NoteBooks, don’t support macros, they do support attachments, and that’s what scammers are now taking advantage of.
Malicious VBS files
The phishing emails themselves are nothing unusual – they include fake DHL parcel notifications, fake invoices, fake shipping notes, ACH transfer forms, and so on. Instead of holding an attached Word or Excel file, they hold a OneNote file that if opened looks blurry, with a big button in the middle that says “Double click to view file”.
However, double-clicking it launches the attachment which is, in this case, a malicious VBS file.
This file then starts communicating with the command and control server (C2) and downloads malware.
The researchers obtained a couple of these emails and determined that several remote access Trojans are circulating, including the AsyncRAT and XWorm Trojans, as well as the Quasar Remote Access Trojan.
The best way to protect against these attacks is the same as ever – educate your employees not to download attachments or click on email links from people they don’t know, trust, or whose identity they can’t confirm. Also, they should be taught not to ignore warning messages displayed in programs such as Word, Excel, or OneNote. Other than that, having a solid antivirus solution and firewall is welcome.
Finally, activating MFA where possible greatly reduces the chances of a more serious compromise.
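For mail filtering, the embedded-attachment technique described above can be checked for directly. The following Python is an added example, not code from the original article or from Microsoft: it scans a OneNote file's bytes for embedded file objects and for attachment names with script extensions. The FileDataStoreObject layout follows the MS-ONESTORE specification; the extension list, the script markers, the function names and the assumption that attachment names appear as UTF-16LE text are choices made for this example.

```python
import re
import struct
import uuid

# GUID that opens each FileDataStoreObject (an embedded file) in MS-ONESTORE.
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
RISKY_EXT = ("vbs", "vbe", "js", "jse", "wsf", "hta", "bat", "cmd", "ps1", "lnk", "exe")
# Assumption: attachment names appear as UTF-16LE text inside the file.
NAME_RE = re.compile(
    rb"(?:[\w\-. ]\x00){1,64}\.\x00(?:"
    + b"|".join(e.encode("utf-16-le") for e in RISKY_EXT)
    + rb")(?![A-Za-z0-9]\x00)",
    re.IGNORECASE,
)
SCRIPT_MARKERS = (b"wscript.shell", b"createobject", b"powershell")

def embedded_files(data):
    """Yield the payload of every FileDataStoreObject found in the bytes."""
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        start = pos + 36  # 16 GUID + 8 cbLength + 4 unused + 8 reserved
        if start <= len(data):
            (length,) = struct.unpack_from("<Q", data, pos + 16)
            if length <= len(data) - start:  # skip truncated or bogus lengths
                yield data[start:start + length]
        pos = data.find(FDSO_HEADER, pos + 16)

def triage(data):
    """Summarise embedded content so a mail filter can hold risky files."""
    names = sorted({m.group().decode("utf-16-le").lower() for m in NAME_RE.finditer(data)})
    blobs = list(embedded_files(data))
    script_like = sum(any(k in b.lower() for k in SCRIPT_MARKERS) for b in blobs)
    return {"embedded": len(blobs), "risky_names": names,
            "script_like": script_like, "suspicious": bool(names or script_like)}

def build_sample(name, payload):
    """Constructed test bytes: one embedded object plus its name, not a real file."""
    obj = FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload
    return b"\x00" * 16 + obj + b"\x00" * 4 + name.encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    inert_vbs = b'Set s = CreateObject("WScript.Shell")\r\n'  # constructed, inert
    print(triage(build_sample("invoice.vbs", inert_vbs)))
    print(triage(build_sample("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)))
```

A file flagged as suspicious is a candidate for quarantine and manual review; legitimate notebooks with embedded documents or images report embedded objects without risky names.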
Via: BleepingComputer