Researchers have discovered a new malicious campaign that distributes malware through emails carrying what appear to be Microsoft OneNote attachments; the files actually contain embedded scripts that install malware on the device in the background.
Microsoft OneNote is a free note-taking, information-gathering, and multi-user collaboration application that is included in both Microsoft Office 2019 and Microsoft 365.
In mid-December of last year, researchers from the cybersecurity company Trustwave detected a suspicious campaign: an email that carried an attachment with the unusual .one extension.
Because that extension is rarely seen in email, analysts examined the file and found that it displayed a button inviting the user to view a document.
BleepingComputer notes that, unlike other Microsoft programs such as Word or Excel, OneNote does not support macros (stored sequences of instructions that run in order from a single command).
OneNote does, however, allow users to insert attachments that open when double-clicked. Cybercriminals have exploited this by building a decoy button to trick email recipients into launching malicious files.
Specifically, the attackers placed four malicious WSF files in the OneNote document and hid them under a large overlay button reading ‘Double-click to view file’.
Clicking anywhere on that button launches whichever of the hidden files sits directly beneath the click. OneNote then shows a warning that an attachment is about to be opened and that doing so could harm the computer and the data it contains.
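As an added defender-side example (not part of the original article), the following Python script scans a .one file for embedded attachments and flags any that look like scripts or executables. It locates each embedded file by the FileDataStoreObject header GUID defined in Microsoft's MS-ONESTORE specification and reads the data length that follows it; the sample .one blob and the marker strings are constructed here for illustration.

```python
import struct
import uuid
from typing import Optional

# FileDataStoreObject header GUID (MS-ONESTORE); stored little-endian on disk.
FILE_DATA_STORE_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Constructed content markers a defender would flag inside a OneNote attachment.
SUSPICIOUS_MARKERS = {
    "wsf/xml script": (b"<job", b"<script"),
    "vbs": (b"createobject(", b"wscript."),
    "hta": (b"<hta:application",),
}

def extract_embedded_files(data: bytes):
    """Yield (offset, payload) for every FileDataStoreObject found in the blob."""
    pos = 0
    while True:
        idx = data.find(FILE_DATA_STORE_GUID, pos)
        if idx < 0:
            return
        (length,) = struct.unpack_from("<Q", data, idx + 16)  # cbLength
        start = idx + HEADER_LEN
        yield idx, data[start:start + length]
        pos = start + max(length, 1)  # a bogus length still advances the scan

def classify(payload: bytes) -> Optional[str]:
    """Return a label for script- or executable-like content, else None."""
    if payload.startswith(b"MZ"):
        return "pe executable"
    head = payload[:1024].lower()
    for label, markers in SUSPICIOUS_MARKERS.items():
        if any(m in head for m in markers):
            return label
    return None

def scan_onenote(data: bytes) -> list:
    """Report every embedded file with its offset, size and verdict."""
    return [{"offset": off, "size": len(p), "verdict": classify(p)}
            for off, p in extract_embedded_files(data)]

def _store_object(payload: bytes) -> bytes:
    # Constructed FileDataStoreObject: GUID, cbLength, 12 reserved bytes, data.
    return FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload

# Constructed stand-in for a .one file: a decoy document, a WSF script and a PE.
SAMPLE_ONE = (b"\x01" * 64
              + _store_object(b"%PDF-1.4 decoy document\n")
              + b"\x02" * 32
              + _store_object(b'<?xml version="1.0"?><job id="x"><script language="VBScript">'
                              b'CreateObject("WScript.Shell")</script></job>')
              + _store_object(b"MZ\x90\x00" + b"\x00" * 40))
```

Run `scan_onenote(open("suspect.one", "rb").read())` on a real file to list each attachment and its verdict.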
Faced with this security alert, which offers two buttons (‘Accept’ and ‘Cancel’), the vast majority of users press the first to continue without stopping to read what the notification says, according to Bleeping Computer.
Accepting runs the VBS script, which downloads and executes two files from a remote server. The first is a decoy document, shown to the victim so that the attachment appears legitimate.
Meanwhile, the script also runs a second malicious file in the background that installs malware on the device. This malware is designed to steal information.
Once the malware is installed, the threat actors can remotely access the victim’s device to steal files, harvest saved browser passwords, take screenshots, record video through the webcam, and even steal assets from cryptocurrency wallets.
Source: Elcomercio