Alert of a ‘phishing’ campaign via e-mail with fraudulent Microsoft OneNote files

23 Jan. (Portaltic/EP) –

Researchers have discovered a new malicious campaign that distributes ‘malware’ through emails carrying attachments that appear to be Microsoft OneNote files but actually install malicious software in the background on the recipient's device.

Microsoft OneNote is a free note-taking, information-gathering, and multi-user collaboration application that is included in both Microsoft Office 2019 and Microsoft 365.

A group of researchers from the cybersecurity company Trustwave detected in mid-December of last year a campaign they suspected of being fraudulent, since one of its emails carried an attachment with the .one extension.

Because that is an unusual extension for an email attachment, the analysts investigated it and found that, when opened, the file displayed a button inviting the user to view a document.

BleepingComputer recalls that, unlike other Microsoft programs such as Word or Excel, OneNote does not support macros, that is, a series of instructions stored in the system so that they can be executed sequentially by means of a single execution order.

OneNote, on the other hand, allows users to insert attachments that are launched simply by double-clicking them. Hence, cybercriminals have developed a decoy button in order to trick the recipients of these emails and spread malicious files.

Specifically, they have placed four malicious WSF files inside the OneNote document, hidden under an overlay button that covers them and invites users to ‘Double click to view the file’.

By clicking on any point of that button, the user executes one of these files, effectively at random: the one sitting just below where they clicked. The system then issues an alert that an attachment is about to be opened and that doing so risks damaging both the computer and the data it contains.

Faced with this security alert, which offers two buttons (‘Accept’ and ‘Cancel’), the vast majority of users press the first to continue, without stopping to read what the notification says, according to BleepingComputer.

Accepting this operation starts a VBS script that downloads and executes two files from a remote server. The first of these files is a decoy document, which the victim sees as if it were a legitimate document.

At the same time, the VBS script runs another malicious file in the background to install ‘malware’ on the device. The objective of this malicious ‘software’ is to steal information from the device.
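As an added illustration from the defender's side (this is not code from the original article or from the researchers), the following Python script scans the bytes of a .one file for embedded file objects, which the MS-ONESTORE format marks with a fixed header GUID, and flags any payload that looks like a WSF/VBS script or an executable. The sample section it builds is constructed for the demonstration, not a real campaign file, and the content heuristics are simple assumptions a triage tool would refine.

```python
import re
import struct
import uuid

# FileDataStoreObject markers from the MS-ONESTORE specification (GUIDs are stored little-endian).
EMBED_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
EMBED_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Assumed content heuristics: a WSF is XML with a <job> root, VBS droppers lean on these names,
# and a PE starts with "MZ". Order matters: the first match wins.
SCRIPT_PATTERNS = {
    "wsf": re.compile(rb"<\s*job\b", re.I),
    "vbs": re.compile(rb"\b(CreateObject|WScript\.Shell|Execute)\b", re.I),
    "pe": re.compile(rb"^MZ"),
}


def extract_embedded_files(data: bytes):
    """Yield (offset, payload) for every FileDataStoreObject in a .one byte stream."""
    pos = 0
    while (pos := data.find(EMBED_HEADER, pos)) != -1:
        # guidHeader (16) | cbLength uint64 LE (8) | unused (4) | reserved (8) | FileData
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        yield pos, data[start:start + length]
        pos = start + length


def classify(payload: bytes) -> str:
    """Label an embedded payload by its leading bytes."""
    head = payload[:4096]
    for kind, pattern in SCRIPT_PATTERNS.items():
        if pattern.search(head):
            return kind
    return "other"


def triage(data: bytes):
    """Return (offset, kind, size) per embedded file; anything not 'other' deserves a closer look."""
    return [(off, classify(p), len(p)) for off, p in extract_embedded_files(data)]


def build_sample() -> bytes:
    """Constructed stand-in for a .one section: a decoy document plus a harmless WSF-shaped script."""
    def obj(payload: bytes) -> bytes:
        return EMBED_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + EMBED_FOOTER
    decoy = b"%PDF-1.4 constructed decoy content"
    script = b'<job id="demo"><script language="VBScript">MsgBox "constructed sample"</script></job>'
    return b"\0" * 64 + obj(decoy) + b"\0" * 8 + obj(script)
```

Running `triage(build_sample())` reports two embedded files, the second labelled `wsf`; on a real attachment, the offsets let an analyst carve each payload for further inspection.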

Once this ‘malware’ is installed, the threat actors can also remotely access the victim’s device to steal files, harvest saved browser passwords, take screenshots, record video through the webcam and even steal assets from cryptocurrency wallets.