
Hackers using OneNote to Spread Malware

For a long time, cybercriminals have exploited the macro function in applications like Word and Excel to infect users’ PCs with malware. They usually do this by injecting malicious code into a legitimate-looking document, then tricking users into enabling macros on the pretext that this is needed to view the file correctly.

Microsoft is aware of this threatening behavior, so it has blocked macros in Office documents by default. However, cybercriminals have now turned to another application, OneNote, to trick users into infecting their PCs with malware.

As it turns out, cybercriminals have been seen sending phishing emails that appear to contain DHL invoices, shipping forms, shipping notifications and documents, and mechanical drawings. Instead of using macros, which OneNote does not support, cybercriminals are exploiting that tool’s ability to attach files.

They do this by attaching malicious VBS files. When double-clicked, those files automatically download and install malware from a remote website. To hide them and make the OneNote document look as legitimate as possible, hackers overlay a “Double-click to view file” box on top of the attachments. This means that clicking on the box actually launches the hidden malicious files, which install malware on your device. The problem is that although OneNote warns users that opening attachments can harm their computer and data, many users ignore the warning and click “OK”.

In emails seen by BleepingComputer, malicious OneNote documents often install remote access trojans that can steal confidential information and cryptocurrency wallets. Others may even take screenshots and record videos using the victim’s webcam. To protect yourself from these attacks, the main advice is not to open unsolicited emails from people you don’t know. Also, make sure your antivirus software is up to date so that it can properly detect and remove malware from your system.
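For defenders who screen inbound mail, the attachment technique described above can be checked for before a message reaches a user. The following is an added example, not code from the article or from Microsoft: it finds OneNote attachments in a raw email and counts the embedded files that look like scripts. The two GUIDs are taken from the MS-ONESTORE specification; the script markers, the function names and the sample message are assumptions constructed for illustration.

```python
import struct
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# GUIDs from the MS-ONESTORE specification, converted to on-disk byte order.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
# Assumed heuristic: strings typical of Windows script files (not exhaustive).
SCRIPT_MARKERS = (b"createobject", b"wscript.", b"<script", b"powershell")

def embedded_files(data):
    """Yield the raw bytes of each file embedded in a OneNote section."""
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        # Layout: header GUID (16), cbLength (8), unused (4), reserved (8), data.
        if pos + 36 <= len(data):
            (length,) = struct.unpack_from("<Q", data, pos + 16)
            start = pos + 36
            if length <= len(data) - start:  # skip truncated or bogus lengths
                yield data[start:start + length]
        pos = data.find(FDSO_HEADER, pos + 16)

def looks_like_script(blob):
    text = blob[:65536].replace(b"\x00", b"").lower()  # also folds UTF-16LE
    return any(marker in text for marker in SCRIPT_MARKERS)

def triage_email(raw):
    """Return [(attachment name, embedded file count, script-like count)]."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        if body.startswith(ONE_MAGIC) or name.lower().endswith(".one"):
            files = list(embedded_files(body))
            hits = sum(looks_like_script(f) for f in files)
            findings.append((name, len(files), hits))
    return findings

def sample_email():
    """Constructed sample: OneNote-like attachment holding one harmless script."""
    vbs = b'Set s = CreateObject("WScript.Shell")\r\n'
    blob = ONE_MAGIC + bytes(64) + FDSO_HEADER + struct.pack("<QI8x", len(vbs), 0) + vbs
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(blob, maintype="application",
                       subtype="onenote", filename="invoice.one")
    return msg.as_bytes()
```

Calling `triage_email(sample_email())` reports one attachment with one embedded, script-like file. A non-zero script count on a OneNote attachment is a reasonable trigger for quarantine or manual review.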
