The Cortex Threat Research team has been tracking recent campaigns that were using malicious OneNote email attachments as the initial attack vector. Malicious OneNote files were made popular by various threat actors earlier this year, as a response to Microsoft blocking internet macros by default. In correlation with Microsoft's notice, starting in early 2023, infected OneNote attachments have been seen spreading malware such as Emotet, Qakbot and AsyncRAT, to name a few.

Similar to attacks delivering malicious Word macro attachments, various themed emails were seen sent at scale, luring potential victims into downloading an attached malicious OneNote file. OneNote itself is installed by default as part of various versions of Microsoft Office installations, and allows embedding of macros.

Microsoft released another notice in April, stating that 120 extensions will be blocked by default in OneNote, completely disabling the user's interaction with such a file inside a OneNote document. These changes began rolling out with OneNote Version 2304 in April 2023, but for all users who have not yet updated, this attack vector remains prevalent.

We observed multiple malware delivery techniques in the different campaigns, using various script types that serve as loaders, such as CScript and WScript, as well as running MSHTA files.
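The script-host loaders named above (CScript, WScript, MSHTA) all have to be spawned by OneNote at some point, which gives defenders a simple process-lineage check. The following is an added detection example, not code from the original post or from the Cortex team; the process-creation events, field names and file paths are constructed for illustration.

```python
"""Flag script hosts (cscript/wscript/mshta) launched directly by OneNote."""
import csv
import io
from pathlib import PureWindowsPath

# Script-host binaries the campaigns use as loaders for embedded OneNote payloads.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}

# Constructed process-creation events (parent image, child image, command line).
# Field names and paths are illustrative, not taken from any real telemetry source.
SAMPLE_EVENTS = """\
parent_image,image,command_line
C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE,C:\\Windows\\System32\\wscript.exe,wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.wsf
C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe notes.txt
C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE,C:\\Windows\\System32\\MSHTA.EXE,mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\open.hta
C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE,C:\\Windows\\System32\\cmd.exe,cmd.exe /c echo hi
C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\cscript.exe,cscript.exe build.vbs
"""


def basename(path):
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return PureWindowsPath(path).name.lower()


def is_onenote_script_launch(event):
    """True when ONENOTE.EXE is the direct parent of a script-host process."""
    return (basename(event["parent_image"]) == "onenote.exe"
            and basename(event["image"]) in SCRIPT_HOSTS)


def find_suspicious(events_csv):
    """Return the event rows that match the OneNote -> script host lineage."""
    reader = csv.DictReader(io.StringIO(events_csv))
    return [row for row in reader if is_onenote_script_launch(row)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{basename(hit['parent_image'])} -> {hit['command_line']}")
```

The cmd.exe child is deliberately not flagged here; extend SCRIPT_HOSTS if your environment never expects OneNote to spawn a shell either.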