New Update Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT

NoVirusThanks

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
293
Users reported some malicious Microsoft OneNote documents in the past days that lead to AsyncRAT, a remote administration tool used to control and monitor other computers. While it is common to see Microsoft Word, Excel and PowerPoint maldocs distributed via emails, OneNote maldocs are something new that we don’t frequently see.

The infection starts with a OneNote document distributed via email that references to an invoice or order that needs to be reviewed. Once the malicious OneNote document is opened, the user is presented with a button “Double Click to View File” that if it...
Click to expand...

blog.osarmor.com

Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT | OSArmor Blog

Users reported some malicious Microsoft OneNote documents in the past days that lead to AsyncRAT, a remote administration tool used to control and monitor
blog.osarmor.com blog.osarmor.com
 
  • Like
  • Thanks
  • Wow
Reactions: Guilhermesene, simmerskool, Stopspying and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
This method uses HTA script embedded as OLE in a document. Normally, MS Office 2016 blocks the execution of several file types (EXE, COM, HTA, JS, VBS, and many more ...) embedded as OLE.

Excel for Microsoft 365 Word for Microsoft 365 PowerPoint for Microsoft 365 Publisher for Microsoft 365 Excel 2021 Word 2021 PowerPoint 2021 Publisher 2021 Visio Professional 2021 Visio Standard 2021 Excel 2019 Word 2019 PowerPoint 2019 Publisher 2019 Visio Professional 2019 Visio Standard 2019 Excel 2016 Word 2016 Publisher 2016 Visio Professional 2016 Visio Standard 2016

Packager Activation in Office 365 desktop applications - Microsoft Support

To improve your security Microsoft Office now blocks activation of high risk extensions. This article explains why and offers instructions on how to unblock them if you really need to.
support.microsoft.com support.microsoft.com
Click to expand...

It seems that Microsoft does not block (by default) potentially dangerous OLE in Onenote, so one has to use OSA or other tools to block this attack vector. There is also a policy that can be used:

Block additional file extensions for OLE embedding

This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise, and to subscription versions of Project and Visio.
admx.help
 
  • Like
  • +Reputation
  • Applause
Reactions: NoVirusThanks, Guilhermesene, simmerskool and 6 others

Similar threads

Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Emotet malware now distributed in Microsoft OneNote files to evade defenses
Replies
15
Views
1,552
News Archive
ForgottenSeer 98186
F
silversurfer
    • Like
    • +Reputation
Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware
Replies
1
Views
788
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
Beware: Hackers now use OneNote attachments to spread malware
Replies
3
Views
1,831
News Archive
spiritedawaymadmax
spiritedawaymadmax

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top