New Update Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT

NoVirusThanks

From NoVirusThanks
Thread author
Users reported some malicious Microsoft OneNote documents in the past days that lead to AsyncRAT, a remote administration tool used to control and monitor other computers. While it is common to see Microsoft Word, Excel and PowerPoint maldocs distributed via emails, OneNote maldocs are something new that we don’t frequently see.

The infection starts with a OneNote document distributed via email that references an invoice or order that needs to be reviewed. Once the malicious OneNote document is opened, the user is presented with a button “Double Click to View File” that if it...


Andy Ful

From Hard_Configurator Tools
This method uses an HTA script embedded as OLE in a document. Normally, MS Office 2016 blocks the execution of several file types (EXE, COM, HTA, JS, VBS, and many more ...) embedded as OLE.

Applies to: Excel for Microsoft 365, Word for Microsoft 365, PowerPoint for Microsoft 365, Publisher for Microsoft 365, Excel 2021, Word 2021, PowerPoint 2021, Publisher 2021, Visio Professional 2021, Visio Standard 2021, Excel 2019, Word 2019, PowerPoint 2019, Publisher 2019, Visio Professional 2019, Visio Standard 2019, Excel 2016, Word 2016, Publisher 2016, Visio Professional 2016, Visio Standard 2016

It seems that Microsoft does not block (by default) potentially dangerous OLE in OneNote, so one has to use OSA or other tools to block this attack vector. There is also a policy that can be used:
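Added example (not part of either post above, and not a NoVirusThanks or Hard_Configurator tool): a small triage script that lists the files embedded in a .one document, so an analyst can see what is behind a "Double Click to View File" button without opening the notebook in OneNote. It relies on the FileDataStoreObject layout from the public MS-ONESTORE specification (16-byte GUID header, 8-byte little-endian length, 4 unused and 8 reserved bytes, the file data, then a 16-byte GUID footer); the content sniffing rules and the sample buffer are constructed here, and the sample is only the object framing inside filler bytes, not a real OneNote file.

```python
"""Triage helper: enumerate embedded file objects inside a OneNote (.one) file.

OneNote stores every attached file as a FileDataStoreObject (MS-ONESTORE 2.6.13):
GUID header, cbLength (8 bytes, little-endian), 4 unused bytes, 8 reserved bytes,
the raw file data, and a GUID footer. Scanning for the header GUID is enough to
pull each payload out for inspection without rendering the document.
"""
import re
import uuid
from typing import Dict, List

FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_PREAMBLE = 16 + 8 + 4 + 8  # header GUID + cbLength + unused + reserved

# Kinds that should never sit behind a "click to view" button in an invoice (constructed policy)
RISKY = {"pe", "hta", "script"}


def classify_payload(payload: bytes) -> str:
    """Best-effort content sniffing: the button label in the notebook is not trusted."""
    head = payload[:1024]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "pe"
    if b"<hta:application" in low or (b"<script" in low and b"<html" in low):
        return "hta"
    if re.search(rb"\b(wscript|createobject|powershell|cmd\.exe)\b", low):
        return "script"
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8"):
        return "image"
    return "unknown"


def extract_embedded_files(data: bytes) -> List[Dict]:
    """Walk every FileDataStoreObject; return offset, declared size, kind and footer check."""
    found = []
    pos = 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        if idx + FDSO_PREAMBLE > len(data):
            break
        length = int.from_bytes(data[idx + 16:idx + 24], "little")
        start = idx + FDSO_PREAMBLE
        end = start + length
        if end > len(data):
            # The size field is attacker-controlled: record the oversized claim and stop
            # instead of slicing past the buffer.
            found.append({"offset": idx, "length": length, "kind": "truncated",
                          "footer_ok": False, "payload": b""})
            break
        payload = data[start:end]
        found.append({
            "offset": idx,
            "length": length,
            "kind": classify_payload(payload),
            "footer_ok": data[end:end + 16] == FDSO_FOOTER,
            "payload": payload,
        })
        pos = end
    return found


def risky_objects(objects: List[Dict]) -> List[Dict]:
    """Subset of extracted objects an analyst should look at first."""
    return [o for o in objects if o["kind"] in RISKY]


# --- constructed sample (not a real .one file; only the object framing follows the spec) ---
def build_fdso(payload: bytes) -> bytes:
    return (FDSO_HEADER + len(payload).to_bytes(8, "little") + b"\0" * 12
            + payload + FDSO_FOOTER)


SAMPLE_HTA = (b"<html><head><hta:application id='x'/></head>"
              b"<script>/* constructed placeholder, does nothing */</script></html>")
SAMPLE_PDF = b"%PDF-1.4\n% constructed placeholder invoice\n%%EOF"
SAMPLE_DOC = (b"\0" * 64 + build_fdso(SAMPLE_PDF) + b"\0" * 32
              + build_fdso(SAMPLE_HTA) + b"\0" * 16)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    objs = extract_embedded_files(data)
    for o in objs:
        print(f"offset=0x{o['offset']:x} size={o['length']} kind={o['kind']} "
              f"footer_ok={o['footer_ok']}")
    print("risky objects:", len(risky_objects(objs)))
```

Run it with a path to a suspicious .one file as the first argument, or with no arguments to walk the constructed sample. A missing footer or a "truncated" entry means the object framing is damaged or deliberately malformed, which is itself worth a closer look; the sniffing rules are intentionally coarse and are meant to prioritise, not to replace, proper detonation of the extracted payloads.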
