Life finds a way: OneNote malware on the rise

Luis Corrons 3 Apr 2023

Since macros from the internet have been blocked by default, we've seen different criminal groups trying out new malware delivery mechanisms.

Macro viruses have been a security nightmare for years. First appearing in 1995, they didn't start gaining global popularity until 1999, when the Melissa virus showed up. The Melissa virus was distributed via email attachments, and it quickly became the most rapidly spreading virus of its time, inspiring future mass-mailing types of malware. The Melissa virus was so destructive that its creator later served time in prison for his work.

Macro viruses embed themselves in apparently harmless text documents and spreadsheets, and from there they infect other documents, replicate themselves in various ways, send emails, or even perform more catastrophic damage, like formatting hard drives. On top of that, macro viruses work on both PC and Mac, which makes them even more attractive to bad actors. However, in 2022 Microsoft announced (better late than never) that it would be blocking macros in files from the internet.

Cybercriminals are creative and won’t stop. And, as Dr. Ian Malcolm said in the blockbuster Jurassic Park (1993), “Life finds a way.” And so do cybercriminals. 

The dilemma for cybercriminals is clear: One of their favorite ways to distribute malware has disappeared, and they need to find a substitute. Since macros from the internet have been blocked by default, we have seen different criminal groups trying out new malware delivery mechanisms, and the one that is getting traction is Microsoft OneNote. OneNote is a note-taking application developed by Microsoft, which allows users to create and share digital notes. OneNote files typically have the ".one" file extension. OneNote files themselves are not malicious; however, they can be used to deliver malware in a similar way to macros. 

To execute this type of attack, cybercriminals may disguise OneNote files as legitimate documents or files and attach them to emails. If a recipient opens the OneNote file, it may contain a script or code that downloads and installs malware onto their computer. 

In recent months, cybercriminals have started using OneNote attachments in emails as an attack vector to deliver malware. The malware families involved in these campaigns include Qbot, Raccoon, IcedID, AsyncRAT, Redline, and more.

To illustrate the prevalence of this type of threat, we've provided a graph below. It shows the number of users we have protected daily against these specific attacks from January 1 to March 21, 2023.

Number of daily users we have protected from OneNote malware since January 2023.

As you can see, there is a growing trend of cybercriminals using OneNote attachments in emails to spread malware. While the number of attacks is still relatively low, we have already protected over 47,000 customers from these malicious attachments.

Why have cybercriminals turned to OneNote files?

For starters, they needed a substitute for the widely known and popular macros. Additionally, cybercriminals aim to trick potential victims into opening the attachment by disguising the file type as benign. By using an app that comes installed by default with Windows, cybercriminals can more easily accomplish their goal. 

This is not the first time that cybercriminals have exploited an unfamiliar file format to spread malware. The infamous LoveLetter virus, which spread through emails with attachments using the .vbs extension, caused chaos in 2000. However, the problem wasn't just that users were tricked into running the malware; systems and security solutions were not equipped to handle the threat, and antivirus software at the time only scanned, in real time, the file extensions it deemed risky.

Our team is prepared to handle these OneNote threats with a range of sophisticated technologies. Our antivirus web shield is capable of scanning and unpacking OneNote files to detect malware, and we have developed specific heuristics and Yara rules for these threats. Our backend systems work in coordination to offer the best possible protection to our customers.
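The unpacking step described above, and the way a .one file carries the script or executable mentioned earlier, can be shown with a small triage script. This is an added example written for this article, not Avast's detection code: it carves every embedded file out of a OneNote attachment and flags the ones that look like scripts or executables. The GUID constants are taken from Microsoft's public MS-ONESTORE file-format specification (the .one file-type GUID and the FileDataStoreObject header and footer that wrap each embedded file); the sample file produced by build_sample_one() is constructed for this example and is not a complete OneNote document.

```python
"""Triage helper for OneNote (.one) attachments: carve embedded files and
flag the ones that look like scripts or executables.

Added example, not Avast's detection code. GUIDs are from Microsoft's
MS-ONESTORE specification; build_sample_one() fabricates test input.
"""
import struct
from typing import Dict, List, Tuple

# guidFileType at offset 0 of every .one file (MS-ONESTORE Header structure)
ONE_FILE_TYPE_GUID = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
# FileDataStoreObject: header GUID, cbLength (u64 LE), 4 unused bytes,
# 8 reserved bytes, FileData, footer GUID (MS-ONESTORE 2.6.14)
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_PREFIX_LEN = 16 + 8 + 4 + 8  # bytes from header GUID to start of FileData

# Embedded content kinds that should never be in a harmless note
RISKY_KINDS = {"pe-executable", "windows-shortcut", "hta-or-html-script",
               "batch-or-powershell-script", "vbscript-or-jscript"}


def is_onenote_file(data: bytes) -> bool:
    """True when the blob starts with the .one file-type GUID."""
    return data.startswith(ONE_FILE_TYPE_GUID)


def carve_embedded_files(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (payload_offset, payload) for every FileDataStoreObject.

    Works on raw bytes rather than the full revision-store structure, so it
    also handles files padded or damaged to evade stricter parsers.
    Objects whose declared length runs past the end of the file are skipped.
    """
    found: List[Tuple[int, bytes]] = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        start = pos + FDSO_PREFIX_LEN
        if start <= len(data):
            (length,) = struct.unpack_from("<Q", data, pos + 16)
            end = start + length
            if end <= len(data):
                found.append((start, data[start:end]))
                pos = data.find(FDSO_HEADER, end)
                continue
        # Truncated or malformed object: resume searching after this header
        pos = data.find(FDSO_HEADER, pos + 16)
    return found


def classify_payload(payload: bytes) -> str:
    """Coarse content sniffing on the first 4 KiB of an embedded file."""
    head = payload[:4096]
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(b"L\x00\x00\x00\x01\x14\x02\x00"):  # .lnk header + CLSID
        return "windows-shortcut"
    if head.startswith(b"PK\x03\x04"):
        return "zip-archive"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith((b"\x89PNG", b"\xff\xd8\xff", b"GIF8")):
        return "image"
    text = head.decode("latin-1").lower()
    if "<hta:application" in text or "<script" in text:
        return "hta-or-html-script"
    if "powershell" in text or "@echo off" in text or "cmd /c" in text:
        return "batch-or-powershell-script"
    if "wscript." in text or "createobject(" in text or "activexobject(" in text:
        return "vbscript-or-jscript"
    return "unknown"


def triage(data: bytes) -> Dict:
    """Summarise one attachment: file type, embedded objects, and a verdict."""
    findings = [{"offset": off, "size": len(p), "kind": classify_payload(p)}
                for off, p in carve_embedded_files(data)]
    risky = [f for f in findings if f["kind"] in RISKY_KINDS]
    return {"is_onenote": is_onenote_file(data),
            "embedded": findings,
            "verdict": "suspicious" if risky else "clean"}


def build_sample_one(payloads: List[bytes]) -> bytes:
    """Constructed .one-like blob for testing: real file-type GUID, 48 filler
    bytes, then one FileDataStoreObject per payload. Not a valid notebook."""
    out = bytearray(ONE_FILE_TYPE_GUID + b"\x00" * 48)
    for p in payloads:
        out += FDSO_HEADER + struct.pack("<Q", len(p)) + b"\x00" * 12 + p + FDSO_FOOTER
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a harmless PNG next to a batch-script stub
    sample = build_sample_one([b"\x89PNG\r\n\x1a\nconstructed",
                               b"@echo off\r\nrem constructed stub\r\n"])
    print(triage(sample))
```

The verdict is deliberately coarse: any script or executable inside a note is reason enough to quarantine the attachment and pull it into a sandbox, and the carved payloads are what a Yara rule or a more specific heuristic would then run over. Because the carver searches raw bytes for the FileDataStoreObject header, it still finds payloads in files that a strict structural parser would reject.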

How to stay safe against OneNote malware

While the use of OneNote attachments as a delivery mechanism for malware is a new trend, it may become more widespread in the future. We recommend that users exercise caution when receiving OneNote files via email or downloading them from the internet. Plus, make sure your security provider is equipped to handle these threats.
