Hackers are once again using malicious Microsoft OneNote files to infect unsuspecting users with the QBot malware, which can steal financial info, browser data and even passwords.
While QBot originally started out as a banking trojan, it evolved into malware that’s used to gain initial access to a victim’s device — according to BleepingComputer. From there, it can be used to load other malware or even ransomware on a compromised computer.
Hackers first began attaching malicious OneNote files to their phishing emails last month after Microsoft disabled macros in Office documents. What makes this new attack method particularly dangerous is the fact that an attacker can embed almost any file when creating a malicious OneNote document.
Weaponizing OneNote documents
The QBot malware is currently being distributed through phishing emails that include a malicious OneNote file as an attachment. The attackers behind this campaign are also using social engineering to get users to click on VBS attachments or LNK files included in these OneNote Notebooks.
Once a user clicks on a button that says “Double Click to View File” inside a OneNote Notebook, the attachments embedded in the file execute commands on their PC that download and install the QBot malware.
According to a new report from Sophos, the hackers behind this campaign are also hijacking email threads and using the “reply-to-all” feature to spread their malicious OneNote files. In this case, a fake button inside the Notebook file that reads “Open” is used to run any attachments included by the attackers.
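For mail or endpoint triage, the embedded attachments described above can be located without opening the Notebook. The sketch below is an added example, not code from the article, BleepingComputer or Sophos: it scans a .one file for FileDataStoreObject records (header GUID and field layout as documented in Microsoft's [MS-ONESTORE] specification) and flags shortcuts, scripts and executables. The function names, the hint strings and the sample bytes are assumptions made for this illustration.

```python
import struct

# FileDataStoreObject header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
# from [MS-ONESTORE], in on-disk (mixed-endian) byte order.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
LNK_MAGIC = bytes.fromhex("4c000000")  # .lnk files start with HeaderSize 0x4C
SCRIPT_HINTS = (b"wscript", b"createobject", b"powershell")  # assumed heuristics


def classify(blob):
    """Rough type guess for one embedded object."""
    if blob.startswith(LNK_MAGIC):
        return "lnk"
    if blob.startswith(b"MZ"):
        return "pe"
    head = blob[:4096].replace(b"\x00", b"").lower()  # also catches UTF-16 text
    return "script" if any(h in head for h in SCRIPT_HINTS) else "other"


def embedded_objects(data):
    """Return [(offset, size, kind)] for each FileDataStoreObject in a .one file."""
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1:
        start = pos + 36  # GUID (16) + cbLength (8) + unused (4) + reserved (8)
        if start <= len(data):
            (size,) = struct.unpack_from("<Q", data, pos + 16)
            if size <= len(data) - start:  # ignore truncated or bogus lengths
                found.append((pos, size, classify(data[start:start + size])))
        pos = data.find(FDSO_HEADER, pos + 16)
    return found


def should_quarantine(data):
    """Flag a notebook that carries a shortcut, script or executable."""
    return any(kind != "other" for _, _, kind in embedded_objects(data))


def fake_object(payload):
    """Build a constructed FileDataStoreObject for the demo (not real malware)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload


# Constructed sample: a PNG-like image plus a harmless VBS one-liner.
SAMPLE = (b"\x00" * 64 + fake_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
          + fake_object(b'WScript.Echo "constructed test"'))

if __name__ == "__main__":
    print(embedded_objects(SAMPLE), should_quarantine(SAMPLE))
```

Legitimate notebooks embed images and documents too, so a result of "other" is expected for most objects; only the shortcut, script and executable classes are treated as grounds for quarantine here.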
How to stay safe from malicious email attachments
Just like with other malware and phishing campaigns in the past, you need to be extra careful when dealing with emails from unknown senders and avoid downloading or opening any attachments they may include.
If you use Microsoft OneNote for work or school, you’re more likely to open a malicious Notebook, which is why you may want to consider using another note-taking app for the time being.
Even if you do accidentally click on one of the fake buttons in these malicious OneNote files, the best antivirus software can help protect your system from becoming infected with malware. Likewise, the best identity theft protection can help people who have been scammed and lost money as the result of a cyberattack.
Cybersecurity is often like a game of cat and mouse. When companies like Microsoft change their software so that it can’t be used maliciously, hackers then come up with a new attack method that has a higher chance of successfully infecting unsuspecting users with malware and other viruses. This likely won’t be the last we see of the QBot malware, which is why you need to be careful when dealing with any email attachment — even those from people you know.