On December 8, 2022, Trustwave SpiderLabs published a report on threat actors using OneNote documents to spread Formbook, an information-stealing Trojan that has been sold on hacking forums as malware-as-a-service since mid-2016. Formbook steals data from web browsers and other applications, captures screenshots, and logs keystrokes.

On December 6, 2022, the researchers found a spam email carrying a OneNote file with the ".one" extension, an attachment type that rarely appears in email. Opening the attachment displays an image that asks the victim to click "View Document." When MailMarshal's engine unpacked the attachment, it found a Windows Script File (WSF) layered on top of the "View Document" image, so a click on that part of the image is actually a click on the embedded file. OneNote responds with its standard warning that a file is about to be opened; if the victim clicks "OK," the WSF executes.

The WSF filename is also deceptive, probably to fool scanners: after "invoice" it contains a right-to-left override character (U+202E), which reverses the rendering of the text that follows it. Applications that honor the override therefore show "fsw.xcoD" where the stored name reads "Docx.wsf".

Once the victim accepts the warning, the WSF embedded in the OneNote file launches PowerShell commands that download and execute two files from a0745450[.]xsph[.]ru. The first is a decoy OneNote file fetched from a0745450[.]xsph[.]ru/INVESTMENT[.]one and saved as %temp%\invoice.one; its purpose is to hide the download of the second file, which carries the payload. The second file is fetched from a0745450[.]xsph[.]ru/DT6832.exe and saved as %temp%\system32.exe, and it is the Formbook malware.
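The two tricks described above, an embedded script file inside a .one attachment and a U+202E override in the filename, can both be caught at the mail gateway without executing anything. The script below is an added example written for this page; it is not code from Trustwave or from the report. It locates embedded files in a OneNote blob by the FileDataStoreObject header GUID and layout documented in MS-ONESTORE (header GUID, 8-byte length, 4 unused bytes, 8 reserved bytes, then the data; treat that layout as this example's assumption, since the report does not describe it), tags the extracted object if it looks like a WSF or references PowerShell, and flags attachment names containing bidi override characters. The sample .one blob and the WSF inside it are constructed here and contain no malicious code; `build_sample_one`, `triage`, and the other function names are this example's own.

```python
from __future__ import annotations

import re
import struct
import uuid

# FileDataStoreObject header/footer GUIDs (MS-ONESTORE, stored little-endian in the file).
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Unicode bidi controls that can disguise a file extension; U+202E is the one seen in the campaign.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RTLO = "\u202e"

WSF_JOB = re.compile(rb"<\s*job\b", re.IGNORECASE)
WSF_SCRIPT = re.compile(rb"<\s*script\b[^>]*language\s*=", re.IGNORECASE)
POWERSHELL = re.compile(rb"powershell", re.IGNORECASE)


def extract_embedded_files(blob: bytes) -> list[bytes]:
    """Return the data of every FileDataStoreObject in a OneNote blob.

    After the 16-byte header GUID: cbLength (u64 LE), 4 unused bytes, 8 reserved
    bytes, then cbLength bytes of embedded file data (assumed layout, see lead-in).
    """
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        hdr_end = pos + 16
        if hdr_end + 20 > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, hdr_end)
        data_start = hdr_end + 20
        data_end = data_start + cb_length
        if data_end > len(blob):
            break  # truncated object; stop rather than read past the buffer
        found.append(blob[data_start:data_end])
        pos = blob.find(FDSO_HEADER, data_end)
    return found


def classify_payload(data: bytes) -> set[str]:
    """Cheap content tags: 'wsf' for a Windows Script File, 'powershell' if it
    invokes PowerShell, 'pe' for a Windows executable."""
    tags = set()
    if WSF_JOB.search(data) and WSF_SCRIPT.search(data):
        tags.add("wsf")
    if POWERSHELL.search(data):
        tags.add("powershell")
    if data[:2] == b"MZ":
        tags.add("pe")
    return tags


def has_bidi_override(name: str) -> bool:
    """True if the filename carries any Unicode bidi control character."""
    return any(ch in BIDI_CONTROLS for ch in name)


def rendered_name(name: str) -> str:
    """Approximate how a bidi-aware UI displays a name with U+202E: the text
    after the override is shown reversed. Real bidi layout is more involved;
    this is enough to show what the user sees."""
    if RTLO not in name:
        return name
    head, _, tail = name.partition(RTLO)
    return head + tail[::-1]


def triage(blob: bytes, attachment_name: str) -> dict:
    """Gateway-style verdict for one .one attachment and its filename."""
    payloads = extract_embedded_files(blob)
    tags = set()
    for p in payloads:
        tags |= classify_payload(p)
    return {
        "embedded_objects": len(payloads),
        "payload_tags": tags,
        "bidi_override_in_name": has_bidi_override(attachment_name),
        "name_as_displayed": rendered_name(attachment_name),
        "block": bool(tags & {"wsf", "pe"}) or has_bidi_override(attachment_name),
    }


# Constructed, harmless stand-in for the embedded WSF (not the real sample).
SAMPLE_WSF = (
    b'<?xml version="1.0"?>\n<job id="demo">\n<script language="JScript">\n'
    b'var sh = new ActiveXObject("WScript.Shell");\n'
    b'sh.Run("powershell -w hidden -c Start-Sleep 1", 0, false);\n'
    b"</script>\n</job>\n"
)


def build_sample_one(payload: bytes) -> bytes:
    """Constructed .one-like blob: filler, one FileDataStoreObject, footer."""
    header = FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 4 + b"\x00" * 8
    return b"\x00" * 64 + header + payload + FDSO_FOOTER + b"\x00" * 16


if __name__ == "__main__":
    verdict = triage(build_sample_one(SAMPLE_WSF), "invoice\u202eDocx.wsf")
    for key, value in verdict.items():
        print(f"{key}: {value!r}")
```

Run it as a script to see the verdict for the constructed attachment; in a real gateway you would feed `triage` the raw attachment bytes and the RFC 2231-decoded filename, and the `block` flag is what the mail policy would act on. The name check is deliberately independent of the content check, since the override alone is enough to quarantine an attachment that nobody legitimately sends.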