I’d like to bring to your attention a new and dangerous attack vector that is spreading malware through .ONE files. These files, also known as Microsoft OneNote files, may appear to come from a trusted source, but in reality they can contain malware.

In recent months, we have seen an increase in the number of threat actor groups using .ONE files to spread malware. Groups such as Async, Qakbot, and Redline are known to have used this technique to target individuals and organizations alike. These groups are constantly evolving their tactics as the ever-changing landscape makes old techniques harder to pull off. With the recent change Microsoft made to disable macros globally, we saw these groups pivot once again to an old but successful method for delivering their malicious content.

What sets this attack vector apart from other email-based threats is that the malware in a .ONE file runs as soon as you click a photo or button embedded in the file. Unlike Office macros, which require the user to enable content first, there is no extra step, which makes this vector even more dangerous to unsuspecting users who may not realize they are running a malicious file. I’ve seen many samples containing up to 10 different .bat payloads!

Rapid7 covered a Redline sample using this technique!

To protect yourself against this threat, I recommend following these tips:

General users

There are several steps general users can take to stay safe from .ONE file malware. Firstly, avoid opening attachments from unknown or untrusted sources. Secondly, be cautious when downloading files, especially those that appear to be from a trusted source. Finally, if you receive a .ONE file from an unknown source, or one that appears suspicious, report the email to IT and never open it!

IT teams

There are several simple technical measures that can be taken to limit the impact of .ONE files on the organization. Firstly, configuring email filters to block attachments with the .ONE file extension can help prevent malicious files from reaching employees. Secondly, deploying endpoint protection software with the latest signatures and updates can help detect and prevent malware infections caused by .ONE files. Finally, providing regular security awareness training to employees can help them recognize the signs of malicious files and avoid falling for social engineering tactics.
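For IT teams who want to do more than block the extension outright, here is a small triage script, added as an example and not part of the original post: it walks a .one attachment for FileDataStoreObject records (the structure OneNote uses to store embedded attachments, per the MS-ONESTORE spec), pulls out each embedded file and flags the ones that look like scripts or executables, which is exactly what the .bat-laden samples above would trip on. The GUID constants come from MS-ONESTORE; the sample bytes and the `SUSPICIOUS` heuristics are constructed for this example and are not a real sample or a vendor rule set.

```python
# Defensive triage of a OneNote (.one) attachment: enumerate embedded files and
# flag script/executable payloads. GUIDs per MS-ONESTORE; SAMPLE is constructed.
import struct
import uuid

ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le    # .one file header
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # FileDataStoreObject
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_FIXED = 16 + 8 + 4 + 8   # guidHeader, cbLength (u64 LE), unused, reserved

# Constructed heuristics: content that has no business inside an emailed note
SUSPICIOUS = {
    "windows-exe": lambda d: d[:2] == b"MZ",
    "batch-script": lambda d: d.lstrip().lower().startswith(b"@echo"),
    "html-or-hta": lambda d: b"<script" in d[:4096].lower(),
    "powershell": lambda d: b"powershell" in d[:4096].lower(),
}

def is_onenote(blob: bytes) -> bool:
    return blob[:16] == ONE_MAGIC

def extract_embedded_files(blob: bytes) -> list:
    """One dict per FileDataStoreObject: offset, size, footer check and flags."""
    found, pos = [], blob.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_FIXED <= len(blob):
        (size,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_FIXED
        data = blob[start:start + size]                 # truncated file -> short data
        footer_ok = blob[start + size:start + size + 16] == FDSO_FOOTER
        found.append({"offset": pos, "size": size, "footer_ok": footer_ok,
                      "flags": [n for n, chk in SUSPICIOUS.items() if chk(data)]})
        pos = blob.find(FDSO_HEADER, start + size)
    return found

def triage(blob: bytes) -> str:
    """'not-onenote', 'clean', or 'suspicious' (at least one flagged embedded file)."""
    if not is_onenote(blob):
        return "not-onenote"
    return "suspicious" if any(f["flags"] for f in extract_embedded_files(blob)) else "clean"

def _record(data: bytes) -> bytes:
    """Build one FileDataStoreObject record; used only to construct SAMPLE."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data + FDSO_FOOTER

# Constructed sample: .one header, a harmless batch file, then a PNG stub
SAMPLE = (ONE_MAGIC + b"\0" * 32
          + _record(b"@echo off\r\necho constructed sample\r\n")
          + b"\0" * 16
          + _record(b"\x89PNG\r\n\x1a\n" + b"\0" * 8))
```

Run `triage(open(path, "rb").read())` over quarantined attachments; `extract_embedded_files` gives the per-file detail for an analyst.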

By following these simple steps, you can help protect yourself and your organization from the dangers of .ONE file malware.

In conclusion, the .ONE file malware threat is a serious issue that should not be taken lightly. By following safe security practices and being mindful of email attachments, you can help protect yourself from this dangerous attack vector. As always, if you have any questions or concerns, feel free to reach out!

Malware samples:

Qakbot: https://bazaar.abuse.ch/sample/9cd900111f019f32112eba2c1ce1ecd9345d05f5d9a8a617c4a609d77cf2f95b/

Redline: https://bazaar.abuse.ch/sample/bf8c7c35cb5b8f47ad7fe7e89322960e105efa754360953ca854925a6b914092/

Async: https://bazaar.abuse.ch/sample/9037e60b24cf0f56cc9e03ea0c2dc2f96180ac160b90c5836e80cc409e6611eb/