Remote Access Tools (RATs) are a variety of methods or software applications that enable users to remotely access and control another user's computer, with or without their knowledge. RATing is a popular method in which hackers use these types of remote access tools to steal victims' data, or control their computers to hide their identities while launching further malicious attacks against others.

Cybersecurity analysts with the website BleepingComputer have discovered a method that many hackers have employed to RAT victims' computers through OneNote. The Microsoft Office tools Word and Excel were once used by hackers to distribute malicious software to the computers of victims who were baited into downloading email attachments, but Microsoft eventually started blocking the exploit.

BleepingComputer analysts found that hackers adapted their methods and moved on from Word and Excel to OneNote. Hackers have begun exploiting the OneNote app to remotely control victims' PCs, allowing them to install additional malware, breach cryptocurrency wallets, steal passwords, take screenshots through the victim's webcam, and more.

How Hackers Gain Control of Your System

Luckily, for this latest OneNote vulnerability to be exploited, the victim must first fall prey to a phishing email campaign. Like so many exploits involved in hacking, it starts with falling for a phishing email scam. These phishing scams can be avoided by following some basic protocols, such as recognizing poor grammar, or checking the email headers to verify that the sender's address is indeed from the company they purport to be.

There are many ways to recognize and avoid phishing emails such as these, but inevitably many people still fall victim to these scams each year. BleepingComputer's investigative team found that the cybercriminals disguised their malware-infected emails as official DHL correspondence.

This is a common trait among phishing emails, where hackers will dress an email up to look as official as possible. Many hackers will use official imagery, proper dating in the message body, and may even include an official-looking signature of the person they are purporting to be. However, you can always verify the sender of an email by viewing the full headers and closely reading the sender's email address.

Programs like Outlook can display the sender's name followed by the mailto: address, which shows their full email address. Read the email address closely to ensure that it legitimately belongs to the person claiming to send the email. You may also check suspicious links contained within the body of a message by simply hovering the mouse cursor over the link (without clicking it) to reveal the full web address below the message body.

In this particular attack, once a victim clicked on the OneNote attachment in the phishing email, the information contained within would be blurred. An overlay stated “Double Click to View File”, and if the victim followed the instruction, the attack would be complete.

Threat actors have attached VBA attachments that launch scripts when double-clicked to download malware from a remote site and install it, according to BleepingComputer. Remote Access Trojans (RATs) then had access to the device's webcam, cryptocurrency wallets, passwords, and more.
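The sender and link checks described above can also be automated at a mail gateway or during triage of a reported message. The following is an added example, not code from BleepingComputer or Natural Networks; the `BRAND_DOMAINS` allowlist, the function names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brand -> sending domains you have verified yourself.
BRAND_DOMAINS = {"dhl": {"dhl.com"}}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message; every address and host here is made up.
SAMPLE = """\
From: "DHL Express" <notice@shipping-alerts.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p><a href="http://tracking.example.net/x">www.dhl.com/track</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.one"

stub
--b1--
"""

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return findings: sender mismatch, .one attachment, deceptive link."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    host = addr.rpartition("@")[2].lower()  # domain of the real address
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(_under(host, d) for d in domains):
            findings.append(f"display name claims {brand.upper()} but address is at {host}")
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(".one"):  # OneNote attachment, as in this campaign
            findings.append(f"OneNote attachment: {fname}")
        if part.get_content_type() == "text/html" and not fname:  # "hover" check
            for href, text in LINK_RE.findall(part.get_content()):
                shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
                target = (urlparse(href).hostname or "").lower()
                if shown and not _under(target, re.sub(r"^www\.", "", shown.group(0).lower())):
                    findings.append(f"link shows {shown.group(0)} but goes to {target}")
    return findings
```

Calling `triage(SAMPLE)` returns three findings for the constructed message, while a message whose From address really sits under an allowlisted domain returns none.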

You can avoid these threats by following the advice to protect yourself from phishing emails. Phishing emails account for a vast amount of cyber fraud today, so recognizing phishing email attempts and protecting your personally identifiable information (PII) can go a long way in avoiding headaches like these in the future.

Partnering with a Managed Services Provider like Natural Networks can also help take your IT security to the next level. Natural Networks can work with you and your team to ensure they recognize and know what to do in the face of phishing emails, which can prevent massive attacks like these from ever occurring at your office. If you are interested in learning more, give us a call today!