This blog was written by Lachlan Godding, SenseOn Security Analyst.
SenseOn has analysed various strains of malware using OneNote as the delivery vector. We observed these samples in attack campaigns globally throughout early 2023.
This article will discuss the trends observed across these samples, and how SenseOn leveraged our state-of-the-art telemetry to gain insight into this attack vector.
In our analysis of malicious OneNote .one samples, we found a common infection chain:
Across the samples analysed, the most common payload was the Emotet trojan. This is regularly spread via malicious emails, and is linked to the threat actor Mummy Spider (also known as TA54).
Throughout late 2022 and early 2023, malicious actors increasingly abused OneNote documents to deliver malware via infected emails and URLs. A recent report by Proofpoint found that there has been a significant increase in the abuse of Microsoft OneNote in cyberattacks. This increase follows the disabling of automatic macro execution by default in traditional Microsoft Office tools, which threat actors have traditionally relied on heavily for initial access. This, combined with the need to bypass the Mark-of-the-Web (MOTW) security feature, which flags files that were downloaded from the Internet, could be playing a role in the recent uptick in OneNote abuse.
To bypass these protection mechanisms, malicious scripts are being embedded within OneNote ‘.one’ files by threat actors, which are delivered to targets as part of attack campaigns. When opened, the malicious file delivers a second-stage payload. We observed Remote Access Trojans (RATs), such as AgentTesla and AsyncRAT, using this delivery mechanism throughout December of 2022. In recent months, other malware strains have become more prevalent among malicious OneNote payloads including Emotet, IcedID and Qakbot.
The malicious OneNote document displays a message that makes the document appear to have remote attachments, in an attempt to dupe the user into selecting the ‘Open’ icon. Underneath this icon lies an embedded malicious CMD file, ‘Open.cmd’, which will execute automatically when the icon is clicked.
Analysing the malicious script in a text editor shows it leveraging PowerShell to execute a Base64-encoded command. The output of this command is written to a file located at ‘C:\programdata’ and subsequently executed.
Decoding this, the underlying PowerShell command to be executed is revealed.
This command is used to silently reach out to an external domain ‘https[:]//starcomputadoras[.]com’ over HTTPS and retrieve a malicious DLL called ‘01.gif’. The .gif file extension is likely a detection evasion mechanism. This file is stored in the local ‘C:\programdata’ directory as ‘putty.jpg’, and immediately loaded using rundll32 and the ‘Wind’ argument.
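A triage helper for the decoding step described above, as an added example that is not part of the original analysis. It assumes the script passes its payload through PowerShell's -EncodedCommand switch (Base64 over UTF-16LE text); the sample script and URL are constructed and benign.

```python
import base64
import re

# "-Switch <blob>": a switch name followed by a long Base64-looking token.
ARG_RE = re.compile(r"[-/]([A-Za-z]+)\s+[\"']?([A-Za-z0-9+/]{16,}={0,2})")
URL_RE = re.compile(r"https?://[^\s'\"]+")

def is_encoded_command_switch(name):
    # PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec.
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)

def decode_encoded_commands(script_text):
    """Return the plaintext of every -EncodedCommand blob found in a script."""
    decoded = []
    for name, blob in ARG_RE.findall(script_text):
        if not is_encoded_command_switch(name):
            continue
        padded = blob + "=" * (-len(blob) % 4)   # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:                       # not Base64 after all
            continue
        # -EncodedCommand carries UTF-16LE text, not UTF-8.
        decoded.append(raw.decode("utf-16-le", errors="replace"))
    return decoded

def defanged_urls(text):
    """Extract URLs and defang them in the style used in this article."""
    return [u.replace("://", "[:]//").replace(".", "[.]")
            for u in URL_RE.findall(text)]

# Constructed, benign stand-in for an embedded .cmd file.
PLAINTEXT = "Write-Output 'constructed sample https://example.invalid/placeholder'"
BLOB = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode()
SAMPLE_CMD = ("@echo off\r\n"
              "powershell -NoProfile -WindowStyle Hidden -enc " + BLOB + "\r\n")

if __name__ == "__main__":
    for command in decode_encoded_commands(SAMPLE_CMD):
        print(command)
        print(defanged_urls(command))
```

Decoding as UTF-8 instead of UTF-16LE leaves a NUL byte after every character, which is also why string matches written against UTF-8 Base64 miss real -EncodedCommand blobs.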
The below telemetry snapshot shows the process chain initiated from running this file.
Although the domain used for the second stage was flagged as malicious by several online vendors, it was no longer active at the time of analysis. Therefore, the second stage payload failed to download and execute, and we were unable to connect to the malicious URL.
This next sample involved a similar fraudulent popup advising the user to select a ‘View’ icon, which masked a malicious embedded script: ‘press to unlock.vbs’.
Analysing the contents of this script reveals several layers of obfuscation employed by the author. The malware author in this case is attempting to both evade detection by automated scanners and inhibit reverse-engineering activities by assigning variables to randomly generated words, and formulaically extracting certain characters from these variables to be executed as a command.
Looking toward the end of this script, we observe a call to create a WScript shell, which is used to run the resulting obfuscated command.
Modifying the script to echo this command instead of executing it, and then running the modified script, reveals the unobfuscated contents intended to be run by the original author.
As seen above, the deobfuscated script appears to use an instance of VBScript to run a created ‘.txt’ file. This file uses a ‘.txt’ file extension to evade detection and lower suspicions. Opening this file, a similar level of obfuscation can be seen, using random words and concatenating different parts of these variables to create the desired command.
Similarly modifying this script to return the command rather than executing it reveals it was being used to retrieve a final payload from a series of malicious domains, trying each listed domain until a success was received. In this case, uploading the MD5 hash of this file to VirusTotal reveals the payload to be a strain of the Emotet trojan.
Executing this malware in a sandbox environment, monitored by the SenseOn agent, several malicious actions can be observed both from analysis of raw ingested telemetry and looking at the relevant security observations generated by SenseOn.
The malicious VB script can be seen retrieving the malicious payload over HTTP from the first of the malicious URLs referenced in the first de-obfuscated script.
The malware then abused the native ‘regsvr32.exe’ process to run a series of malicious binaries with seemingly randomly generated names, some of which were executed with the ‘/scomma’ argument, all run from the \AppData\Local\Temp directory.
Regsvr32 was also abused to establish Command and Control (C2) using connections to nodes in the Tor network.
Tor is likely used in this case to provide the author with an additional layer of anonymity and increase the difficulty of detection and remediation using traditional toolsets.
Regsvr32 was additionally leveraged to run a malicious “I7BUGMOAp1mnW79z5M0bLi0WI5oFMy2wIqc.dll” DLL file. This DLL executed a series of information gathering commands such as ‘systeminfo’ and ‘ipconfig /all’. These are often used as enumeration techniques to determine device vulnerabilities and locations of interest, to begin the process of propagation.
To maintain persistence on the infected machine, the malware configures the malicious DLL file to be automatically run by Regsvr32 upon device startup, adding itself to the HKEY_USERS\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location.
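One way to audit for this persistence, as an added example rather than SenseOn's own tooling: it parses `reg export` text and reports Run-key values that launch regsvr32 against a DLL in a user-writable path. The sample export, SID and file names are constructed, and the list of user-writable paths is an assumption to tune per environment.

```python
import re

# Constructed `reg export` text (real exports are UTF-16LE; decode before parsing).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"constructed.dll"="C:\\Windows\\system32\\regsvr32.exe \"C:\\Users\\demo\\AppData\\Local\\Xyz\\constructed.dll\""

[HKEY_USERS\S-1-5-21-0-0-0-1001\SOFTWARE\Example]
"Note"="regsvr32.exe C:\\Users\\demo\\AppData\\Local\\ignored.dll"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumption: locations a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

def unescape(value):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", value)

def find_regsvr32_run_entries(reg_text):
    """Return (key, value name, command) for suspicious Run-key autostarts."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        match = KEY_RE.match(line)
        if match:
            key = match.group(1)
            continue
        match = VALUE_RE.match(line)
        if not match or not key.lower().endswith("\\currentversion\\run"):
            continue
        name, data = unescape(match.group(1)), unescape(match.group(2))
        low = data.lower()
        if ("regsvr32" in low and ".dll" in low
                and any(path in low for path in USER_WRITABLE)):
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_regsvr32_run_entries(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}")
```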
MD5 Hash IOCs
cde1a4983674221e32035465ff72c577 9eae6f49a02d6eb9f75af7bbf4349808 c862aed0ddd602cafc5bfdf212e0bd4d
```yaml
title: Detect Regsvr32 Binary execution
description: Detects when regsvr32 executes an exe file other than an instance of itself
status: experimental
author: Lachlan Godding
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\regsvr32.exe'
        Image|endswith: '.exe'
    filter:
        Image|endswith: '\regsvr32.exe'
    condition: selection and not filter
level: high
```
```yaml
title: Detect Regsvr32 enumeration command
description: Detects when regsvr32 runs commands commonly used for enumeration
status: experimental
author: Lachlan Godding
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\regsvr32.exe'
        Image|endswith:
            - '\systeminfo.exe'
            - '\ipconfig.exe'
    condition: selection
level: high
```
```yaml
title: Powershell downloading unusual file types
description: Detects when PowerShell makes a web request to download suspicious file types
status: experimental
author: Lachlan Godding
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\cmd.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'invoke-webrequest'
            - 'SW52b2tlLVdlYlJlcXVlc3Q=' #base64 version (of the UTF-8 string; -EncodedCommand blobs are Base64 of UTF-16LE text)
    filter:
        CommandLine|re:
            - '-uri.*\.txt'
            - '-uri.*\.msi'
            - '-uri.*\.json'
            - '-uri.*\.csv'
            - '-uri.*\.pdf' #optionally adjust these to represent normal filetypes for the environment
    condition: selection and not filter
level: high
```
```yaml
title: OneNote spawning unusual child process
description: Detects OneNote spawning suspicious child processes (not browser or office)
status: experimental
author: Lachlan Godding
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\onenote.exe'
    filter:
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\opera.exe'
            - '\brave.exe'
            - '\iexplore.exe'
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\acrord32.exe'
            - '\acrobat.exe'
            - '\onenotem.exe'
            - '\outlook.exe'
            - '\teams.exe'
            - '\notepad.exe'
            - '\protocolhandler.exe'
            - '\onenote.exe'
            - '\ai.exe'
            - '\splwow64.exe'
    condition: selection and not filter
level: high
```
```
alert tcp any any -> any any (msg:"Potential Emotet User Agent Detected"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|58.0) Gecko/20100101 Firefox/58.0|0d 0a|"; nocase; sid:1000001; rev:1;)
```