Brad Freeman

19/05/2023

OneNote malware: A growing threat

This blog was written by Lachlan Godding, SenseOn Security Analyst.

SenseOn has analysed various strains of malware using OneNote as the delivery vector. We observed these samples in attack campaigns globally throughout early 2023.

This article will discuss the trends observed across these samples, and how SenseOn leveraged our state-of-the-art telemetry to gain insight into this attack vector.

In our analysis of malicious OneNote .one samples, we found a common infection chain:

Infected OneNote file delivered via phishing email
OneNote file containing an embedded VBS, WSF or CMD script, and a prompt for the user to click a false ‘Open’ icon
Upon execution, the embedded script will retrieve and execute the second-stage payload.

Across the samples analysed, the most common payload was the Emotet trojan. This is regularly spread via malicious emails, and is linked to the threat actor Mummy Spider (also known as TA54).

Background

Throughout late 2022 and early 2023, malicious actors increasingly abused OneNote documents to deliver malware via infected emails and URLs. A recent report by Proofpoint found that there has been a significant increase in the abuse of Microsoft OneNote in cyberattacks. This increase is observed following the disabling of automatic macro execution by default in traditional Microsoft Office tools, which threat actors traditionally rely heavily on for initial access. This, in combination with the need to bypass the Mark-of-the-web (MOTW) security feature, which flags files that were downloaded from the Internet, could be playing a role in this recent uptick of OneNote abuse.

To bypass these protection mechanisms, malicious scripts are being embedded within OneNote ‘.one’ files by threat actors, which are delivered to targets as part of attack campaigns. When opened, the malicious file delivers a second-stage payload. We observed Remote Access Trojans (RATs), such as AgentTesla and AsyncRAT, using this delivery mechanism throughout December of 2022. In recent months, other malware strains have become more prevalent among malicious OneNote payloads including Emotet, IcedID and Qakbot.

Sample 1

Failed to retrieve 2nd stage due to the domain failing to resolve

The malicious OneNote document displays a message imitating the document having remote attachments, in an attempt to dupe the user into selecting the ‘Open’ icon. Underneath this icon lies an embedded malicious CMD file, ‘Open.cmd’, which will execute automatically when the icon is clicked.

Figure 1. Malicious OneNote document with hidden embedded script.

Analysing the malicious script in a text editor, it is observed leveraging PowerShell to execute a Base64 encoded command. The output of this command is written to a file located at ‘C:\programdata and subsequently executed.

Figure 2. Contents of the malicious ‘Open.cmd’ script.

Decoding this, the underlying PowerShell command to be executed is revealed.

Figure 3. Decoded PowerShell script contents.

This command is used to silently reach out to an external domain ‘https[:]//starcomputadoras[.]com’ over HTTPS and retrieve a malicious DLL called ‘01.gif’. The .gif file extension is likely a detection evasion mechanism. This file is stored in the local ‘C:\programdata’ directory as ‘putty.jpg’, and immediately loaded using rundll32 and the ‘Wind’ argument.

The below telemetry snapshot shows the process chain initiated from running this file

Figure 4. SenseOn telemetry showing execution of malicious PowerShell script.

Although the domain used for the second stage was flagged as malicious by several online vendors it was no longer active at the time of analysis. Therefore, the second stage payload failed to download and execute, and we were unable to connect to the malicious URL.

Figure 5. VirusTotal flags domain as malicious and displays a ‘500’ error indicating it is unreachable.

Figure 6. Malicious https[:]//starcomputadoras[.]com domain can no longer be connected to.

Sample 2

Emotet

This next sample involved a similar fraudulent popup advising the user to select a ‘View’ icon, which masked a malicious embedded script: ‘press to unlock.vbs’.

Figure 7. Second infected OneNote file with embedded script.

Analysing the contents of this script reveals several layers of obfuscation employed by the author. The malware author in this case is attempting to both evade detection by automated scanners and inhibit reverse-engineering activities by assigning variables to randomly generated words, and formulaically extracting certain characters from these variables to be executed as a command.

Figure 8. Heavily obfuscated contents of the malicious script.

Looking toward the end of this script, we observe a call to create a WScript shell, which is used to run the resulting obfuscated command.

Modifying the script to instead echo this command instead of executing it, and then running this modified script, reveals the unobfuscated contents intended to be run by the original author.

Figure 9. Original tail of malicious script where a call to execute is made.

Figure 10. Modified version of the script which prints the command instead of executing.

Figure 11. Output of running the modified script.

As seen above, the deobfuscated script appears to use an instance of VBScript to run a created ‘.txt’ file. This file uses a ‘.txt’ file extension to evade detection and lower suspicions. Opening this file, a similar level of obfuscation can be seen, using random words and concatenating different parts of these variables to create the desired command.

Figure 12. Modified second-stage script to print the command instead of executing

Similarly modifying this script to return the command rather than executing it reveals it was being used to retrieve a final payload from a series of malicious domains, trying each listed domain until a success was received. In this case, uploading the MD5 hash of this file to VirusTotal reveals the payload to be a strain of the Emotet trojan.

Figure 13. Deobfuscated script reveals payload and several malicious URLs.

Executing this malware in a sandbox environment, monitored by the SenseOn agent, several malicious actions can be observed both from analysis of raw ingested telemetry and looking at the relevant security observations generated by SenseOn.

The malicious VB script, can be seen retrieving the malicious payload over HTTP from the first of the malicious URLs referenced in the first de-obfuscated script.

Figure 14. SenseOn telemetry capturing script execution and payload retrieval.

The malware then abused the native ‘regsvr32.exe’ process to run a series of malicious binaries with seemingly randomly generated names, some of which were executed with the ‘/scomma’ argument, all run from the \AppData\Local\Temp directory.

Figure 15. Security security observation generated by SenseOn for unusual activity from %AppData%.

Figure 16. SenseOn telemetry capturing execution of malicious binaries.

Regsvr32 was also abused to establish Command and Control (C2) using connections to nodes in the Tor network.

Figure 17. SenseOn telemetry showing outbound connections by regsvr32 to Tor nodes.

Tor is likely used in this case to provide the author with an additional layer of anonymity and increase the difficulty of detection and remediation using traditional toolsets.

Figure 18. SenseOn security observation generated in response to Tor traffic.

Figure 19. SenseOn telemetry showing execution of ‘I7BUGMOAp1mnW79z5M0bLi0WI5oFMy2wIqc.dll’.

Regsvr32 was additionally leveraged to run a malicious “I7BUGMOAp1mnW79z5M0bLi0WI5oFMy2wIqc.dll” DLL file. This dll executed a series of information gathering commands such as ‘systeminfo’ and ‘ipconfig /all’. These are often used as enumeration techniques to determine device vulnerabilities and locations of interest, to begin the process of propagation.

Figure 20. SenseOn security observation created for anomalous use of regsvr32.

Figure 21. SenseOn telemetry capturing enumeration commands by regsvr32

Figure 22. SenseOn security observation generated in response to unusual outbound connections by regsvr32

To maintain persistence on the infected machine, the malware configures the malicious DLL file to be automatically run by Regsvr32 upon device startup, adding itself to the HKEY_USERS\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location

Figure 23. SenseOn telemetry capturing the malicious startup item.

IOCs

Domain IOCs

sachininternational.com[.]tr
erkaradyator.com[.]tr
esentai-gourmet[.]kz
ardena[.]pro
panel.chatzy[.]in
toiaagrosciences1.hospedagemdesites[.]ws
suppliercity.com[.]mx

IP IOCs

159[.]65[.]88[.]10
167[.]172[.]253[.]162
95[.]217[.]221[.]146
82[.]223[.]21[.]224
147[.]139[.]166[.]154
183[.]111[.]227[.]137
201[.]94[.]166[.]162
186[.]194[.]240[.]217
206[.]189[.]28[.]199
1[.]234[.]2[.]232
188[.]44[.]20[.]25
159[.]89[.]202[.]34
149[.]56[.]131[.]28
45[.]176[.]232[.]124
153[.]92[.]5[.]27
45[.]235[.]8[.]30
129[.]232[.]188[.]93
79[.]137[.]35[.]198
119[.]59[.]103[.]152
103[.]75[.]201[.]2
173[.]212[.]193[.]249
139[.]59[.]126[.]41
185[.]4[.]135[.]165
197[.]242[.]150[.]244
94[.]23[.]45[.]86
115[.]68[.]227[.]76
202[.]129[.]205[.]3
107[.]170[.]39[.]149
5[.]135[.]159[.]50
172[.]105[.]226[.]75
213[.]239[.]212[.]5
167[.]172[.]199[.]165
209[.]126[.]85[.]32
198[.]199[.]65[.]189
187[.]63[.]160[.]88

MD5 Hash IOCs

cde1a4983674221e32035465ff72c577
9eae6f49a02d6eb9f75af7bbf4349808
c862aed0ddd602cafc5bfdf212e0bd4d

Detections

SIGMA Rules

title: Detect Regsvr32 Binary execution
description: Detects when regsvr32 executes an exe file other than an instance of itself
status: experimental
author: Lachlan Godding
logsource:
   product: windows
   category: process_creation
detection:
   selection:
     ParentImage|endswith: '\regsvr32.exe'
     Image|endswith: '\.exe'
   filter:
     Image|endswith: '\regsvr32.exe'
   condition: selection and not filter
   level: high

title: Detect Regsvr32 enumeration command
description: Detects when regsvr32 runs commands commonly used for enumeration
status: experimental
author: Lachlan Godding
logsource:
   product: windows
   category: process_creation
detection:
   selection:
     ParentImage|endswith: '\regsvr32.exe'
     Image|endswith:
       - '\systeminfo.exe'
       - '\ipconfig.exe'
   condition: selection
   level: high

title: Powershell downloading unusual file types
description: Detects PowerShell makes a web request to download suspicious file types
status: experimental
author: Lachlan Godding
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\cmd.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'invoke-webrequest'
      - 'SW52b2tlLVdlYlJlcXVlc3Q=' #base64 version
   filter:
     CommandLine|regex:
      - '-uri.*\.txt'
      - '-uri.*\.msi'
      - '-uri.*\.json'
      - '-uri.*\.csv'
      - '-uri.*\.pdf' 
#optionally adjust these to represent normal filetypes for the environment
   condition: selection and not filter
   level: high

title: OneNote spawning unusual child process
description: Detects OneNote spawning suspicious child processes (not browser or office)
status: experimental
author: Lachlan Godding
logsource:
   product: windows
   category: process_creation
detection:
   selection:
     ParentImage|endswith: '\onenote.exe'
   filter:
     Image|endswith:
     - '\msedge.exe'
     - '\msedgewebview2.exe'
     - '\chrome.exe'
     - '\firefox.exe'
     - '\opera.exe'
     - '\brave.exe'
     - '\iexplore.exe'
     - '\winword.exe'
     - '\excel.exe'
     - '\powerpnt.exe'
     - '\acrord32.exe'
     - '\acrobat.exe'
     - '\onenotem.exe'
     - '\outlook.exe'
     - '\teams.exe'
     - '\notepad.exe'
     - '\protocolhandler.exe'
     - '\onenote.exe'
     - '\ai.exe'
     - '\splwow64.exe'


   condition: selection and not filter
   level: high

Snort

alert tcp any any -> any any (msg:”Potential Emotet User Agent Detected”; flow:to_server,established; content:”User-Agent|3a| Mozilla/5.0 (Windows NT 6.1; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0|0d 0a|”; nocase; sid:1000001; rev:1;)