Introduction
In the past month, Blackpoint Cyber’s SOC caught and eliminated over a dozen instances of malicious OneNote files (.one) being used as an attempt to gain initial access. Attacks from various threat actors have been observed using similar techniques. Microsoft macros, which add additional features and functions to Microsoft Office products, have been used as an initial access vector for attackers for quite some time. To mitigate this attack surface, Microsoft rolled out a feature change in April 2022 that blocks macros by default on Office files downloaded from the internet. When a major initial access vector is blocked, adversaries must adapt their tactics, techniques, and procedures (TTPs) to remain active.
Like many initial access vectors, the OneNote attack comes as an attachment within a phishing email, requiring the victim to open the file and click the payload for execution. The payloads observed by Blackpoint Cyber’s Adversary Pursuit Group (APG) contained scripts to download and execute additional payloads from the adversary’s server. Using this technique allows adversaries the ability to launch various attack types and change payloads at their leisure.
Technical Analysis
The APG analyzed many of the recent OneNote attacks to identify trends and use cases of the adversaries.
Figure 1 is an example of what a malicious .one file displays upon opening with Microsoft OneNote. By default, the application opens the file in Read-Only mode and explains to the victim that the additional attachments are in the cloud.
Enabling edit mode on the file reveals that the “Open” button is just a text box which overlays an embedded file named “Open.cmd” (Figure 2).
Designed as a convenient addition to taking notes, OneNote allows files to be embedded as attachments. Multiple file types can be embedded and executed from OneNote including documents, videos, audio clips, batch scripts, HTA (HTML Application), JS (JavaScript), WSF (Windows Script File), and VBS (Visual Basic script). What was intended for convenience and ease of use has quickly turned into an attack vector by threat actors.
Figure 3 is an example of a deobfuscated batch script found embedded in one of the samples analyzed by the APG. This script downloads 01.gif, saves it as putty.jpg, and executes it with rundll32.exe. The APG also observed a different hash for every download of putty.jpg, which implies the threat actor is using automation in their payload generation.
The putty.jpg file was a Dynamic Link Library (DLL) masquerading as an image file to evade detection. Upon execution, rundll32.exe loaded putty.jpg as a module and created the following processes before terminating its own process:
- wermgr.exe (Windows Problem Reporting)
  - rundll32.exe injected shellcode into wermgr.exe using process hollowing
    - This technique hides malicious code inside a legitimate process
- msra.exe (Microsoft Remote Assistance)
  - Sets multiple registry keys under “HKCU\Software\Microsoft\Yerqbqokc\”
  - Creates a SearchProtocolHost.exe thread (the Windows Search indexer, which catalogs the filesystem)
  - Queries values from the registry keys listed above
- svchost.exe (Service Host)
  - Sets multiple registry keys under “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\” (the scheduled-task cache, i.e. persistence through a scheduled task)
  - Modifies Windows Update Orchestrator
Most of the malware samples from the OneNote attacks caught by Blackpoint’s SOC were identified as likely Qakbot attacks, because their IoCs (Indicators of Compromise) matched known Qakbot attacks. This was determined by antivirus detection, YARA rules, and the APG. Qakbot is known for process injection into legitimate processes and for the use of “Wind” as an exported function in its DLLs.
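The behaviours described above (an Office application launching a script host, rundll32.exe loading a module with an image-file extension, the “Wind” export, and wermgr.exe/msra.exe appearing as children of rundll32.exe) can all be expressed as checks over process-creation telemetry. The following is an added example written for this page, not Blackpoint’s SOC rule; it assumes a simplified Sysmon Event ID 1 record shape (pid, ppid, image, parent_image, cmdline), and the sample events are constructed, with only the rundll32 command line taken from the report’s IoCs. The assumption that the embedded script is launched as a child of ONENOTE.EXE is this example’s, not a statement from the report.

```python
import re
from typing import Dict, List

# Assumed process-creation event shape (a simplified Sysmon Event ID 1 record).
# The events below are constructed for illustration; paths and PIDs are made up,
# but the rundll32 command line is the one quoted in the report's IoCs.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\OneNote\Open.cmd"'},
    {"pid": 4311, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rundll32.exe C:\programdata\putty.jpg,Wind"},
    {"pid": 4402, "ppid": 4311, "image": r"C:\Windows\System32\wermgr.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\wermgr.exe"},
    # Benign control: rundll32 loading a real system DLL from a normal parent.
    {"pid": 5001, "ppid": 700, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Extensions rundll32 is normally handed; anything else (.jpg, .png, .gif) is suspect.
LIBRARY_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
HOLLOWING_TARGETS = {"wermgr.exe", "msra.exe"}          # from the process tree above
OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>[#\w]+)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extension(path: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    name = basename(path)
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def check_rundll32(event: Dict) -> List[str]:
    """Flag rundll32 invocations whose module is not a library or whose export is 'Wind'."""
    if basename(event["image"]) != "rundll32.exe":
        return []
    m = RUNDLL32_RE.search(event["cmdline"])
    if not m:
        return []
    module, export = m.group("module"), m.group("export")
    reasons = []
    if extension(module) not in LIBRARY_EXTS:
        reasons.append(f"rundll32 module has non-library extension: {module}")
    if export == "Wind":
        reasons.append("export 'Wind' matches the Qakbot DLL export named in the report")
    return reasons


def check_hollowing_target(event: Dict) -> List[str]:
    """wermgr.exe / msra.exe should not be children of rundll32.exe."""
    child, parent = basename(event["image"]), basename(event["parent_image"])
    if child in HOLLOWING_TARGETS and parent == "rundll32.exe":
        return [f"{child} spawned by rundll32.exe (process-hollowing target)"]
    return []


def check_office_child(event: Dict) -> List[str]:
    """An Office application launching a script host is the user-execution step."""
    child, parent = basename(event["image"]), basename(event["parent_image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return [f"{parent} launched {child}: {event['cmdline']}"]
    return []


def analyze(events: List[Dict]) -> List[Dict]:
    """Run every check over the events and return one finding per flagged process."""
    findings = []
    for ev in events:
        reasons = check_rundll32(ev) + check_hollowing_target(ev) + check_office_child(ev)
        if reasons:
            findings.append({"pid": ev["pid"], "image": basename(ev["image"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}):")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the constructed events, the three stages of the chain (Office-to-cmd, rundll32 with a .jpg module and the Wind export, wermgr.exe under rundll32) are flagged and the benign shell32.dll invocation is not. The extension check is the most durable of the three: the file name changes per download, the export name and the hollowing target change per family, but rundll32 being handed a non-library extension from a user-writable directory stays unusual.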
Conclusion
The execution of embedded OneNote payloads can have varying outcomes based on the adversary’s intent. The APG’s analysis revealed that this particular attack aimed to:
- establish persistence in the registry and scheduled tasks and
- set up for further payload delivery and C2 interactions.
However, other threat actors could leverage OneNote as a means to deliver ransomware or carry out more complex attacks. Currently, it seems that manual user interaction in the form of double-clicking one of the embedded files is required to initiate the attack, as OneNote does not possess built-in automatic execution. It is important to remain vigilant and cautious when handling unsolicited or suspicious OneNote files to prevent falling victim to this type of attack.
After observing this tactic for user execution, the SOC deployed a rule to improve detection of these attacks. Between Feb. 1-16, 2023, the rule triggered 39 times on 13 devices; the trigger count exceeds the device count because users typically execute the file multiple times. The SOC and APG will continue to monitor for, and defend against, the malicious use of OneNote.
Mitigation
- Block all .one attachments in emails.
- If the use of a OneNote attachment is required, validate the source and credibility before opening.
- Neo23x0 released a YARA rule for detecting suspicious embedded file types in OneNote files.
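As an added example covering both the embedded-attachment mechanism described under Technical Analysis and the detection mitigation listed above, the following Python triage script is written for this page and is not the Neo23x0 YARA rule or any Blackpoint tooling. It walks a .one file for FileDataStoreObject structures (the container OneNote uses for embedded attachments, identified by the header GUID from Microsoft’s MS-ONESTORE specification), classifies each embedded blob by magic bytes or by script-like content, and returns a block/allow verdict. The sample “document” is constructed in build_sample() and is not a real OneNote file; the embedded batch text reuses the rundll32 command line from the report’s IoCs. The script-sniffing keywords and the risk labels are this example’s own heuristic choices.

```python
import re
import struct
import uuid
from typing import Dict, List, Tuple

# GUIDs from the MS-ONESTORE specification, serialised little-endian as they appear on disk.
ONE_FILE_TYPE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one header guidFileType
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le    # FileDataStoreObject guidHeader
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le    # FileDataStoreObject guidFooter

# (magic bytes, label, risk) checked against the start of each embedded blob.
SIGNATURES: List[Tuple[bytes, str, str]] = [
    (b"MZ", "pe-executable", "high"),
    (b"%PDF", "pdf", "medium"),
    (b"\x89PNG", "png-image", "low"),
    (b"\xff\xd8\xff", "jpeg-image", "low"),
    (b"GIF8", "gif-image", "low"),
]
# Script-type attachments (batch, HTA, WSF, VBS/JS launchers) have no fixed magic, so sniff the text.
# Keyword list is this example's heuristic, not an exhaustive signature set.
SCRIPT_RE = re.compile(
    rb"(<script|<hta:application|<html|<job|@echo\s+off|\bcmd(?:\.exe)?\s*/c|"
    rb"powershell|wscript|cscript|mshta|rundll32)", re.IGNORECASE)


def extract_embedded(data: bytes) -> List[bytes]:
    """Return the FileData of every FileDataStoreObject found in the byte string."""
    blobs = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        # Layout: guidHeader(16) cbLength(8, LE) unused(4) reserved(8) FileData(cbLength) guidFooter(16).
        # Only cbLength is trusted here; the footer (after any alignment padding) is not relied on.
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        blobs.append(data[start:start + length])
        pos = data.find(FDSO_HEADER, start + length)
    return blobs


def classify(blob: bytes) -> Tuple[str, str]:
    """Label an embedded blob by magic bytes, then by script sniffing; returns (kind, risk)."""
    for magic, kind, risk in SIGNATURES:
        if blob.startswith(magic):
            return kind, risk
    if SCRIPT_RE.search(blob[:4096]):
        return "script", "high"
    return "unknown", "medium"


def scan(data: bytes) -> Dict:
    """Triage a .one file: list embedded objects and return a block/allow verdict."""
    result = {"is_onenote": data.startswith(ONE_FILE_TYPE), "embedded": [], "verdict": "allow"}
    if not result["is_onenote"]:
        return result
    for i, blob in enumerate(extract_embedded(data)):
        kind, risk = classify(blob)
        result["embedded"].append({"index": i, "size": len(blob), "kind": kind, "risk": risk})
        if risk == "high":
            result["verdict"] = "block"
    return result


def build_sample() -> bytes:
    """Constructed stand-in for a malicious .one file (not a real OneNote document): the real
    file-type GUID, zero filler for the rest of the header, then three FileDataStoreObjects."""
    def fdso(payload: bytes) -> bytes:
        return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 4 + b"\0" * 8
                + payload + FDSO_FOOTER)
    batch = b"@echo off\r\nrundll32.exe C:\\programdata\\putty.jpg,Wind\r\n"  # command line from the IoCs
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 16                                     # benign image stub
    pe = b"MZ" + b"\0" * 62                                                      # DOS-header stub
    return ONE_FILE_TYPE + b"\0" * 48 + fdso(batch) + fdso(png) + fdso(pe)


if __name__ == "__main__":
    report = scan(build_sample())
    print(f"OneNote: {report['is_onenote']}  verdict: {report['verdict']}")
    for e in report["embedded"]:
        print(f"  object {e['index']}: {e['size']} bytes, {e['kind']} ({e['risk']})")
```

The same extract_embedded() loop is what a mail-gateway or sandbox hook would run on every .one attachment: because OneNote stores attachments as raw bytes inside the FileDataStoreObject, the embedded .cmd or .hta can be pulled out and hashed or classified without opening the document, which matches the blanket “block .one attachments” control above when any embedded object is executable or script-like.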
Indicators of Compromise
SHA256: DE9FDC6426C7DDF204FF5683130B7EAC03859F32D8F6860D99F849D759A3B84D
- File Name: notes.one
- File Type: OneNote file format
- Details: Initial payload
SHA256: d8202493557e94abeaeabd10f5940798e34fd73112a4a49468309e4c94195af9
- File Name: putty.jpg
- File Type: DLL
- File Size: 448055 bytes
- Details: Final payload executed with “rundll32.exe C:\programdata\putty.jpg,Wind”
SHA256: 8b02c7e9f0d7b08bf3dfc4feaa18363c9917e4ab35fda58c5720b723a9443b73
- File Name: 1.png
- File Type: DLL
- File Size: 1780063 bytes
- Details: Final payload executed with “rundll32.exe C:\ProgramData\1.png,Wind”
SHA256: 2544adb4a05f340fa280d596ca483ccc6d79b261233e40bb5b08855d4dc5b305
- File Name: system32.bat
- File Type: Win32 EXE
- File Size: 35328 bytes
- Details: Final payload executed with “Start-Process -Filepath $env:tmp\system32.bat62576”
SHA256: 8C3DD90C78A217A15530E3CD96AE28E0DB7B73A5734E709BEEE9509A2342A832
- File Name: ComplaintCopy_25628(Feb01).one
- File Type: OneNote file format
- Details: Initial payload
Other files observed were not collected because antivirus had already quarantined or deleted them.
Initial payload OneNote files:
- AgreementCancelation_367226(Feb08).one
- Cancellation.one
- document.one
- DocumentsFolder_780693(Feb03).one
- Cancelation.one
- cancelation.one
- Secured-Document.one
- ComplaintCopy_75601(Feb01).one
Embedded OneNote attachments:
- Open.cmd (Batch Script)
- as2ECOj.cmd (Batch Script)
- Open.hta (HTML Application Script)
- document.hta (HTML Application Script)
Final payload files:
- aYmyWrBC.jpg
  - DLL executed with “rundll32.exe C:\programdata\aYmyWrBC.jpg,Wind”
- atzTG39.png
  - DLL executed with “rundll32.exe C:\ProgramData\atzTG39.png,Wind”
- aCfzEaqD.png
  - Deleted prior to execution
- index1.png
  - DLL executed with “rundll32.exe C:\ProgramData\index1.png,Wind”
IPs:
Domains: