The Adventures of Malicious OneNote Attachments in Cortex XDR Land

Jul 05, 2023
10 minutes
... views

Executive Summary

The Cortex Threat Research team has been tracking recent campaigns that were using malicious OneNote email attachments as the initial attack vector. Malicious OneNote files have been made popular by various threat actors earlier this year, as a response to Microsoft blocking internet macros by default.

In correlation with Microsoft’s notice, starting in early 2023, OneNote infected attachments have been seen spreading malware such as Emotet, Qakbot, and AsyncRAT to name a few.

Similar to attacks delivering malicious Word macro attachments, various themed emails were seen sent at scale, luring potential victims into downloading an attached malicious OneNote file.

OneNote itself is installed by default as part of various versions of Microsoft Office installations, and allows embedding of macros.

Microsoft released another notice in April, stating that 120 extensions will be blocked by default in OneNote, disabling the user’s interaction with a OneNote file completely. These changes began rolling out with OneNote Version 2304 in April 2023, but for all users who have not yet updated, this attack vector is prevalent.

We observed multiple malware delivery methods techniques in the different campaigns, using various script types that serve as loaders, such as CScript, WScript, as well as running MSHTA files.

This writeup will examine some of the more salient techniques and provide insights on how Cortex XDR detects and blocks the infection chains derived from each file.

Initial Access and Structure

The initial access vector of OneNote malicious attachments consists of the “good old” method of luring the victim into opening an email containing a malicious attachment.

In the example below, we can see a targeted fake reply to a correspondence that is pretending to be of an urgent matter, in order to pressure the victim into opening the attached file. This email was part of a larger phishing campaign that targeted Italian-speaking users.

Figure 1. An email containing a malicious OneNote attachment
Figure 1. An email containing a malicious OneNote attachment

 

These malicious documents often feature intentionally blurred content, accompanied by a message that prompts the users to press a button with the promise of unblurring the content. Pressing on the said button enables the running of the malicious macro and ultimately triggers the infection chain.

The screenshot below depicts a malicious document that is pretending to be protected by a “security signature” of Microsoft Azure Cloud.

Figure 2. The content of the aforementioned OneNote malicious attachment
Figure 2. The content of the aforementioned OneNote malicious attachment

 

Extracting the MSI package’s content shows that these are all in fact just images, including the blurred “document” in the background. It is also interesting to note that the default names of the extracted image resources are in Russian and simply mean “unnamed painting”.

Figure 3. The images resources extracted from the OneNote file
Figure 3. The images resources extracted from the OneNote file

 

Another example shows a decoy email in German. This shows how widespread these attacks are, focusing on multiple potential victims and countries.

Figure 4. Content of the lure email
Figure 4. Content of the lure email

 

After opening the attached document, a window using the Office 365 theme appears, prompting the user to download a document allegedly hosted on the cloud.

Figure 5. Another example of a malicious document content
Figure 5. Another example of a malicious document content

 

The content of this document carries a malicious HTA file. After the user clicks on the “Open” button, they unknowingly execute the HTA file, and the JavaScript embedded in this file creates a fake popup message. The fake popup is used to divert the users’ attention from the fact that a malicious script is running in the background.

Figure 6. The fake message displayed while malicious code is running in the background
Figure 6. The fake message displayed while malicious code is running in the background

 

MSI Installer Variant

Once a user is successfully lured into clicking the aforementioned button, an MSI file is launched, including a malicious Windows script file that is actually bundled in it. Upon the installation of the MSI file the Windows script file is written to disk and then executed by the WScript engine.

Using the UniExtract2 tool, it is possible to reveal the aforementioned Windows script file that is bundled in the installation package.

Figure 7. Contents of the MSI installer
Figure 7. Contents of the MSI installer

 

The extracted script file is obfuscated and contains junk code. Parts of the script are also scattered in between benign text, such as excerpts from “Alice in Wonderland”, for example.

Figure 8. Contents of the Windows script including a benign text from Alice in Wonderland
Figure 8. Contents of the Windows script including a benign text from Alice in Wonderland

 

By breaking the script into pieces and embedding them in large benign text files, the attackers attempt to thwart analysis efforts and evade detection by AV solutions.

Two scripts are eventually dropped on disk, in the %programdata% folder, by the Windows script.

Figure 9. Names of the two script files that are being dropped on disk
Figure 9. Names of the two script files that are being dropped on disk

 

The scripts are executed in the background while the victim thinks they are installing Azure cloud software.

Figure 10. content of the two script files dropped on disk
Figure 10. content of the two script files dropped on disk

 

 

The content of these two additional scripts, prior to being written to disk, is embedded in a hex-encoded form in the Windows script file. There are two strings which are especially noticeable.

Decoding the first hex encoded string reveals the code below. This code downloads a file from a remote command and control server (C2) and saves it to disk.

Figure 11. Content of the first decoded hex string
Figure 11. Content of the first decoded hex string

 

Decoding the second hex string reveals another piece of code, responsible for executing the previously downloaded file with the right exports method, “Motd”, using the Windows built-in Rundll32 binary. This is indicative that the dropped file is actually a DLL file, rather than a .tmp file as the name would suggest.

Figure 12. Content of the second decoded hex string
Figure 12. Content of the second decoded hex string

 

The final payload is the well established Qakbot malware, an information stealer, and formally a banking Trojan, that has been around since at least 2007.

The execution of the MSI installer was detected and prevented by Cortex XDR, as seen in the screenshots below.

Figure 13. The MSI installer process tree as seen in Cortex XDR in detect mode
Figure 13. The MSI installer process tree as seen in Cortex XDR in detect mode

 

Figure 14. The MSI installer process tree as seen in Cortex XDR in prevent mode
Figure 14. The MSI installer process tree as seen in Cortex XDR in prevent mode

 

HTA File Variant

We observed another infection method using OneNote in a campaign that targeted German-speaking users. In this campaign, instead of an MSI installer, the attackers used an HTML Application (HTA) file.

The HTA file’s content is much shorter than the previous MSI variant’s Windows script, but it still contains some obfuscated strings. The string in its obfuscated form is depicted below.

Figure 15. Obfuscated content of the HTA file
Figure 15. Obfuscated content of the HTA file

 

Deobfuscating this string returns the following script, which reveals the main malicious functionality.

Figure 16. Deobfuscated content of the HTA file
Figure 16. Deobfuscated content of the HTA file

 

This part of the script shows the usage of the curl utility in order to download a payload to the disk, masquerading it as a PNG file. The script then proceeds to display the fake pop up message that the document is corrupted, as depicted in the “Initial Access” section.

After the deobfuscation, the script content is written to the registry, under the key HKCU\\SOFTWARE\\rq5w\\xczis\\x4dyhu.

Finally, the freshly written key is being read from the registry, and if it exists then the part of the script below provides the url parameter to the curl utility to download the malicious payload. The registry value is then deleted.

Figure 17. The C2 URL as seen in the HTA file
Figure 17. The C2 URL as seen in the HTA file

 

Cortex XDR detected and prevented the execution of the mshta.exe file, as seen in the screenshots below.

Figure 18. The HTA file execution as seen in Cortex XDR in detect mode
Figure 18. The HTA file execution as seen in Cortex XDR in detect mode

 

Figure 19. The HTA file execution as seen in Cortex XDR in prevent mode
Figure 19. The HTA file execution as seen in Cortex XDR in prevent mode

 

ISO + CHM Variant

We observed a third infection scenario that is an interesting combination of a bundled ISO image containing a CHM file. The theme of the document resembles the examples above. When the user clicks on the “Open” button, the ISO image that contains the CHM file is mounted.

Figure 20. The ISO image that is mounted on the user’s PC
Figure 20. The ISO image that is mounted on the user’s PC

 

After extracting the ISO file and the contents of the CHM file, we see the CHM file contains an additional command line that to be executed on click.

Figure 21. Content of the CHM file
Figure 21. Content of the CHM file

 

The Base64 encoded command line translates to the code that can be seen in figure 16. The encoded PowerShell command is in Base64 and decodes to start rundll32 $env:TEMP\PebbliestUndetractive.capriote, Motd;.

This time the attackers embedded an array of C2 servers, running in a loop, waiting for a successful connection in order to download and execute the Qakbot payload.

Figure 22. Base64 decoded PowerShell command
Figure 22. Base64 decoded PowerShell command

 

Cortex XDR detected and prevented the execution of the CHM file, as seen in the screenshots below.

Figure 23. The CHM file execution tree as seen in Cortex XDR in detect mode
Figure 23. The CHM file execution tree as seen in Cortex XDR in detect mode

 

Figure 24. The CHM file execution tree as seen in Cortex XDR in prevent mode
Figure 24. The CHM file execution tree as seen in Cortex XDR in prevent mode

 

Protections and Mitigations

Cortex XDR customers are protected against different variations of infection chains using malicious OneNote attachments. The different scenarios described in detail above and their infection chains are detected and blocked by the Cortex XDR platform and can be seen in each scenario above and the respective detection and prevention screenshots.

In addition to the classic detection, the unique SmartScore engine translates security investigation methods and their associated data into a ML-driven hybrid risk scoring system. All three scenarios detailed in this blog scored higher than 95 out of 100 by SmartScore.

Figure 25. SmartScore results for the MSI installer variant incident
Figure 25. SmartScore results for the MSI installer variant incident

 

Indicators of Compromise

MSI Installer Variant

Email

a6f3ce007be6810ef4df88e97aca226666c904065f1a1215079be4570b941227

OneNote Attachment

66a8e8fd9f50632b86408434cad6cf7238f243f2bca7f601dc108a933174c017

C2 Domain

logswalker[.]com

MSI Installer

1ce9f46beb6336aee67c548ce11aed6a80ec6816d89a35ed0ca6def577932198

Windows Script

3c9aa9fc46d14bcd25da2bcae0a924b0840c6b067c889ba242f0840a9e72fbd3

HTA File Variant

Email

9210833cd360ba3af63f7108cfc406308c04b85bef5f35e4660e687c1c8db45d

OneNote Attachment

ccea71c3007664a78b34ee6ffd5237b7d3a24f6957a59f654154244160f44c53

HTA File

51b74094e47e5e4b8387a47924576872170ba7b0b0618f6ea0b36954ba1a4b0f

C2 IP

51.255.141[.]79

ISO + CHM Variant

OneNote Document

67febd5039bb69c26e12f3ca6e82b0478b0e98b8965c0a6119763335088b246a

ISO File

3efd4aac02a180f8d49ec63105802c44a39b5d2a584b35aed43be997e1e0d5d5

CHM File

6c5c936c65311794478b2c35ca51aa17473f647b2a88af51dceed5fbe60eece2

C2 Domains

nayadofoundation[.]org

mrcrizquna[.]com

gsscorporationltd[.]com

zainco[.]net

erg-eg[.]com

carladvogadatributaria[.]com

citytech-solutions[.]com

hotellosmirtos[.]com

Additional Resources

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rising-trend-of-onenote-documents-for-malware-delivery/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/

 


Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.