Microsoft OneNote files are widely used to deliver malware payloads

There is a never-ending race between threat actors and security software. Malware authors constantly look for techniques that slip past active defenses to gain access to a victim's machine, and one of them is switching to low-profile file types to carry the malicious payload. Malware authors have now turned to OneNote files, which were rarely used for malicious purposes in the past. Over the last few weeks, SonicWall RTDMI has detected a spike in malicious OneNote files delivered to victims' machines as email attachments. The SonicWall threat research team observed these OneNote files delivering AgentTesla, AsyncRAT and QakBot. The threat actors attach HTML Application (HTA) files, batch files and Portable Executable (PE) files to OneNote pages and hide the attachments behind an image. The image displays a message luring the victim to click on it; because the attachment sits underneath the image, the click opens the attached file (after OneNote's warning that opening attachments could harm the computer, which many users simply accept) and triggers the malware execution:
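Since every one of these campaigns hinges on a file embedded in a .one page, the first thing an analyst wants is to get the attachments out without opening OneNote. The following is an added example, not code from the SonicWall post: a Python carver that scans a .one file for the FileDataStoreObject header and footer GUIDs documented in MS-ONESTORE and extracts each embedded file, then guesses its type from content rather than from any claimed name. The sample blob it runs on is constructed here and is not a real OneNote file; the type heuristics are triage-grade assumptions, not a replacement for a full parser.

```python
import struct
import uuid

# Marker GUIDs of a FileDataStoreObject (MS-ONESTORE 2.6.13); every embedded
# attachment in a .one file is stored as one of these objects.
FILEDATA_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FILEDATA_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
# Layout: guidHeader(16) | cbLength(8, LE) | unused(4) | reserved(8) | FileData(cbLength) | guidFooter(16)
HEADER_SIZE = 16 + 8 + 4 + 8


def classify(data: bytes) -> str:
    """Rough content-based type guess for triage; deliberately ignores any claimed file name."""
    head = data[:512].lower()
    if data[:2] == b"MZ":
        return "PE executable"
    if data[:8] == b"\x89PNG\r\n\x1a\n" or data[:3] == b"\xff\xd8\xff":
        return "image"
    if b"<hta:application" in head or b"<script" in head or b"<html" in head:
        return "HTA/HTML"
    if head.lstrip().startswith(b"@echo off") or b"powershell" in head or b"%~0" in head:
        return "batch"
    return "unknown"


def carve_embedded_files(blob: bytes) -> list:
    """Find every FileDataStoreObject by scanning for its header GUID and return the
    carved payloads. No object-tree parsing, so it still works on damaged files."""
    found = []
    pos = blob.find(FILEDATA_HEADER)
    while pos != -1:
        if pos + HEADER_SIZE > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_SIZE
        end = start + length
        truncated = end > len(blob)          # bogus or oversized length: keep what is there
        data = blob[start:min(end, len(blob))]
        found.append({
            "offset": pos,
            "length": length,
            "truncated": truncated,
            "footer_ok": (not truncated) and blob[end:end + 16] == FILEDATA_FOOTER,
            "type": classify(data),
            "data": data,
        })
        if truncated:
            break
        pos = blob.find(FILEDATA_HEADER, end)
    return found


def build_sample_onenote() -> bytes:
    """Constructed test input, NOT a real OneNote file: two FileDataStoreObjects (a lure
    image and an HTA) surrounded by filler bytes, which is all the carver relies on."""
    def obj(payload: bytes) -> bytes:
        return (FILEDATA_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
                + payload + FILEDATA_FOOTER)
    lure_image = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
    hta = (b'<html><head><hta:application id="lure"/></head>'
           b"<script language=\"VBScript\">' constructed placeholder for the dropper logic</script></html>")
    filler = b"\x00" * 68
    return filler + obj(lure_image) + b"\x11" * 32 + obj(hta) + b"\x00" * 16


if __name__ == "__main__":
    for f in carve_embedded_files(build_sample_onenote()):
        print(f"offset={f['offset']:#x} type={f['type']} length={f['length']} footer_ok={f['footer_ok']}")
```

Run it against a suspicious .one file by passing the file bytes to carve_embedded_files; anything classified as PE, HTA/HTML or batch sitting next to a single lure image is the pattern described in the three cases below. A missing footer or a truncated object is worth reporting rather than silently skipping, since attackers do damage the surrounding structure to break naive parsers.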

Case 1 (Payload: AgentTesla)

The threat actor attaches a malicious HTML Application (HTA) file to the OneNote page and duplicates the attachment reference many times to widen the area a user click will land on. The attachments are hidden by overlapping two images: the first is a blurred document image, which is in turn covered by a second image that asks the user to "View Document". When the user clicks the image, the hidden HTA file underneath is executed:

The HTA file launches two PowerShell instances: one displays an image fetched from the web, the other downloads and executes the AgentTesla malware on the victim's machine:

The blurred HSBC document fetched from the web is displayed to mislead the user while the malicious activity proceeds in the background:

The second PowerShell instance runs the downloaded executable in the background. That executable in turn runs a VBScript file and injects the AgentTesla payload into RegSvcs.exe (a signed .NET Framework binary, a common hollowing target), which exfiltrates the harvested user data to a Telegram Bot API endpoint used as the Command and Control (C2) server, h[t][t]ps://api.telegram.org/bot5729374237:AAEdSD-W5rWlJyyU5nwVKvjLxJBT1jTdKRY/. RegSvcs.exe has no legitimate reason to talk to the Telegram API, so outbound connections from that process to api.telegram.org are a reliable network tell:

Case 2 (Payload: AsyncRAT)

The threat actor attaches an obfuscated batch file to the OneNote page. The batch attachment is hidden behind an image that asks the user to "Click to view document". The page also carries a background image displaying the text DHL WORLDWIDE EXPRESS so that it passes as a delivery document:

The batch file is obfuscated. When run, it drops a renamed copy of the PowerShell executable into the OneNote temp folder as "invoice.bat.exe" and uses that copy, rather than the system powershell.exe, to execute a PowerShell script, which sidesteps detections keyed on the process name alone:

The PowerShell script reads the encrypted data embedded in the batch file, decrypts it and decompresses the result to obtain the AsyncRAT executable, which it then executes:

AsyncRAT is a widely known remote access trojan whose source code is publicly available on GitHub:

In another AsyncRAT-delivering variant, the OneNote page carries an executable attachment which drops a batch file to continue the chain, again ending with AsyncRAT running on the victim's machine:

Case 3 (Payload: QakBot)

The threat actor attaches a batch commands file to the OneNote page. The attachment is hidden behind an image that says "Open". The page also contains an image with the text "This document contains attachments from the cloud, to receive them, double click "open"":

The batch commands file runs a PowerShell command that writes a second batch file to C:\Users\Public\aSUNY81.cmd and executes it with two arguments:

The dropped script downloads the QakBot payload from the URL h[t][t]ps://famille2point0.com/oghHO/01.png, which is passed in as the second argument; the .png extension is a disguise, the file is a Dynamic Link Library (DLL). The QakBot DLL is then executed by calling its export function Wind:

QakBot injects its payload into iexplore.exe (Internet Explorer) using process injection. The binary uses the traditional method: it creates iexplore.exe in a suspended state with CreateProcess, allocates memory in the new process and writes the payload into it. After writing the code, most malware redirects the suspended thread's instruction pointer (EIP) to the injected code with SetThreadContext; QakBot instead overwrites the bytes at the thread's current EIP with a jump to the injected code, so execution lands there once the thread is resumed. Detection logic that waits for a SetThreadContext call against a suspended process misses this variant; a cross-process memory write into a freshly created, still-suspended process is the more robust signal:
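The three chains above share a handful of host-level tells: OneNote spawning a script host, something executed from OneNote's export/temp folder, a renamed powershell.exe, a PowerShell or cmd command line dropping a .cmd into C:\Users\Public, and rundll32 loading a module with a non-DLL extension or from a user-writable path. The following is an added example, not from the post, that checks Sysmon-style process-creation events (Event ID 1 fields: Image, ParentImage, CommandLine, OriginalFileName) against those tells. The events are constructed here; the export-folder path, the command lines and the assumption that the QakBot DLL was launched through rundll32 from C:\Users\Public are assumptions for the sample, not facts taken from the analysis.

```python
import re

# Script and loader hosts that ONENOTE.EXE should never be spawning directly.
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# OriginalFileName values carried in PowerShell's PE version info (what Sysmon reports).
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
ONENOTE_TEMP = re.compile(r"\\temp\\onenote\\", re.I)
USER_WRITABLE = re.compile(r"\\users\\public\\|\\appdata\\local\\temp\\|\\programdata\\", re.I)
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
PUBLIC_CMD = re.compile(r"c:\\users\\public\\[^\s\"']+\.cmd\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_onenote_spawns_script_host(e: dict) -> bool:
    # Cases 1-3: the attachment is launched by OneNote itself.
    return basename(e["ParentImage"]) == "onenote.exe" and basename(e["Image"]) in SCRIPT_HOSTS


def rule_executes_from_onenote_temp(e: dict) -> bool:
    # Cases 1-2: OneNote extracts attachments under %LOCALAPPDATA%\Temp\OneNote\ before opening them.
    return bool(ONENOTE_TEMP.search(e["Image"]) or ONENOTE_TEMP.search(e["CommandLine"]))


def rule_renamed_powershell(e: dict) -> bool:
    # Case 2: "invoice.bat.exe" is powershell.exe under another name; version info still says PowerShell.EXE.
    return (e.get("OriginalFileName", "").lower() in POWERSHELL_ORIGINAL_NAMES
            and basename(e["Image"]) not in {"powershell.exe", "pwsh.exe"})


def rule_public_cmd_dropper(e: dict) -> bool:
    # Case 3: a PowerShell/cmd command line referencing a .cmd under C:\Users\Public.
    return (basename(e["Image"]) in {"powershell.exe", "pwsh.exe", "cmd.exe"}
            and PUBLIC_CMD.search(e["CommandLine"]) is not None)


def rule_rundll32_odd_module(e: dict) -> bool:
    # Case 3: rundll32 loading a module with a non-.dll extension (the payload was fetched as 01.png)
    # or from a user-writable path. That the DLL sat under C:\Users\Public is an assumption.
    if basename(e["Image"]) != "rundll32.exe":
        return False
    m = RUNDLL32_ARGS.search(e["CommandLine"])
    if not m:
        return False
    module = m.group("module")
    return not module.lower().endswith(".dll") or USER_WRITABLE.search(module) is not None


RULES = [rule_onenote_spawns_script_host, rule_executes_from_onenote_temp, rule_renamed_powershell,
         rule_public_cmd_dropper, rule_rundll32_odd_module]


def evaluate(events: list) -> list:
    """Return (event Id, rule name) for every rule each event matches."""
    return [(e["Id"], rule.__name__[len("rule_"):]) for e in events for rule in RULES if rule(e)]


# Assumed export location; the GUID is a placeholder, not one observed in the campaign.
ONENOTE_EXPORT = r"C:\Users\u\AppData\Local\Temp\OneNote\16.0\Exported\{00000000-0000-0000-0000-000000000001}\NT\0"
SAMPLE_EVENTS = [  # constructed, modelled on Sysmon Event ID 1 fields; not real telemetry
    {"Id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": '"C:\\Windows\\System32\\mshta.exe" "' + ONENOTE_EXPORT + '\\Open.hta"'},
    {"Id": 2, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c "' + ONENOTE_EXPORT + '\\invoice.bat"'},
    {"Id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": ONENOTE_EXPORT + r"\invoice.bat.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": '"' + ONENOTE_EXPORT + '\\invoice.bat.exe" -noprofile -windowstyle hidden -command "placeholder"'},
    {"Id": 4, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell.exe -w hidden -c "& C:\Users\Public\aSUNY81.cmd arg1 arg2"'},
    {"Id": 5, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\01.png,Wind"},
    {"Id": 6, "ParentImage": r"C:\Windows\explorer.exe",   # benign: interactive PowerShell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"Id": 7, "ParentImage": r"C:\Windows\explorer.exe",   # benign: ordinary rundll32 use
     "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

The renamed-PowerShell rule is the one worth porting to production first: it keys on OriginalFileName, which comes from the binary's version resource and survives any rename, so it also covers the copy-to-new-name trick when the destination is outside the OneNote folder. The rundll32 rule will need tuning per environment; legitimate software does occasionally load modules from ProgramData.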

IOCs

SHA256 OneNote files:

8fc8a2b79cb0c0f8113993056e682cd9b56140781cad6bfeabfeac8e6df543e1

1d27ed598f1eab480f067c8920d8f9cd7f7da8b1833d0f58f75d2e2944589210

0a001cf1fd5f6d6994a1635f87493723ba6c6299b67fdf1569c341c87b8aeda1

SHA256 PE files:

b75aad495d0bff2f1b5a2b89a8df42a9257f1f01394c859f3ad2bb40d91607d3

a18402d77acd4d9c8b9ae637ffb8ef44b566c777902bb95d81a8cb6c23fec9e7

53a1cbccdb9988dca39ce32963a951b4f8b9d843db57c288195e1cd160bd7f17

Unavailability of these OneNote files on popular threat intelligence sharing portals such as VirusTotal and ReversingLabs at the time of analysis indicates their uniqueness and limited distribution:

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file:
