OneNote files are being used to deliver fileless backdoor

By

The SonicWall Capture Labs Research team is keeping an eye on malicious OneNote files since the last few weeks which are involved in delivering prevalent malware families including AgentTesla, AsyncRat and QakBot.  OneNote files are not commonly used by cybercriminals until recently. This is evident by the fact that SonicWall RTDMI detected this malicious OneNote file while it was missed by other security providers available on popular threat intelligence sharing portals at the time of analysis:

 

In previous variants, the malware was carrying the payloads with the OneNote file and hiding them behind an image. The victim is enforced using the image content, to click on the image which triggers the payload execution. But recently we have seen that instead of attaching payload in the OneNote files, the malware author putting an URL pointing to the payload. This change is made to stay undetected from the security vendors because the security vendors can trigger the detection based on the attached payload files. The OneNote file has no subject line and contains a hyperlink for a short URL “h[t][t]ps://rb.gy/zggy57” which says “Download from cloud”:

 

The short URL directs the request to h[t][t]p://myccc1.ddnsgeek.com/files/SCAN26022023.docs.zip which downloads an archive file:

 

The archive file contains a Windows Shortcut file (LNK) file which downloads and executes a batch script from an URL “http://myccc1.ddnsgeek.com/sched.php” to “%tmp%\1.cmd” using Client for URL (cURL) utility:

 

The batch script file registers a schedule task “wXlOKhHBDX” which runs every 2 minutes and deletes itself. The scheduled tasks executes a PowerShell script to further invoke a web hosted PowerShell script:

 

Backdoor

The PowerShell script is hosted on a URL “h[t][t]p://myccc1.ddnsgeek.com/rev.php” which is a backdoor which is obfuscated by aliasing the cmdlet with random names:

 

After replacing the random alias names with actual cmdlets and formatting the PowerShell script, it becomes readable. The script contains a function which accepts two argument a remote host URL and a port number. The PowerShell scripts executes in a while loop every 3 seconds and try to connect the remote host “myccc1.ddnsgeek.com” on port number “8448”, until the connection is established. The malware sends the username of the victim’s machine to the remote host and receives a PowerShell script. The malware executes the received PowerShell script, sends back the return value and waits for the next commands. At the time of analysis the remote host was sending a “echo <random_string>” which makes us an impression that either the malware author has identified the controlled environment execution or it has suspended it malicious activity for a while:

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.