The Rising Trend of OneNote Documents for Malware Delivery

Authored by Anandeshwar Unnikrishnan, Sakshi Jaiswal, Anuradha M
We observed a new malware campaign that used malicious OneNote documents to lure users into clicking an embedded file, which then downloads and executes the Qakbot trojan.
OneNote is a Microsoft digital notebook application that can be downloaded free of charge. It is a note-taking app that allows collaboration across organizations while letting users embed files and other artifacts. It is installed by default in Microsoft Office 2021 and Microsoft 365.
Malicious actors are always looking for new ways to infect their victims, such as their shift to LNK files after Microsoft introduced a policy change that disabled Office macros by default. Because OneNote lets users attach files to documents, OneNote documents make a good alternative to LNK files as a distribution vehicle for malware. This blog contains analysis of how OneNote documents are used maliciously and of two specific campaigns that used OneNote documents to download and execute the Qakbot malware.
OneNote Campaigns in the Wild
Figure 1 Campaign Heatmap
Figure 1 shows the geographic distribution of McAfee customers detecting malicious OneNote files.
Based on the telemetry from our endpoints we have identified the following threat families deployed via OneNote documents:

IcedID
Qakbot
RedLine
AsyncRat
Remcos
AgentTesla
QuasarRAT
XWORM
Netwire
Formbook
Doubleback 

Overview of Malicious OneNote Documents
A holistic view of the phishing campaigns that weaponize OneNote documents is shown in Figure 2 below. The malicious document is delivered to the target in either ZIP files or ISO images via phishing emails. We have observed that most of the malicious documents carry either a Windows batch script that invokes PowerShell to drop the malware on the system, or a Visual Basic script that does the same.
Figure 2 Campaign Overview
The generic theme of the email is invoice or legal related, since these themes are more likely to be opened by the victim. An example email body and attachment are shown in Figures 3 and 4.
Figure 3 Email Body
Figure 4 Attachment
A Deep Dive into the OneNote File Format
File Header
To understand how the data is laid out in the file, we need to examine it at the byte level. A close look at a OneNote document gives us an interesting observation: the magic bytes of the header are not trivial. Figure 5 shows the first 16 bytes of the document binary.
Figure 5 OneNote Header
The first 16 bytes must be interpreted as the GUID value {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}. We can use the official OneNote specification to make sense of all the bytes and their structure. Figure 6 shows the header information taken from the OneNote specification document.
Figure 6 OneNote Specification
The Data Stream in OneNote: Say Hello to FileDataStoreObject
To find the embedded data in a OneNote document, we need to learn more about the FileDataStoreObject, which has a GUID value of {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}. The structure that holds the data is shown below:

guidHeader
    Size: 16 bytes
    Value: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
cbLength
    Size: 8 bytes
    Value: Size of the data
unused
    Size: 4 bytes
reserved
    Size: 8 bytes
FileData
    Size: Variable
guidFooter
    Size: 16 bytes
    Value: {71FBA722-0F79-4A0B-BB13-899256426B24}

The FileData member of the FileDataStoreObject is the key member that holds the embedded data in the OneNote document. Its size can be retrieved from the cbLength member.
Figure 7 shows the "on disk" representation of the FileDataStoreObject. This is taken from a malicious OneNote document used to spread the Qakbot payload. The guidHeader for the data object is highlighted in yellow and the data is shown in purple. As is evident from the image, the data represents a text file which is a script to launch PowerShell.
Figure 7 Embedded data in Data object
For more information on the OneNote specification, see the References section.
Artifact Extraction
Now that we have an idea of what the data object is, we can use this knowledge to automate the extraction of embedded artifacts from a OneNote document for further analysis by following the algorithm below.

Search for the FileDataStoreObject GUID in the binary.
Interpret the FileDataStoreObject structure.
Retrieve the cbLength member (size of the data represented by the FileDataStoreObject).
Read N bytes (cbLength) after the 8 reserved bytes in the FileDataStoreObject.
Dump the bytes read to disk.
Repeat the above steps for every FileDataStoreObject present in the binary.
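As an added example (not code from the original post), here is a Python implementation of the extraction algorithm above: it matches the file header GUID, walks every FileDataStoreObject, reads cbLength bytes after the unused and reserved fields, and checks for the guidFooter. The sample document, the guess_type helper and the build_fdso wrapper are constructed here for the demonstration; the on-disk GUID byte order is assumed to match what uuid.bytes_le produces.

```python
import struct
import uuid
# GUIDs from the MS-ONESTORE spec; on disk they use the mixed-endian layout that uuid.bytes_le gives
ONENOTE_HEADER_GUID = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FDSO_HEADER_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER_GUID = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
# Fixed fields that follow guidHeader: cbLength (8 bytes, little-endian) + unused (4) + reserved (8)
FDSO_FIXED = struct.Struct("<Q4s8s")

def is_onenote(blob: bytes) -> bool:
    """Match the first 16 bytes against the OneNote file header GUID."""
    return blob[:16] == ONENOTE_HEADER_GUID

def guess_type(data: bytes) -> str:
    """Minimal magic-byte triage of an extracted artifact (helper assumed here, not from the spec)."""
    if data.startswith(b"MZ"):
        return "PE executable/DLL"
    if not data.isascii():
        return "binary"
    return "script/text" if all(c.isprintable() or c in "\r\n\t" for c in data.decode()) else "binary"

def extract_fdso(blob: bytes) -> list:
    """Walk every FileDataStoreObject in blob and return its FileData plus integrity flags."""
    found, pos = [], blob.find(FDSO_HEADER_GUID)
    while pos != -1:
        fixed_at = pos + 16
        if fixed_at + FDSO_FIXED.size > len(blob):
            break  # header GUID near EOF with no room for the fixed fields
        cb_length, _unused, _reserved = FDSO_FIXED.unpack_from(blob, fixed_at)
        data_at = fixed_at + FDSO_FIXED.size
        data = blob[data_at:data_at + cb_length]
        footer_at = data_at + cb_length
        found.append({"offset": pos, "length": cb_length, "data": data,
                      "truncated": len(data) != cb_length,  # cbLength ran past end of file
                      "footer_ok": blob[footer_at:footer_at + 16] == FDSO_FOOTER_GUID,
                      "type": guess_type(data)})
        pos = blob.find(FDSO_HEADER_GUID, pos + 16)
    return found

def build_fdso(data: bytes) -> bytes:
    # Wrap data in a FileDataStoreObject; only used to construct the sample document below
    return FDSO_HEADER_GUID + FDSO_FIXED.pack(len(data), b"\0" * 4, b"\0" * 8) + data + FDSO_FOOTER_GUID

# Constructed sample (not a real document): header GUID, filler, a benign batch script, a fake PE stub
SAMPLE_DOC = (ONENOTE_HEADER_GUID + b"\0" * 40
              + build_fdso(b"@echo off\r\nwhoami\r\n") + b"\0" * 13
              + build_fdso(b"MZ" + b"\x90" * 30))
```

Each returned record carries the offset, the declared length, the raw bytes and two integrity flags (a missing footer or a cbLength running past end of file marks a malformed object), so the caller can write the data to disk and triage it.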

Embedded Executable Objects in OneNote
Execution of Embedded Entities
Looking at the runtime characteristics of the OneNote desktop application, we have observed that when an embedded file is executed by the user, it is stored temporarily in the OneNote directory within the user's Temp location. Each directory named with a GUID value represents a different document opened in the OneNote application.
Figure 8 OneNote directory in Temp
By analyzing numerous malicious documents, we have been able to create a "test" OneNote document that executes a batch file containing the "whoami" command. The image in Figure 9 shows the batch file being created in the user's Temp location.
Figure 9 OneNote drops embedded artifacts in Temp directory
Qakbot Campaign 1:
This section contains specific details on a Qakbot campaign. In campaign 1, the malware author used phishing emails to deliver the malicious OneNote document either as an attachment or as a URL link to a ZIP file containing the OneNote document. The OneNote document contained an HTA file that, when executed, would use the curl utility to download Qakbot and then execute it.
Infection Flow:
Figure 10 Infection Chain

Spam email delivers a malicious OneNote file as an attachment or as a link to a ZIP file that contains a OneNote file.
The OneNote file contains an embedded HTA attachment and a fake message to lure users into executing the HTA file.
The HTA file uses the curl utility to download the Qakbot payload, which is then executed by rundll32.exe.

Technical Analysis:
The OneNote file with the embedded HTA file is shown in Figure 11. Once this OneNote file is opened, it prompts the user with a fake message to double-click Open to view the attachment.
Figure 11 OneNote Template
Upon clicking the Open button, it drops the HTA file with the name Open.hta into the %temp% folder and executes it using mshta.exe.
Figure 12 Dropped file in Temp location
The HTA file contains an obfuscated script as shown below:
Figure 13 Obfuscated HTA script
The HTA file is loaded by MSHTA and creates a registry key under HKEY_CURRENT_USER\SOFTWARE with obfuscated content as shown below:
Figure 14 Registry key creation

The obfuscated registry content is then read by MSHTA and de-obfuscated. The code is then initialized into a new function object as shown in Block 1.
Finally, MSHTA calls this function, passing the malicious URL as a parameter, and then deletes the registry key as shown in Block 2.

The de-obfuscated content of the HTA file is shown below:
Figure 15 De-obfuscated HTA content

Curl is used to download the malicious DLL file into the C:\ProgramData folder with a .png extension. The script then executes the downloaded file with rundll32.exe, calling the export function Wind.

Figure 16 Downloaded payload in ProgramData

A fake error message is displayed after loading the downloaded payload, and MSHTA is terminated.

Figure 17 Fake error message
Figure 18 shows the
Figure 18 Process Chain
IOCs:

Type | Value | Product | Detected
Campaign 1 – OneNote File | 88c24db6c7513f47496d2e4b81331af60a70cf8fb491540424d2a0be0b62f5ea | Total Protection and LiveSafe | VBS/Qakbot.a
Campaign 1 – HTA File | e85f2b92c0c2de054af2147505320e0ce955f08a2ff411a34dce69c28b11b4e4 | Total Protection and LiveSafe | VBS/Qakbot.b
Campaign 1 – DLL File | 15789B9b6f09ab7a498eebbe7c63b21a6a64356c20b7921e11e01cd7b1b495e3 | Total Protection and LiveSafe | Qakbot-FMZ

Campaign 2:
Examining Malicious OneNote Documents
The OneNote document for campaign 2 is shown in Figure 19. At first glance it appears that there is an 'Open' button embedded within the document. The message above the 'Open' button instructs the user to "double click" in order to download the attachment.
Figure 19 Malicious content
A closer look at the document reveals that the graphical elements are all images placed in a layered fashion by the malicious actor. By moving the icons aside, we can see the malicious batch file which, when executed, downloads the payload from the Internet and executes it on the target system.
Figure 20 Hidden malicious dropper script
Execution of Payload Dropper
Upon execution of the batch file, PowerShell is invoked; it fetches the Qakbot payload from the Internet and executes it on the target system. This section covers details of the dropper script used to deploy Qakbot. Figure 21 shows the process tree after execution of the script: powershell.exe was launched by cmd.exe, and the parent of cmd.exe is onenote.exe.
Figure 21 Process chain
The properties of the cmd.exe process (7176) are shown below.
Figure 22 Cmd.exe properties
The base64-decoded batch file is shown in Figure 23. It uses PowerShell to download the payload and then executes it with rundll32.exe.
Figure 23 Base64-decoded instructions in dropper
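The process chains described in both campaigns (onenote.exe spawning mshta.exe in campaign 1, and onenote.exe launching cmd.exe which launches powershell.exe in campaign 2), together with the drop directory under the user's Temp\OneNote folder, give defenders a detection opportunity. The following Python is added here and is not part of the original analysis; it runs that logic over constructed Sysmon-style process creation events, and the paths, PIDs and placeholder GUID are assumptions.

```python
import re
# Constructed Sysmon-style process creation events (sample telemetry, not from the page).
# The GUID path element is a placeholder for the per-document directory OneNote creates under Temp.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'"ONENOTE.EXE" C:\Users\alice\Downloads\invoice.one'},
    {"pid": 7176, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\alice\AppData\Local\Temp\OneNote\{PLACEHOLDER-GUID}\Open.cmd"'},
    {"pid": 7200, "ppid": 7176, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc <base64 elided>"},
    {"pid": 7300, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta "C:\Users\alice\AppData\Local\Temp\OneNote\{PLACEHOLDER-GUID}\Open.hta"'},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 401, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Script hosts seen in the two campaigns (cmd, PowerShell, mshta, rundll32) plus the usual extras
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
TEMP_ONENOTE = re.compile(r"\\AppData\\Local\\Temp\\OneNote\\", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def onenote_ancestor(event: dict, by_pid: dict, max_depth: int = 3):
    """Return the onenote.exe ancestor within max_depth parent hops, else None."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None or basename(cur["image"]) == "onenote.exe":
            return cur  # None when the chain ends without reaching onenote.exe
    return None

def detect(events: list) -> list:
    """Flag script hosts spawned under OneNote or handed a file from the OneNote Temp directory."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if name not in SCRIPT_HOSTS:
            continue
        reasons = []
        ancestor = onenote_ancestor(e, by_pid)
        if ancestor:
            reasons.append(f"onenote.exe ancestor (pid {ancestor['pid']})")
        if TEMP_ONENOTE.search(e["cmdline"]):
            reasons.append("argument under %TEMP%\\OneNote")
        if reasons:
            alerts.append({"pid": e["pid"], "image": name, "reasons": reasons})
    return alerts
```

The ancestor walk is what catches the campaign 2 chain, where powershell.exe is a grandchild of onenote.exe rather than a direct child; the unrelated cmd.exe under explorer.exe is left alone.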
IOCs:

Type | Value | Product | Detected
Campaign 2 – Zip File | 000fb3799a741d80156c512c792ce09b9c4fbd8db108d63f3fdb0194c122e2a1 | Total Protection and LiveSafe | VBS/Qakbot.a
Campaign 2 – OneNote File | 2bbfc13c80c7c6e77478ec38d499447288adc78a2e4b3f8da6223db9e3ac2d75 | Total Protection and LiveSafe | One/Downloader.a
Campaign 2 – Powershell File | b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424 | Total Protection and LiveSafe | PS/Agent.gs
Campaign 2 – OneNote File | a870d31caea7f6925f41b581b98c35b162738034d5d86c0c27c5a8d78404e860 | Total Protection and LiveSafe | VBS/Qakbot.a

Domains: 
starcomputadoras.com 
Conclusion:
Malware authors are getting more sophisticated when it comes to hiding their payloads. This blog highlights the recent Qakbot campaign that uses the OneNote application as a delivery mechanism for its payload. McAfee customers should keep their systems up to date and refrain from clicking links and opening attachments in suspicious emails to stay protected.
References:
https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/405b958b-4cb7-4bac-81cc-ce0184249670
https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/8806fd18-6735-4874-b111-227b83eaac26