OneNote: A Growing Threat for Malware Distribution

Microsoft OneNote is becoming a growing vector for malware delivery, as threat actors embed malicious payloads in OneNote documents distributed via phishing emails and other deceptive tactics. Across multiple case studies, attackers use obfuscation and scripting within OneNote to bypass detections and deploy RATs, bankers, and stealers, with some campaigns run through a Malware-as-a-Service (MaaS) ecosystem built around OneNote-based lures.
#OneNote #Qakbot

Keypoints

  • Threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails.
  • OneNote is installed by default in all Microsoft Office/365 installations, so malicious OneNote files open even on systems where users don’t actively use OneNote.
  • Microsoft disabled macros by default in July 2022, making macro-based distribution less reliable for attackers.
  • OneNote documents can embed malicious code much like macro/VBA documents and can run scripts (CHM, HTA, JS, WSF, VBS) with multi-layer obfuscation to bypass detections.
  • Attackers can execute MSHTA, WSCRIPT, and CSCRIPT from within OneNote, expanding execution paths and evading security controls.
  • Case studies show distribution of AsyncRAT, Quasar RAT, NetWire, Xworm, IcedID, Qakbot, and Redline via OneNote, with some campaigns hosted on a Malware-as-a-Service ecosystem (NET_PA1N Reborn).
  • Zscaler ThreatLabz notes tools like OneNoteAnalyzer help investigators analyze suspicious OneNote artifacts.

MITRE Techniques

  • [T1566] Phishing – Threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails. [‘Threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails.’]
  • [T1204] User Execution – The OneNote approach deceives a user into executing malware on their systems via OneNote. [‘deceives a user into running malware on their systems via OneNote.’]
  • [T1059] Command and Scripting Interpreter – OneNote can embed script types and execute them (CHM, HTA, JS, WSF, VBS). [‘OneNote Document can run the following types of scripts CHM, HTA, JS, WSF, and VBS.’]
  • [T1059.001] PowerShell – The PowerShell code associated with the OneNote payload was obfuscated; researchers manually pretty-printed and deobfuscated it to reveal the final payload. [‘The Powershell code associated with it was obfuscated and difficult to comprehend, so researchers manually pretty print to deobfuscate and reformat the file…’]
  • [T1218.005] System Binary Proxy Execution: Mshta – MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote. [‘MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote’]
  • [T1112] Modify Registry – VBScript creates a registry key and stores the deobfuscated data in it. [‘VBScript creates a registry key and stores the deobfuscated data in it.’]
  • [T1204] User Execution – The OneNote-based infection for IcedID involves a deceptive link and prompts user interaction to view content. [‘deceives the user into double-clicking to view it, thereby initiating the IcedID infection process.’]
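A defender-side illustration of the execution paths listed above (OneNote launching MSHTA, WSCRIPT or CSCRIPT, and the CHM/HTA/JS/WSF/VBS script types a OneNote document can carry): an added Python example, not code from the Zscaler post, that scans process-creation events for those patterns. The events use Sysmon-style field names (Image, ParentImage, CommandLine) and are constructed here for the example; the paths and file names in them are not indicators from the post.

```python
import json
import ntpath

# Interpreters the post says can be executed from within OneNote, plus
# cmd.exe/powershell.exe as the usual next hop in such chains (assumption).
SUSPICIOUS_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe",
                       "powershell.exe", "cmd.exe"}
# Script types the post says a OneNote document can embed and run.
SCRIPT_EXTENSIONS = (".chm", ".hta", ".js", ".wsf", ".vbs")

# Constructed Sysmon-style process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"ONENOTE.EXE\" C:\\Users\\u\\Downloads\\PaymentAdv.one"}
{"Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "CommandLine": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\open.vbs"}
{"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "CommandLine": "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\launch.hta"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "CommandLine": "cmd.exe /c zoo1.bat"}
"""


def basename(path):
    """Lower-cased final component of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent == "onenote.exe":
        if child in SUSPICIOUS_CHILDREN:
            reasons.append(f"onenote.exe spawned {child}")
        # Any argument ending in one of the embeddable script extensions.
        if any(tok.rstrip("\"'").endswith(SCRIPT_EXTENSIONS) for tok in cmdline.split()):
            reasons.append("onenote.exe child references an embedded script type")
    return reasons


def scan(jsonl):
    """Parse JSON-lines events and return (child image, reasons) for each hit."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append((basename(event["Image"]), reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

In practice the same lineage rule (parent onenote.exe, child in the interpreter set) maps directly onto an EDR or SIEM process-creation query; the extension check adds coverage when the interpreter is renamed or proxied.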

Indicators of Compromise

  • [MD5] Case Study-1 – e9f0dbbd19ef972dd2fc163a4b34eae1, 19905a73840430e28c484b97546225c6, and 2 more hashes
  • [MD5] Case Study-2 – 5139af509129641b1d29edd19c436b54, 6b1e64957316e65198e3a1f747402bd6, and 4 more hashes
  • [MD5] Case Study-3 – 973e87ec99502aac9a12f987748a812a, 39f3c510f46d605202844e35c07db84b, and 3 more hashes
  • [Network Indicators] Case Studies – http://helthbrotthersg[.]com/view.png, https://transfer[.]sh/get/vpiHmi/invoice.pdf, and 4 more indicators
  • [File Name] Case Studies – PaymentAdv.one; zoo1.bat; zoo1.bat.exe; and 1 more

Read more: https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution