Microsoft OneNote is increasingly used as a carrier to deliver malware via phishing attachments, exploiting benign file formats to bypass defenses. The piece traces its evolution, highlights sample campaigns and loader stages, and outlines layered defenses organizations can deploy. #Qakbot #OneNote
Key points
- OneNote is increasingly used as a threat carrier, with attackers delivering weaponized content through OneNote attachments in phishing emails.
- The trend builds on the idea that OneNote is a low-risk, benign-looking file type that can bypass defenses and enable delivery of malicious payloads.
- Early observations date back to 2022, with Trustwave noting FormBook using OneNote carriers and a wave of OneNote abuse continuing through late 2022 and into 2023.
- Threats observed delivering via OneNote include multiple loader platforms and malware families, such as Qakbot and IcedID, across campaigns and delivery chains.
- OneNote campaigns have leveraged hosting infrastructure (e.g., 77.91.122.13, linked to STARK-INDUSTRIES) that is part of a broader crimeware ecosystem.
- Defensive guidance emphasizes user education, updating protections, blocking/quarantining OneNote deliveries, and deploying layered detection/response tooling (e.g., File Detection and Response with ML and YARA).
MITRE Techniques
- [T1566.001] Phishing – Present a believable lure, convincing the user to open an attached file from a trusted service. “Present a believable lure, convincing the user to open an attached file from a trusted service.”
- [T1204.002] User Execution – The embedded payload is invoked when the user double-clicks the hidden file, which prompts the user for confirmation and then executes the script. “The embedded payload is often some form of executable content, ranging from direct EXE files to batch scripts, HTA files, VBS scripts, or WSF script files.”
- [T1105] Ingress Tool Transfer – A batch script fetches the payload DLL from a remote site using PowerShell and runs it with rundll32.exe; the page describes this download/execution chain as the loader path. “batch script to fetch the payload DLL from a remote site using PowerShell and invoked using rundll32.exe.”
- [T1059.001] PowerShell – Used to fetch the payload DLL from a remote site. “batch script to fetch the payload DLL from a remote site using PowerShell…”
Indicators of Compromise
- [IP] Hosting infrastructure used by campaigns – 77.91.122.13, context: part of a bulletproof hosting ecosystem associated with multiple threats
- [Hash] File hash – 660870c3f3e8ff105e5cc06b3b3d04436118fc67533c93d0df56bde359e335d0
- [URL] Public tooling/resources referenced – https://github.com/InQuest/malware-samples/tree/master/2023-02-OneNote, https://github.com/InQuest/yara-rules-vt/blob/main/Microsoft_OneNote_with_Suspicious_String.yar
- [File Extension] Known OneNote formats – .one, .onepkg, .onetoc2
- [GUID] OneNote file format signatures – {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
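The two GUIDs above are what a defender can key on: the first is the .one file header, the second marks each embedded FileDataStoreObject that wraps an attached file. The scanner below is an added example, not code from the original article or from InQuest's tooling; it extracts every embedded object and flags content matching the payload types the loader-chain section lists (EXE, batch, HTA/VBS, WSF, PowerShell, rundll32). The object layout (header GUID, 8-byte little-endian length, 12 bytes unused/reserved, then the file data) is assumed from the MS-ONESTORE specification, and the sample file is constructed inline.

```python
import uuid
from typing import List, Tuple

# GUIDs from the page; on disk they are stored little-endian.
ONE_FILE_HEADER = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
EMBEDDED_OBJ_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
# Assumed FileDataStoreObject layout (MS-ONESTORE):
# guidHeader(16) + cbLength(8, uint64 LE) + unused(4) + reserved(8) + FileData
OBJ_HEADER_LEN = 16 + 8 + 4 + 8

# Content markers for the payload types named on the page. The object does not
# store a filename, so detection has to be content-based, not extension-based.
SUSPICIOUS_MARKERS = {
    "pe_executable": b"MZ",
    "batch_script": b"@echo off",
    "hta_or_script_tag": b"<script",
    "wsf_job": b"<job",
    "wscript_shell": b"WScript.Shell",
    "powershell_invocation": b"powershell",
    "rundll32_invocation": b"rundll32",
}

def extract_embedded_files(data: bytes) -> List[bytes]:
    """Return the FileData blob of every FileDataStoreObject in a .one file."""
    blobs = []
    pos = data.find(EMBEDDED_OBJ_HEADER)
    while pos != -1:
        length = int.from_bytes(data[pos + 16:pos + 24], "little")
        start = pos + OBJ_HEADER_LEN
        blobs.append(data[start:start + length])
        pos = data.find(EMBEDDED_OBJ_HEADER, start + length)
    return blobs

def scan_onenote(data: bytes) -> List[Tuple[int, List[str]]]:
    """Return (index, [matched marker names]) for each embedded file."""
    if not data.startswith(ONE_FILE_HEADER):
        raise ValueError("not a OneNote .one file (header GUID mismatch)")
    findings = []
    for i, blob in enumerate(extract_embedded_files(data)):
        low = blob.lower()
        findings.append((i, [n for n, m in SUSPICIOUS_MARKERS.items() if m.lower() in low]))
    return findings

def build_sample() -> bytes:
    """Constructed sample: minimal .one header plus one embedded batch loader stub."""
    payload = b"@echo off\r\npowershell -c \"<fetch payload dll>\"\r\nrundll32 p.dll,Start\r\n"
    obj = EMBEDDED_OBJ_HEADER + len(payload).to_bytes(8, "little") + b"\x00" * 12 + payload
    return ONE_FILE_HEADER + b"\x00" * 64 + obj

if __name__ == "__main__":
    for idx, hits in scan_onenote(build_sample()):
        print(f"embedded file #{idx}: {', '.join(hits) or 'no suspicious markers'}")
```

Real campaigns pad or obfuscate the script body, so treat the marker list as a starting point alongside the YARA rule the page links rather than a complete detector.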