Rapid7 observes use of Microsoft OneNote to spread Redline Infostealer | Rapid7 Blog

Rapid7 observed attackers using Microsoft OneNote to deliver base64-encoded payloads that decrypt to Redline Infostealer or AsyncRat, via a multi-stage chain starting with a phishing OneNote attachment. The analysis details how a hidden batch script launches a renamed PowerShell process to decrypt and execute a payload, leading to a final Redline Infostealer infection. #RedlineInfostealer #AsyncRat #OneNote

Keypoints

  • Phishing email delivered a OneNote file that presented a deceptive “Double Click to View File” button to trigger hidden shortcuts to a batch script.
  • Batch script nudm1.bat executes in the background, reading base64 data and decrypting it with AES to produce a payload executable.
  • The decrypted payload is a 32-bit .NET executable that loads into memory and culminates in the Redline Infostealer or AsyncRat payloads.
  • Redline Infostealer capability includes stealing cryptocurrency wallet data, Discord data, and web browser data including cookies.
  • Qakbot also leverages OneNote embeddings (Open.cmd) to decode base64 content, download additional payloads, and execute via rundll32.
  • Rapid7 detects related behaviors and provides a OneNote embedded-file parser for Velociraptor to help detect similar payloads.
  • IOCs and MITRE mappings illustrate a multi-stage execution chain from initial access to C2, with several defensive mitigations proposed.

MITRE Techniques

  • [T1566.001] Phishing – Initial access came from a OneNote file attached to a phishing email. “The attack vector began when a user was sent a OneNote file via a phishing email.”
  • [T1059.003] Windows Command Shell – The batch script nudm1.bat executed in the background, using batch scripting to drive the payload. “the batch script nudm1.bat executed in the background without the user’s knowledge.”
  • [T1059.001] PowerShell – A PowerShell script was printed to the console after deobfuscation and executed from a renamed PowerShell binary. “piped the deobfuscated result to a text file. The text file contained a PowerShell script”
  • [T1027] Obfuscated/Compressed Files and Information – The batch script contained a large section of base64-encoded data that would be decoded. “Near the middle of the script, we observed a large section of base64 encoded data”
  • [T1055] Process Injection – The decrypted and decompressed payload was reflectively loaded into memory. “Reflectively loaded the decrypted and decompressed contents into memory”
  • [T1059.001] PowerShell – Also used in the Qakbot/Open.cmd chain, where PowerShell decodes content and fetches the next stage. The “Invoke-WebRequest” download step is described in the Qakbot section.
  • [T1105] Ingress Tool Transfer – The Qakbot/Open.cmd chain downloads a file from a URL using PowerShell Invoke-WebRequest. “Download a file from URL … using PowerShell Invoke-WebRequest”
  • [T1071] Command and Control – The Redline payload's C2 configuration lives in the loaded DLL: decrypting one of its resources yielded a large list of IP addresses. “decrypted the resource COMPONENT-08 … extracted over 100 IP addresses”
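Two of the behaviours mapped above are cheap to detect from process-creation telemetry: OneNote spawning a command shell (T1059.003) and PowerShell running under a renamed image such as `nudm1.bat.exe` (T1059.001). The example below is added here and is not Rapid7's detection logic; it runs two such rules over a handful of constructed Sysmon Event ID 1-style records (field names `Image`, `ParentImage`, `OriginalFileName` and `CommandLine` are the ones Sysmon emits; the paths, PIDs and command lines are made up for the demo).

```python
"""Two detection rules over Sysmon-style process-creation events.

Added example, not Rapid7's or Microsoft's code. Events are constructed dicts
mirroring Sysmon Event ID 1 fields; feed real events in the same shape.
"""
import ntpath

OFFICE_LURE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Image names under which PowerShell legitimately runs.
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path or "").lower()


def rule_office_spawns_shell(ev: dict):
    """OneNote (or another Office app) launching a scripting host or shell."""
    if basename(ev.get("ParentImage")) in OFFICE_LURE_PARENTS and basename(ev.get("Image")) in SHELLS:
        return f"office-app {basename(ev['ParentImage'])} spawned {basename(ev['Image'])}"
    return None


def rule_renamed_powershell(ev: dict):
    """PE whose version resource says PowerShell but whose file name does not."""
    original = (ev.get("OriginalFileName") or "").lower()
    image = basename(ev.get("Image"))
    if original in POWERSHELL_IMAGES and image not in POWERSHELL_IMAGES:
        return f"renamed PowerShell: {ev['Image']} (OriginalFileName={ev['OriginalFileName']})"
    return None


RULES = (rule_office_spawns_shell, rule_renamed_powershell)


def evaluate(events: list) -> list:
    """Return (ProcessId, message) for every rule hit; a single event may hit several."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev.get("ProcessId"), msg))
    return hits


# Constructed telemetry for the demo; these are not real hosts, PIDs or paths from the report.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "OneNote.exe",
     "CommandLine": r'"ONENOTE.EXE" "C:\Users\u\Downloads\Rem Adv.one"'},
    {"ProcessId": 4388, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "OriginalFileName": "Cmd.Exe", "CommandLine": r'cmd /c "C:\Users\u\AppData\Local\Temp\nudm1.bat"'},
    {"ProcessId": 4512, "Image": r"C:\Users\u\AppData\Local\Temp\nudm1.bat.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"nudm1.bat.exe -noprofile -windowstyle hidden -command ..."},
    {"ProcessId": 5002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Get-Process"},  # benign: name and OriginalFileName agree
]


if __name__ == "__main__":
    for pid, msg in evaluate(SAMPLE_EVENTS):
        print(f"[ALERT] pid={pid} {msg}")
```

The renamed-binary rule depends on `OriginalFileName`, which Sysmon populates from the PE version resource; an actor who also strips that resource would evade it, so pair it with the parent/child rule and with the file-hash IOCs rather than relying on either alone.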

Indicators of Compromise

  • [Filename] Nudm1.bat, Footstools.exe, tmpFBF7.tmp, Rem Adv.one – SHA1 hashes listed in IOCs
  • [IP Address] 172.245.45[.]213 – Base64-decrypted IP used by Redline Infostealer
  • [Filename] Putty.jpg, comrepl.dll, Document.One – associated with the Qakbot/Open.cmd chain
  • [Domain] starcomputadoras[.]com – hosts downloaded payload from Open.cmd chain
  • [Filename] Nudm1.bat.exe – renamed PowerShell binary used in the chain

Read more: https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/