Trojanized OneNote Document Leads to Formbook Malware | Trustwave

Trustwave SpiderLabs uncovered threat actors using a OneNote attachment to deliver Formbook malware via a Windows Script File overlay. The attack chain activates when users view the lure and PowerShell downloads and runs the Formbook payload from a remote host. #Formbook #OneNote #Trustwave #SpiderLabs #PowerShell

Keypoints

  • OneNote (.one) attachments are used in phishing emails to deliver Formbook malware.
  • An image lure is displayed in the OneNote file; clicking the lure triggers a security warning, and execution follows if the user accepts it.
  • The WSF (Windows Script File) segment is disguised with deception, including a right-to-left override in the filename.
  • The WSF launches PowerShell commands to download and execute payloads from a remote host.
  • A decoy file (pdf172.one) is downloaded first to hide the real payload (DT6832.exe), which is saved as system32.exe in %temp%.
  • Formbook can steal data from browsers and other applications, and includes keylogging and screen capture capabilities.
  • Mitigation includes blocking or flagging inbound .one attachments and Trustwave MailMarshal adding heuristics for this attachment.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The OneNote attachment delivered via spam email carries the WSF payload. “One file type that caught our eye on December 6, 2022, was the aforementioned OneNote attachment, with a .one extension attached to a spam email in our telemetry system.”
  • [T1059.001] PowerShell – The WSF file launches PowerShell commands to download and execute two files from a remote host. “The WSF embedded in the OneNote file launches ‘PowerShell’ commands to download and execute two files from a0745450[.]xsph[.]ru.”
  • [T1105] Ingress Tool Transfer – The PowerShell commands download and execute files from a remote server. “download and execute two files from a0745450[.]xsph[.]ru.”
  • [T1204] User Execution – The user clicks the lure and proceeds, triggering malware execution. “When the user goes against the warning and clicks ‘OK,’ the malicious behavior of the file will start to manifest.”
  • [T1036] Masquerading – The WSF filename uses a right-to-left override to disguise as something else. “The filename contains a right-to-left override character (U+202E) after ‘invoice’, which causes the text that follows to be displayed in reverse.”
  • [T1555.003] Credentials in Web Browsers – Formbook can steal data from browsers and other applications. “Formbook malware can steal data from various web browsers and from other applications.”
  • [T1113] Screen Capture – Formbook can take screenshots. “This malware also has keylogging functionality and can take screenshots.”
  • [T1056.001] Keylogging – Formbook includes keylogging capability. “This malware also has keylogging functionality.”
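The two tell-tale signs described above, the right-to-left override in the embedded filename and file data hidden inside the .one container, can both be checked at the mail gateway or in a sandbox before a user ever opens the attachment. The script below is an added example for this summary, not Trustwave's or MailMarshal's code. It reveals what a filename containing U+202E would display as versus its real extension, and it walks a OneNote file for embedded file objects using the FileDataStoreObject header and footer GUIDs defined in Microsoft's MS-ONESTORE specification; the sample filename and the .one-like byte blob are constructed for the demo.

```python
"""Defensive triage for inbound OneNote (.one) attachments (added example).

Check 1: expose filenames that use a bidi override (U+202E) to mask the
         real extension, as in the 'invoice' WSF name described on the page.
Check 2: locate FileDataStoreObject blocks inside a .one file and classify
         the embedded data (image lure vs. script vs. executable).
"""
import struct

# Bidi control characters commonly abused to hide an extension.
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}

# MS-ONESTORE FileDataStoreObject GUIDs, serialized as they appear on disk:
#   guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
#   guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# Layout: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData guidFooter(16)
FILE_DATA_PREFIX = 16 + 8 + 4 + 8


def rendered_name(name: str) -> str:
    """Approximate what a file manager shows: text after U+202E is reversed."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def check_filename(name: str) -> dict:
    """Compare the real extension with the displayed one and flag .one files."""
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    shown = "".join(c for c in rendered_name(name) if c not in BIDI_OVERRIDES)
    overrides = [f"U+{ord(c):04X}" for c in name if c in BIDI_OVERRIDES]
    return {
        "real_extension": real_ext,
        "displayed_as": shown,
        "bidi_overrides": overrides,
        "suspicious": bool(overrides) or real_ext == "one",
    }


def extract_embedded_files(blob: bytes) -> list:
    """Return (offset, length, data) for every FileDataStoreObject in blob."""
    found = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FILE_DATA_PREFIX
        found.append((pos, length, blob[start:start + length]))
        pos = blob.find(FILE_DATA_HEADER, start + length)
    return found


SCRIPT_MARKERS = (b"<job", b"<script", b"powershell", b"wscript", b"cscript")


def classify(data: bytes) -> str:
    """Coarse content type for an embedded object."""
    low = data.lower()
    if low.startswith(b"mz"):
        return "pe executable"
    if low.startswith(b"\x89png") or low.startswith(b"\xff\xd8"):
        return "image"
    if any(m in low for m in SCRIPT_MARKERS):
        return "script (WSF/VBS/JS/PowerShell)"
    return "unknown"


def triage_onenote(blob: bytes) -> list:
    """Summarise every embedded object; anything non-image deserves a look."""
    return [{"offset": off, "length": ln, "kind": classify(d)}
            for off, ln, d in extract_embedded_files(blob)]


def build_sample() -> bytes:
    """Constructed .one-like blob: a PNG lure image followed by a WSF stub."""
    def obj(data: bytes) -> bytes:
        return (FILE_DATA_HEADER + struct.pack("<QI", len(data), 0)
                + b"\0" * 8 + data + FILE_DATA_FOOTER)
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 16
    wsf = b'<job id="x"><script language="VBScript">\' stub</script></job>'
    return b"\0" * 64 + obj(png) + b"\0" * 32 + obj(wsf)


if __name__ == "__main__":
    print(check_filename("invoice\u202efdp.wsf"))   # constructed sample name
    for entry in triage_onenote(build_sample()):
        print(entry)
```

Run it against a real attachment by replacing `build_sample()` with the bytes of the .one file; a result containing a script or executable object, or a filename whose displayed extension differs from its real one, is exactly the pattern this campaign relied on, and a gateway rule that quarantines inbound .one attachments outright (the mitigation the page recommends) removes the need to parse the container at all.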

Indicators of Compromise

  • [File hash] 81bd8c431811f83f335735847d42fb4f64f80960 – pdf172.one decoy OneNote file
  • [File hash] d5ee9183be486bf153d7666ca4301e600ea06087 – DT6832.exe payload
  • [File hash] 33d8fb75f471bdc4ebaff053e87146721f32667a – INVESTMENT.one decoy
  • [URL] a0745450[.]xsph[.]ru/DT6832[.]exe – payload download
  • [URL] a0745450[.]xsph[.]ru/INVESTEMENT[.]one – decoy/attachment
  • [File name] pdf172.one – decoy OneNote file
  • [File name] INVESTMENT.one – decoy OneNote file

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/