Microsoft OneNote Files to Orchestrate Cyber Attacks

Hackers have been found leveraging Microsoft OneNote files as a vector to compromise systems across various industries.

The campaign, under the radar of cybersecurity experts, showcases a new trend in cyber threats, exploiting commonly used office applications to gain unauthorized access to corporate networks.

The Campaign Unveiled

The malicious campaign was first documented by pr0xylife on their GitHub repository. It revealed a widespread email phishing operation targeting companies in Manufacturing, Technology, Energy, Retail, Insurance, and several other sectors.

The emails contained OneNote attachments purporting to be “secure messages,” a guise to trick recipients into opening the files.

Document

Download Free CISO’s Guide to Avoiding the Next Breach

Are you from The Team of SOC, Network Security, or Security Manager or CSO? Download Perimeter’s Guide to how cloud-based, converged network security improves security and reduces TCO.

  • Understand the importance of a zero trust strategy
  • Complete Network security Checklist
  • See why relying on a legacy VPN is no longer a viable security strategy
  • Get suggestions on how to present the move to a cloud-based network security solution
  • Explore the advantages of converged network security over legacy approaches
  • Discover the tools and technologies that maximize network security

Adapt to the changing threat landscape effortlessly with Perimeter 81’s cloud-based, unified network security platform.

Proofpoint Threat Research highlighted the campaign’s relatively low volume, with fewer than a thousand messages observed over two days, as reported by Thedfirreport.

However, the broad targeting across unrelated industries underscores the threat actors’ intent to cast a wide net, hoping to snag unsuspecting victims.

Execution and Initial Access

The attack begins with the victim receiving an email containing a OneNote file.

Upon opening, this file presents a large “Open” button behind which lies a Windows batch file named “O p e n.cmd.”

Once executed, this file leverages PowerShell to download an IcedID DLL disguised as a JPG file. This DLL then connects to command and control servers, signaling the system’s successful compromise.

OneNote Phishing Email
OneNote Phishing Email

The simplicity of the initial access vector, coupled with the use of a non-sophisticated OneNote file, highlights the attackers’ reliance on social engineering rather than technical sophistication to breach corporate defenses.

Cobalt Strike Beacon and Persistence

The intrusion doesn’t stop at the initial breach.

On the 33rd day of the intrusion, the IcedID malware facilitated the execution of Cobalt Strike beacons, a testament to the attackers’ patience and persistence.

The IcedID malware was observed dropping several files
The IcedID malware was observed dropping several files

Cobalt Strike, a legitimate tool used by cybersecurity professionals, has been co-opted by hackers for malicious purposes, allowing them to maintain a foothold within the compromised network.

The campaign also demonstrated a method for achieving persistence by creating scheduled tasks and installing AnyDesk, a remote desktop software.

During the deployment of AnyDesk, a service creation event was generated under the System channel
During the deployment of AnyDesk, a service creation event was generated under the System channel

This allowed the attackers to return to the compromised system at will, further entrenching their presence within the victim’s network.

Defense Evasion and Privilege Escalation

The attackers employed various techniques to evade detection, including masquerading the malware DLL as a standard image file type and using standard Windows process names for their malicious payloads.

The earliest indicators that something suspicious occurred were the Sysmon events
The earliest indicators that something suspicious occurred were the Sysmon events

Additionally, the initial compromise was facilitated through an account in the domain administrators’ security group, bypassing the need for privilege escalation.

Exfiltration and Impact

The campaign’s ultimate goal appears to have been data exfiltration and ransomware deployment.

Threat actors were so kind to use the sponsored version, to bring some additional PUPs as well
Threat actors were so kind to use the sponsored version, to bring some additional PUPs as well

The attackers prepared for exfiltration by installing FileZilla on the compromised server and later deployed Nokoyawa ransomware, encrypting files and demanding a ransom for their release.

Nokoyawa.

If you see this, your files have been successfully encrypted and stolen.

Don't try to search free decryption method.

It's impossible.

We are using symmetrical and asymmetric encryption.

ATTENTION:

        - Don't rename encrypted files.

        - Don't change encrypted files.

        - Don't use third-party software.

You are risking irreversibly damaging the file by doing this.

If you manage to keep things quiet on your end, this will never be known to the public.

To reach an agreement you have 48 hours to visit our Onion Website.

How to open Onion links:

        - Download the TOR Browser from the official website.

        - Open and enter this link:

               http://nokopay<REDACTED>

        - On the page, you will see a chat with the Support.

        - Send your first message.

Don't waste your time.

Otherwise, all your valuable and sensitive data will be leaked.

Our websites are full of companies that doubted the fact of the data breach or its extent.

        - http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion/

        - http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion/

        - http://snatchteam.top

This campaign underscores the evolving landscape of cyber threats, where attackers exploit the trust in commonly used applications to bypass traditional security measures.

The use of Microsoft OneNote files to deliver malware represents a shift towards more creative attack vectors, necessitating a reevaluation of cybersecurity strategies to protect against such threats.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *