www.zscaler.com
2606:4700::6812:1d4a
Public Scan
URL:
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Submission: On March 08 via api from DE — Scanned from DE
INSIGHTS AND RESEARCH
March 01, 2023

ONENOTE: A GROWING THREAT FOR MALWARE DISTRIBUTION

Attackers are increasingly using OneNote documents to distribute malware, due to the heightened security measures against macro-based attacks and the widespread adoption and popularity of the platform. Analyzing several related case studies, this article showcases the obfuscation techniques used by threat actors to bypass threat detection measures and deceive users into executing malware on their systems via OneNote.

KEY TAKEAWAYS:

* Threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails.
* OneNote is installed by default in all Microsoft Office/365 installations. Even if a Windows user never uses the application, the file format can still be opened, which makes it easy to deceive a user into running a malicious OneNote document.
* Previously, threat actors targeted users with malicious macro-enabled documents, but in July 2022 Microsoft disabled macros by default on all Office applications, making this approach unreliable for distributing malware.
* The advantage of OneNote documents is that they can embed malicious code similar to that of macro/VBA Office documents with less detection.
* MSHTA, WSCRIPT, and CSCRIPT can also be executed from within OneNote, and attackers can apply multi-layer obfuscation to these scripts to bypass threat detection.
* A OneNote document can run the following types of scripts: CHM, HTA, JS, WSF, and VBS.
* ThreatLabz detected various types of malware distributed through OneNote documents, including bankers, stealers, and RATs (Remote Access Trojans).

WHY ONENOTE?

Attackers have shifted from using traditional macro-based attacks to using Microsoft OneNote as a delivery mechanism for malware. OneNote has become an increasingly attractive vector for attackers due to its popularity, wider reach, lack of awareness and security measures, and ability to integrate with other Microsoft products. Attackers use OneNote to deliver malicious payloads by obfuscating the content and exploiting the trusted application status of OneNote. Specific reasons for this shift include:

1. Increased Security Measures: Due to the growing awareness of macro-based attacks, many organizations have been implementing security measures to prevent such attacks. As a result, it has become more challenging for attackers to deliver malware through these attacks. Furthermore, in July 2022, Microsoft disabled macros by default on all Office applications, rendering this approach unreliable for malware distribution.

2. OneNote's Popularity and Wider Reach: OneNote's popularity as a widely used note-taking application and its ability to embed different types of content make it a useful tool for attackers to distribute malware.
It is pre-installed in all Microsoft Office/365 installations, meaning that even if a Windows user does not use the application, the file format is still available for malicious OneNote documents to deceive a user into running them.

3. Lack of Awareness and Security Measures: Exploits in Microsoft OneNote are not as well-known as macro-based attacks, which often leads to organizations not having sufficient security measures to prevent these types of attacks.

4. Evasion Techniques: Although the "Mark of the Web" is a Windows security feature that protects users from potentially harmful content downloaded from the internet, OneNote does not propagate this feature to its attachments. This allows attackers to embed unsigned executables or macro-enabled documents without triggering Microsoft's recent security restrictions.

5. Trusted Application and Microsoft Integrations: Because OneNote is a trusted application, users may be more inclined to interact with files from this application than with other types of attachments or links. Additionally, OneNote can be integrated with other Microsoft products such as Office and OneDrive, which makes it easier for attackers to spread malware through these products as well.

To detect and mitigate these attacks, organizations must implement security measures to detect malicious content and malicious payloads, as well as leverage tools like OneNoteAnalyzer, a valuable resource developed by ThreatLabz researcher Niraj to streamline and expedite the analysis of suspicious artifacts in OneNote documents.

Fig.1 - Open source OneNoteAnalyzer tool developed by a ThreatLabz researcher

CASE STUDY-1: RAT

Starting in December 2022, attackers have been using OneNote files to distribute Remote Access Trojans (RATs) such as AsyncRAT, Quasar RAT, NetWire, and Xworm. These RATs use complex obfuscation techniques with OneNote files in order to evade detection by security software.
During the course of the investigation, researchers found the file containing the malicious payload disguised under the misleading name "PaymentAdv.one".

Fig.2 - OneNote phishing document

After analyzing the file with OneNoteAnalyzer, researchers uncovered that the attack was carried out by dropping and executing a batch file called "zoo1.bat".

Fig.3 - Malicious files extracted from OneNote document

The batch file was obfuscated and contained an encrypted blob at the start, followed by heavily obfuscated PowerShell code.

Fig.4 - Obfuscated batch file

By removing the "@echo off" line and adding "echo" to the start of each line in the batch file, researchers were able to decode the file's activities and log the output, as shown in the screenshot below.

Fig.5 - Commands executed by "zoo1.bat.exe"

The log indicated that the batch file had copied and disguised the malicious program as "zoo1.bat.exe" in an attempt to hide its activities. The PowerShell code associated with it was obfuscated and difficult to comprehend, so researchers manually pretty-printed and deobfuscated the file, making it more readable as demonstrated in the screenshot below.

Fig.6 - Obfuscated PowerShell code in readable format

After deobfuscation, researchers discovered that the script used base64 encoding to split the encrypted blob seen in the initial batch file into its actual data, AES key, and index using the backslash character. With these values, the script was able to decrypt the data and decompress it with gzip to reveal the final executable.

Fig.7 - AES Key and IV identified in the blob

Now let's cook the above recipe in CyberChef and check what it produces:

Fig.8 - Decrypted payload extracted using CyberChef

Similarly, we can decode the second blob, which also yields a Portable Executable (PE) file.
Fig.9 - AgileDotNet Packed AsyncRAT Payload

The resulting file is a .NET file packed with AgileDotNet, which was revealed to contain a malicious AsyncRAT payload after deobfuscating and unpacking it with de4dot, the .NET deobfuscation tool available in Kali Linux.

CASE STUDY-2: BANKER

Starting in January 2023, Qakbot began experimenting with OneNote files as a vector to deliver malware. Researchers subsequently observed IcedID doing the same, using OneNote files with embedded HTML applications (HTA files with the .hta extension). The following figure illustrates how IcedID's OneNote malspam (malware spam) is distributed and executed.

Fig.10 - IcedID Attack Chain & execution flow.

The phishing email from the attacker includes an attachment named "unpaid_4178-February-03.one", which is a OneNote file containing a fake Microsoft 365 page. The page appears to contain a cloud attachment and deceives the user into double-clicking to view it, thereby initiating the IcedID infection process.

Fig.11 - Fake MS 365 page.

When the user clicks the "View" button within the OneNote attachment, an .hta file is silently dropped into the Temp directory of the compromised system without any notification. This action triggers the download of both the IcedID malware payload and a decoy PDF file called "invoice.pdf" that displays phony invoice information.

Fig.12 - Execution of HTA file.

Fig.13 - Process tree of OneNote execution.

Upon further observation, it was noted that the IcedID infection was followed by the download and execution of a PowerShell script, which in turn downloaded the Cobalt Strike DLL beacon. This behavior is similar to previous variants of IcedID and Qakbot, which infect the system with Cobalt Strike approximately 45 minutes after the initial infection.

Fig.14 - PowerShell script to download CobaltStrike.

Continued analysis of the increasing number of OneNote samples has uncovered an intriguing method employed by Qakbot to download and execute its payload.
When the user clicks the "Open" button in the OneNote file, the HTA file is dropped into the Temp directory of the infected system. The HTA file uses JavaScript to deobfuscate the obfuscated data held in the <div> element. Following this, VBScript creates a registry key and stores the deobfuscated data in it. A separate piece of JavaScript creates a WshShell object and executes curl to download the Qakbot payload.

Fig.15 - Qakbot OneNote obfuscation.

It has also been observed that the latest OneNote Qakbot samples have altered their execution flow. Instead of using HTA files, they now drop CMD files to download and execute the final payload:

* OneNote -> cmd -> powershell -> rundll32 (final Qakbot payload).

Fig.16 - New Qakbot OneNote execution.

CASE STUDY-3: STEALER

Numerous RATs and banking malware have been observed spreading through OneNote since the malware campaign began, with Qakbot being the most prevalent. However, only Redline has been identified as distributing through OneNote files in the stealer category. Recently, a suspicious OneNote sample was discovered due to its network activity.

Fig.17 - Phishing document malicious content

After using the onedump.py tool by Didier Stevens to analyze the sample, multiple data blobs were discovered. Streams 2, 3, and 5 contained HTML files with hidden code. After dumping the files, it was discovered that two of them used URL encoding for obfuscation. CyberChef was used to decode the scripts, which were revealed to be VBScript files that download payloads from malicious URLs and execute them using the Start-Process command.

Fig.18 - Decoded text from encoded HTA files.

The third file underwent multiple layers of obfuscation before revealing the final binary. It was first encoded with URL encoding and then subjected to several layers of base64 encoding. Additionally, it used the gzip library to decode the final code.
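The layering described for the third file (URL encoding, then several rounds of base64, then gzip) can be peeled off automatically instead of step by step in CyberChef. The script below is an added example for this article, not ThreatLabz code and not a CyberChef reimplementation: it tries each decoder in turn until none applies and reports the order of layers it removed. The sample blob is constructed inline to mirror that layering; the AES step from case study 1 is not covered.

```python
"""Peel URL-encoding, base64 and gzip layers off an obfuscated script blob.

Added example; not Zscaler's or ThreatLabz's code. The sample blob is
constructed below and wraps a made-up PowerShell path, standing in for
the decoded output the article describes.
"""
import base64
import binascii
import gzip
import re
import zlib
from urllib.parse import unquote

PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def try_url(data: bytes):
    """Decode %XX escapes; None if none are present or decoding changes nothing."""
    text = data.decode("latin-1")
    if not PERCENT_RE.search(text):
        return None
    out = unquote(text, encoding="latin-1").encode("latin-1")
    return out if out != data else None


def try_base64(data: bytes):
    """Strict base64 decode of the whitespace-stripped input; None if not valid base64."""
    stripped = b"".join(data.split())
    if len(stripped) < 8 or len(stripped) % 4 or not B64_RE.fullmatch(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def try_gzip(data: bytes):
    """Decompress only if the data carries the gzip magic bytes 1f 8b."""
    if not data.startswith(b"\x1f\x8b"):
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


# Order matters: gzip is recognised by magic bytes, URL encoding by %XX escapes,
# and base64 (the loosest check) is tried last.
DECODERS = (("gzip", try_gzip), ("url", try_url), ("base64", try_base64))


def peel(data: bytes, max_layers: int = 16):
    """Return (names of layers removed, innermost payload)."""
    layers = []
    current = data
    for _ in range(max_layers):
        for name, decoder in DECODERS:
            nxt = decoder(current)
            if nxt is not None:
                layers.append(name)
                current = nxt
                break
        else:
            break  # no decoder applied: this is the innermost stage
    return layers, current


# Constructed stand-in for the decoded output the article describes: a PowerShell file path.
FINAL_STAGE = b"C:\\Users\\Public\\Documents\\stage2.ps1"


def build_sample(payload: bytes = FINAL_STAGE, b64_rounds: int = 3) -> bytes:
    """Wrap a payload the way the third HTA file was: gzip, base64 x N, then percent-encode every byte."""
    blob = gzip.compress(payload)
    for _ in range(b64_rounds):
        blob = base64.b64encode(blob)
    return "".join(f"%{b:02X}" for b in blob).encode("ascii")


if __name__ == "__main__":
    removed, inner = peel(build_sample())
    print("layers removed:", " -> ".join(removed))
    print("innermost stage:", inner.decode("latin-1", errors="replace"))
```

On a real dump, feed `peel()` the bytes of the extracted `<div>` or script body; the returned layer list is worth recording alongside the sample, since a change in layer order is often the only visible difference between two builds of the same dropper.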
The output of the decoded code was a PowerShell file path, presumably for use in later stages of execution.

Fig.19 - Decoded Script

After investigating the downloaded payloads from the scripts, we discovered one payload located at https://oiartzunirratia[.]eus/install/clean/Lcovlccdxd.exe. This file was found to be a .NET file encrypted with PureCrypter. Through analyzing its configuration, we identified this payload as Redline. The configuration of the final payload includes the following details:

{
  "C2 url": [ "194.26.192.248:7053" ],
  "Bot Id": "cheat"
}

During the analysis of this sample, it was discovered that it is distributed through the Telegram group "NET_PA1N Reborn," which operates as a Malware-as-a-Service (MaaS) provider. The group sells its own crypter and stealer, named "Youhacker Crypter" and "Youhacker Stealer", as well as popular Remote Access Trojans (RATs) and stealers.

Fig.20 - Telegram group mentioned in OneNote.

Fig.21 - YouHacker stealer and crypter.

CONCLUSION

In recent months, a OneNote malware campaign has been observed spreading RATs, bankers, and stealer-category malware. One of the most frequently seen malware families in this campaign is Qakbot. However, Redline has also been observed distributing through OneNote files. Threat actors are continuously experimenting with initial attack vectors to evade detection and deceive users into executing malware. They have adopted this new technique using OneNote to distribute their malware, as many antivirus engines have not caught up with inspecting and detecting malicious OneNote files attached to email. Zscaler's ThreatLabz team is continuously monitoring the campaign and sharing new findings. During their investigations, Zscaler has discovered various samples of OneNote malware with different payloads, encodings, and obfuscation techniques. They have analyzed the behavior of these samples and identified their MITRE ATT&CK techniques.
Some of the samples have been distributed through a Telegram group named "NET_PA1N Reborn," which operates as a Malware-as-a-Service (MaaS) and sells its own crypter and stealer along with RATs and other stealers.

ZSCALER SANDBOX COVERAGE

The behavior of various files was analyzed by Zscaler Sandbox, displaying threat scores and the number of MITRE ATT&CK techniques triggered, as shown in the screenshots below.

Fig.22 - Zscaler Sandbox report for AsyncRAT.
Fig.23 - Zscaler Sandbox report for IcedID.
Fig.24 - Zscaler Sandbox report for CobaltStrike.
Fig.25 - Zscaler Sandbox report for Redline

Zscaler's multilayered cloud security platform detects payloads with the following threat names:

* Win32.Backdoor.AsyncRAT
* Win64.Banker.Icedid
* Win64.Backdoor.CobaltStrike
* Win32.Banker.Qakbot
* Win32.PWS.Redline

MITRE ATT&CK TECHNIQUES:

Tactic              | Technique ID | Technique Name
Initial Access      | T1566        | Phishing
Execution           | T1204        | User Execution
Execution           | T1059        | Command and Scripting Interpreter
Execution           | T1047        | Windows Management Instrumentation
Defense Evasion     | T1027        | Obfuscated Files or Information
Defense Evasion     | T1070.004    | File Deletion
Defense Evasion     | T1112        | Modify Registry
Defense Evasion     | T1218.011    | System Binary Proxy Execution: Rundll32
Defense Evasion     | T1218.005    | System Binary Proxy Execution: Mshta
Command and Control | T1071        | Application Layer Protocol
Command and Control | T1095        | Non-Application Layer Protocol

INDICATORS OF COMPROMISE (IOCS):

CASE STUDY-1:

[+] MD5:
* e9f0dbbd19ef972dd2fc163a4b34eae1 = AsyncRAT OneNote File
* 19905a73840430e28c484b97546225c6 = Dropped Batch File
* 146f4f1c9b29e7505f275772378bfec9 = AsyncRAT payload1
* 1d9aa7c9aa3f8dc9dd58a38176ea36fe = AsyncRAT payload2

CASE STUDY-2:

[+] MD5:
* 5139af509129641b1d29edd19c436b54 = IcedID OneNote File
* 6b1e64957316e65198e3a1f747402bd6 = IcedID DLL Payload
* 6b500ad29c39f72cd77c150a47df64ea = CobaltStrike DLL Payload
* 4c6a40f40dcd0af8d5c41d0fcc8e4521 = Qakbot OneNote File (hta dropped)
* 3c7c265f618912d81856bf460bf19f61 = Qakbot OneNote File (cmd dropped)
* fa49fd13fc49ab38b97d2d019cc04b39 = CMD file to download Qakbot
[+] Network Indicators:
* http://helthbrotthersg[.]com/view.png = IcedID Payload from OneNote File
* https://transfer[.]sh/get/vpiHmi/invoice.pdf = Decoy PDF
* http://ehonlionetodo[.]com = IcedID C2
* http://167[.]172[.]154[.]189/36.ps1 = PowerShell for CobaltStrike
* http://167[.]172[.]154[.]189/360702.dll = Cobalt Strike Payload
* https://thefirstupd[.]com = Cobalt Strike C2
* https://myvigyan[.]com/m1YPt/300123.gif = Qakbot Payload (hta dropped)
* https://starcomputadoras[.]com/lt2eLM6/01.gif = Qakbot (cmd dropped)

CASE STUDY-3:

[+] MD5:
* 973e87ec99502aac9a12f987748a812a = Redline OneNote File
* 39f3c510f46d605202844e35c07db84b = Dropped Hta File 1
* 558da264c83bfe58c1fc56171c90c093 = Dropped Hta File 1
* C6ba1a7b2b90e18b6c25382453370169 = Dropped Hta File 1
* d3713110654dc546bd5edc306a6e7efd = Redline payload

[+] Network Indicators:
* https://somosnutrisalud[.]cl/installs/clean/payroll.exe = Payload1
* https://wi-protect[.]com/install/Eulsm.exe = Payload2
* https://oiartzunirratia[.]eus/install/clean/Lcovlccdxd.exe = Redline Payload
* 194[.]26[.]192[.]248:7053 = Redline C2 Url

AUTHORS
MEGHRAJ NANDANWAR
SHATAK JAIN
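The IoC list above is published defanged (`[.]` in place of `.`) and mixed with headings, so it cannot be dropped straight into a blocklist or a hash lookup. The parser below is an added example for this article, not Zscaler's or ThreatLabz's tooling: it reads the `* <indicator> = <label>` bullets, refangs and classifies each value, lower-cases hashes, and derives the set of hosts to block. The sample lines are copied from the article's IoC section; the output structure is this example's own choice.

```python
"""Normalise the article's defanged IoC bullets into machine-readable records.

Added example; not Zscaler's or ThreatLabz's code. SAMPLE_IOC_LINES are
copied from the article's IoC section (values as published).
"""
import re
from urllib.parse import urlsplit

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")


def refang(value: str) -> str:
    """Undo the [.] and hxxp defanging conventions used in published reports."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def classify(value: str) -> str:
    """Bucket a refanged indicator as md5, url, ip (with optional port) or domain."""
    if MD5_RE.match(value):
        return "md5"
    if re.match(r"^https?://", value):
        return "url"
    if IPV4_RE.match(value):
        return "ip"
    return "domain"


def parse_ioc_lines(lines):
    """Parse '* <indicator> = <label>' bullets; headings and '[+] ...' markers are skipped."""
    iocs = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("*") or "=" not in line:
            continue
        value, _, label = line.lstrip("* ").partition("=")
        value = refang(value.strip())
        kind = classify(value)
        if kind == "md5":
            value = value.lower()  # hashes compare case-insensitively; normalise once
        iocs.append({"type": kind, "value": value, "label": label.strip()})
    return iocs


def network_blocklist(iocs):
    """Hosts (domains and IPs) for a DNS/proxy blocklist, taken from url, ip and domain indicators."""
    hosts = set()
    for ioc in iocs:
        if ioc["type"] == "url":
            hosts.add(urlsplit(ioc["value"]).hostname)
        elif ioc["type"] == "ip":
            hosts.add(ioc["value"].split(":")[0])
        elif ioc["type"] == "domain":
            hosts.add(ioc["value"])
    return sorted(h for h in hosts if h)


# Lines copied from across the article's IoC section.
SAMPLE_IOC_LINES = [
    "[+] MD5:",
    "* e9f0dbbd19ef972dd2fc163a4b34eae1 = AsyncRAT OneNote File",
    "* C6ba1a7b2b90e18b6c25382453370169 = Dropped Hta File 1",
    "[+] Network Indicators:",
    "* http://helthbrotthersg[.]com/view.png = IcedID Payload from OneNote File",
    "* http://167[.]172[.]154[.]189/36.ps1 = Powershell for CobaltStrike",
    "* https://thefirstupd[.]com = Cobalt Strike C2",
    "* 194[.]26[.]192[.]248:7053 =Redline C2 Url",
]

if __name__ == "__main__":
    records = parse_ioc_lines(SAMPLE_IOC_LINES)
    for rec in records:
        print(f"{rec['type']:6} {rec['value']}  # {rec['label']}")
    print("block:", ", ".join(network_blocklist(records)))
```

Keeping the label with each record matters: the same host appears as both payload server and C2 in this campaign, and the label is what lets a SOC decide whether a hit means a download attempt or an established infection.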