
Analyzing Embedded Files in Malicious OneNote Documents

Written by Marketing | Jun 21, 2023 3:26:45 PM

Executive Summary

Threat actors continually innovate and adapt their tactics to deliver malware through phishing campaigns, often leveraging widely used software. Media coverage has highlighted the increased use of OneNote files as a first stage dropper to infect victim endpoints. Several threat families including IcedID, QakBot, AsyncRat, AgentTesla, have been observed abusing OneNote documents.

To address this emerging infection vector, Avertium’s threat hunters have been studying these files to improve detection methods and hunt for those that have evaded existing detections. Our research focuses on the exploitation of embedded files within OneNote, a prominent technique in recent adversary campaigns. By gaining a deeper understanding of this technique, we aim to proactively counteract the evolving strategies employed by threat actors and safeguard against potential vulnerabilities. Let’s dive into the analysis of embedded files in malicious OneNote Documents.

 

 

 

Initial Analysis

We downloaded five different malicious OneNote files to build a sample set and look for activity common to these files. The samples were associated with threat families such as Emotet, Snake Keylogger, Qakbot, and Gozi. Initially, we ran the “file” command against the OneNote files, but it only categorized them as “data”.

 

Image 1: Command on How to Identify OneNote Files 1

 

Thankfully, “trid” was able to identify them as Microsoft OneNote files.

 

Image 2: Command on How to Identify OneNote Files 2

 

As an alternative, we also ran xxd (a hex dump utility) against the OneNote sample files to review the first few bytes, which were identical across all samples. This is useful for building a Yara rule that specifically matches OneNote files. The condition below reads the first four bytes of the file as a big-endian integer.

 

Image 3: Command on How to Identify OneNote Files 3

 

An example condition for a Yara rule based on this is shown below (Yara's function name is lowercase, uint32be):

uint32be(0x0) == 0xE4525C7B

According to Didier Stevens' blog post on OneNote files, the beginning of an embedded file section in OneNote is indicated by the following HEX string:

“E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC”

The HEX string corresponds to the GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}. This particular GUID is linked to the FileDataStoreObject structure, which defines the data for a file data object, as specified by Microsoft.

Following this GUID, OneNote reserves twenty bytes: the first eight bytes hold the file length, the next four bytes are unused and set to zero, and the final eight bytes are reserved and also set to zero. The resulting HEX string therefore looks like the following:

“E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00”

Following the above HEX string, the embedded file data is stored. Fortunately, OneNote does not attempt to encrypt any of the contents, rendering the contents of the file readable in a HEX editor. An example screenshot of this is shown in image 4. Notice the content is represented in plaintext.

 

Image 4: Content Represented in Plain Text

 

Based on our findings, we can include this string in a Yara rule that searches for the FileDataStoreObject GUID in HEX format. This will allow us to identify all OneNote files that contain an embedded file.

$FileDataStoreObject = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC }
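The two checks described above (the header test behind the Yara condition and the FileDataStoreObject walk that locates embedded file data), as an added example written for this write-up; it is neither onedump.py nor Avertium's own tooling. It assumes cbLength is little-endian as in MS-ONE, uses the full OneNote header GUID (the Yara condition checks only its first four bytes), and runs against a constructed sample blob rather than a real .one file.

```python
import struct
from typing import List, Tuple

# OneNote header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}; the page's Yara
# condition checks only its first four bytes, read big-endian.
ONE_HEADER = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
# FileDataStoreObject GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}.
FDSO_GUID = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
# guid (16) + cbLength (8) + unused (4) + reserved (8); MS-ONE is little-endian.
FDSO_HEADER_LEN = 16 + 8 + 4 + 8

def is_onenote(data: bytes) -> bool:
    """Python equivalent of the Yara condition uint32be(0x0) == 0xE4525C7B."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] == 0xE4525C7B

def extract_embedded_files(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, payload) for every FileDataStoreObject found."""
    found = []
    pos = data.find(FDSO_GUID)
    while pos != -1:
        hdr = data[pos + 16 : pos + FDSO_HEADER_LEN]
        if len(hdr) == 20:
            cb_length, unused, reserved = struct.unpack("<QIQ", hdr)
            start = pos + FDSO_HEADER_LEN
            # Reject false GUID hits: the 12 bytes after the length must be
            # zero and the declared length must fit inside the file.
            if unused == 0 and reserved == 0 and start + cb_length <= len(data):
                found.append((pos, data[start : start + cb_length]))
        pos = data.find(FDSO_GUID, pos + 16)
    return found

def classify(payload: bytes) -> str:
    """Triage by leading bytes: the page's MZ check, plus PNG for lure images."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(b"\x89PNG"):
        return "png"
    return "unknown"

def _fdso(payload: bytes) -> bytes:
    """Build one FileDataStoreObject record (used only for constructed data)."""
    return FDSO_GUID + struct.pack("<QIQ", len(payload), 0, 0) + payload

# Constructed sample .one blob: header, padding, a PNG lure, then a fake PE stub.
SAMPLE_ONE = (ONE_HEADER + b"\x00" * 64
              + _fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16) + b"\x00" * 8
              + _fdso(b"MZ\x90\x00" + b"\x00" * 28))
```

On a real sample, feed the bytes of the .one file to extract_embedded_files and hand each payload with an MZ or script signature to a sandbox rather than opening it.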

 

 

Analyzing the OneNote File

Now that we have a clear understanding of the contents of a malicious OneNote file, we can analyze a single OneNote file in more depth. This will allow us to better understand the specimen, as well as how these files commonly work. Below is high-level information on the specimen we will be analyzing.

What is commonly seen in these malicious OneNote files is an embedded file with a picture placed over it, with phrases to convince the user to click in the area the file is placed in. Below is an example of what this commonly looks like.

 

Image 5: Example of Malicious OneNote File

Source: Sophos

 

When the user clicks the “Open” image in the above screenshot, it opens the file hidden behind it. Didier Stevens developed a Python script named onedump.py to assist with analyzing OneNote files. After running it against the malicious OneNote file, the embedded objects appear in the format commonly seen, with the .PNG images covering the “Set” object.

 

Image 6: Running onedump.py

 

After extracting the “Set” object, it provides the following PowerShell script, which creates a C2 connection via ‘Invoke-WebRequest’. This connection is used to download another PowerShell script called “boy1start.ps1”.

 

Image 7: PowerShell Script Inside OneNote File

 

From the above script, we have some useful indicators to assist with identifying this malicious OneNote file:

After accessing the website, the script downloads a second PowerShell script that contains a Base64-encoded executable; sample snippets of the code are provided below.

 

Image 8: Sample Snippets of Code 1

 

End of the script:

In the image below, it is worth noting that towards the end of the script, the Base64 encoding is decoded, and the resulting file, named 'boy1.pif,' is added to the 'C:\Users\Public' directory and subsequently executed.

 

Image 9: Sample Snippets of Code 2

 

After decoding the Base64, we were able to verify it as a Windows executable based on the Windows MZ signature at the beginning.

 

Image 10: Windows MZ Signature

 

After executing the dropped PowerShell script, it decoded the Base64 and dropped the file “boy1.pif” in the “C:\Users\Public” directory as expected. It’s worth mentioning that we removed the last line of the script (Start-Process -FilePath "C:\Users\Public\ boy1.pif"), which attempts to automatically execute the .pif file, allowing us to have better control of the file while analyzing it.
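A static triage of the dropped-script stage described above, as an added example written for this write-up (not the sample's script and not Avertium's tooling): it decodes long Base64 runs, applies the same MZ check used to identify the executable, and pulls out the write and Start-Process paths without running anything. The script text is a constructed three-line stand-in whose "executable" is a fake 64-byte PE stub; the regexes and field names are this example's own.

```python
import base64
import re
from typing import Dict, List

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# The drop-path idioms seen in this chain: a WriteAllBytes()/-OutFile target
# and the Start-Process -FilePath target.
PATH_RE = re.compile(r"""(?:WriteAllBytes|-OutFile|-FilePath)\s*\(?\s*['"]([^'"]+)['"]""")

def decode_blobs(script: str) -> List[bytes]:
    """Decode every long Base64 run in the script, skipping invalid ones."""
    blobs = []
    for m in B64_RE.finditer(script):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs

def triage(script: str) -> Dict[str, object]:
    """Report the indicators the page walks through, without executing."""
    blobs = decode_blobs(script)
    return {
        "embedded_pe": any(b.startswith(b"MZ") for b in blobs),
        "dropped_paths": sorted(set(PATH_RE.findall(script))),
        "autoruns_drop": "Start-Process" in script,
    }

# Constructed stand-in for a stage-2 script of the kind described above; the
# "executable" is a 64-byte fake PE stub, not a real program.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_PS1 = (
    "$b = '" + base64.b64encode(FAKE_PE).decode() + "'\n"
    "[IO.File]::WriteAllBytes('C:\\Users\\Public\\boy1.pif', "
    "[Convert]::FromBase64String($b))\n"
    "Start-Process -FilePath 'C:\\Users\\Public\\boy1.pif'\n"
)
```

Real droppers often split, reverse or otherwise obfuscate the blob, so treat a miss from decode_blobs as "not confirmed" rather than clean.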

 

Image 11: Dropped PowerShell Script

 

After executing the dropped file “boy1.pif”, it was observed reaching out to IP address 37[.]139[.]128[.]83 which has a malicious reputation on multiple OSINT sites.

 

Image 12: Malicious File Reaching Out to IP Address

 

 

Conclusion

Our analysis of this particular file has reached its conclusion. It is strongly associated with Snake Keylogger, a malware family known for exploiting Office and PDF documents to gather account credentials for use in account takeover. In addition, we observed various other malicious activities performed by the file, including attempts to manipulate scheduled tasks using schtasks.exe and attempts to harvest and steal browser information (passwords, history, etc.).

Additionally, the file demonstrated the theft of FTP login credentials, emphasizing its scope of unauthorized access and potential for unauthorized file transfers. Finally, it actively attempted to identify the external IP address of the infected machine, potentially to establish remote control or facilitate communication with command-and-control servers.

Our analysis serves as a reminder of the ever-present threats lurking in cyberspace, with adversaries constantly honing their techniques and deploying increasingly sophisticated malware. Vigilance and robust security measures are essential in safeguarding against such threats. Stay informed, keep your defenses up-to-date, and remain proactive in protecting your digital assets from the evolving landscape of cybercrime.

Note: This blog entry was written by Senior Cybersecurity Analyst Alex Johnson, with editorial contributions by Portia Cole.

 

 

MITRE Map

As an overview of this malicious OneNote file's capabilities, below is a TTP breakdown based on MITRE ATT&CK.

Tactic: TA0043 Reconnaissance
Technique: T1589.002 Gather Victim Identity Information: Email Addresses
Procedure: Adversaries may gather email addresses that can be used during targeting. Email addresses are easy to collect, since they are often readily available and exposed via online or other accessible data sets.

Tactic: TA0001 Initial Access
Technique: T1566 Phishing
Procedure: The adversary sends a phishing email containing a “.one” attachment, enticing the user to open the file and click the image that has a malicious attachment hidden behind it.

Tactic: TA0002 Execution
Technique: T1059.001 Command and Scripting Interpreter: PowerShell
Procedure: When the user clicks on the embedded file, it executes a malicious PowerShell script that is invoked by wscript.

Tactic: TA0005 Defense Evasion
Technique: T1027 Obfuscated Files or Information
Procedure: The downloaded PowerShell script carries a “.pif” file encoded in Base64, which is decoded, dropped in the C:\Users\Public\ directory, and then automatically executed.

Tactic: TA0009 Collection
Technique: T1056.001 Input Capture: Keylogging
Procedure: When executed, boy1.pif acts as a keylogger, attempting to harvest and steal browser information (passwords, history, etc.), steal FTP login credentials, and identify the external IP address of the infected machine.

Tactic: TA0011 Command and Control
Technique: T1071.001 Application Layer Protocol: Web Protocols
Procedure: The malicious PowerShell script makes a web request to bitbucket[.]org to download a second PowerShell script.


 

 

Avertium's Recommendations

  • User Education and Awareness: Malicious OneNote files are commonly spread via phishing attempts. Cybersecurity awareness training can assist employees with properly identifying attempted phishing campaigns and what actions they should take.

  • Multifactor Authentication: In this instance, the malicious OneNote file was a keylogger. The common goal of keyloggers is to steal user login credentials for later use. Strong MFA (Multifactor Authentication) makes it more difficult for the adversary to use stolen passwords to access accounts due to required access to other authentication methods.

  • Email Security Solutions: Malicious OneNote files spread via phishing attempts. Email security solutions can identify and mitigate emails that contain malicious documents.

  • Anti-Virus: Having an up-to-date Anti-Virus solution can potentially catch and mitigate some of these.

  • Network IDS/IPS: Having a network security device, preferably in blocking mode, can also help catch and mitigate some of this. Depending on the signatures that are enabled it may be able to catch and alert at various stages.

  • Threat Hunting: In a worst-case scenario, the malicious OneNote file evades existing detections and is successfully executed on a user’s system. Proactive threat hunting can help detect these types of threats, allowing you to take action and minimize the overall impact and cost of the incident. This can also lead to new detection rules to automatically detect this type of activity going forward.

 

 

How Avertium Is Protecting Our Customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe:

  • Avertium offers THaaS (Threat Hunting as a Service), which involves applying human expertise to proactively search for signs of malicious activity in customers' IT infrastructure that have evaded existing security controls. By integrating threat intelligence and employing advanced hunting techniques, THaaS can uncover the adversary's Tactics, Techniques, and Procedures (TTPs) that conventional security measures miss. Stay steps ahead with THaaS and fortify your defenses like never before—a proactive, dynamic solution that will, over time, improve your security posture.
  • Avertium offers user awareness training through KnowBe4. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding of and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.

 

 

INDICATORS OF COMPROMISE (IOCs)


SUPPORTING DOCUMENTATION

Qakbot mechanizes distribution of malicious OneNote notebooks – Sophos News

Beta/onedump.py at master · DidierStevens/Beta · GitHub

Gather Victim Identity Information: Email Addresses, Sub-technique T1589.002 - Enterprise | MITRE ATT&CK®

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.