2023-03-15

New And Emerging Dangers Hide Within OneNote

Level: 
Tactical
  |  Source: 
Trustwave
Global
Share:

New And Emerging Dangers Hide Within OneNote

Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Trustwave

Since December 2022, there has been an increase of weaponized Microsoft OneNote files infecting users and initiating an infection chain resulting in data compromises or ransomware. Threat actors appear to be favoring OneNote due to its ability to embed files. Malware discovered to be distributed in these recent campaigns has included Formbook, Qakbot, and AsyncRAT (remote access trojan). A recent infection chain reported by Trustwave SpiderLabs begins with a phishing email themed as a "fake product inquiry" with an accompanying OneNote document masquerading as a PDF file. Once executed, the trojanized OneNote file continues to appear as a PDF document and prompts the user to click on a link to "View Document," but actually initiates activity with a PyInstaller-based executable and executes a PowerShell script. Several commands are executed by the script to download a zip file containing credential collection tools, gather system information on the victim's host, clear logs and artifacts, and exfiltrate data to a remote FTP server.

Anvilogic Scenario:

  • Malicious Script/Package Installs Malware

Anvilogic Use Cases:

  • Python Execution
  • Invoke-WebRequest Command
  • Windows FTP Exfiltration

Get trending threats published weekly by the Anvilogic team.

Sign Up Now