Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

A Noteworthy Threat: How Cybercriminals are Abusing OneNote – Part 2

In part one, we examined how threat actors abuse a OneNote document to install an infostealer. Part 2 of this series discusses an AsyncRAT infection chain while detailing important parts of the code. We’ll also quickly analyze other notable malware strains such as Qakbot and RemcosRAT.

AsyncRAT

This campaign starts with threat actors emailing potential victims claiming that they have an unpaid invoice. The email has a sense of urgency trying to push victims to open the OneNote attachment.

19668_image002

Figure 1. MailMarshal console showing the suspicious batch file, images and text contained in the OneNote notebook.

The OneNote document contains only one section with a ‘click to view document’ button image placed right above the batch script. When a user clicks the button image, the batch script is implicitly clicked and executed, prompting a security warning that recipients often ignore. As a trick to increase the click rate, threat actors purposely arrange copies of the script across the width of the button image.

19669_image004

Figure 2. The OneNote document uses a plain background with a button image placed right above the batch file.

Infection Chain

19670_image006

Figure 3. This delivery mechanism employs a lot of containerization. Starting from the OneNote, to the batch file which contains the loader, then the main payload embedded inside the loader.

Batch Script

The batch script uses obfuscation by splitting its main code into multiple parts. Notice that it sets the environment variables to the value ‘set,‘ and these variables referencing the set operator were then used to create variables containing the code slices. Then, the batch script concatenates the variables to generate the main code.

19671_image008

Figure 4. This batch script uses a chain of set function calls to obfuscate and split its malicious code. To reconstruct the code, the script concatenates the variables. To view the actual code, just add the echo command at the start of each concatenation.

The script copies a PowerShell executable to the current working directory and then renames it as skyy.bat.exe. It runs a PowerShell instance with hidden window and bypassed execution policy while using the original batch script as an input.

The PowerShell command reads the batch script and then looks for a commented base64 chunk marked by the ‘::’ symbol. Next, the command initially decodes the base64 chunk, followed by an AES-CBC decryption routine with the hardcoded key and initialization vector, then passing the output for decompression using Gzip. A .NET-based executable is the file hidden in the base64 chunk. Finally, the command loads the executable in memory using the .NET Assembly.Load method.

19672_image010

Figure 5. This is the reconstructed code used to unpack and decrypt the code inside the batch script. Notably, it obfuscates function names like Load, ReadAllText and FromBase64String by reversing their character order.

.NET Loader

Let’s now examine the entry point. The loader dynamically resolves Windows API functions using a combination of GetProcAddress and LoadLibrary calls.

As a quick note, some Windows API names and notable strings are encrypted using the AES-CBC algorithm and then base64-encoded. The key and initialization vector (IV) is hardcoded in the executable, and the AES decryption function in the loader requires three arguments, namely: input, key and IV. The same key-IV pair is also used to decrypt the main payload.

  • Key: CLUnQ5OX0VGId/0Mcukekl6k3e72rzwV4EupkumpVGQ=

19673_image012

Figure 6. The loader function used to decrypt encrypted strings with AES in CBC mode.


IV: 7WJ4i/8wa+eRcMTbbLS/+g==

Figure 7 . At the loader entry point, it starts with evading defenses by bypassing the Antimalware Scan Interface (AMSI) and disabling Event Trace for Windows (ETW) through memory patching.

Moving on, the loader first resolves the memory address of VirtualProtect followed by the AmsiScanBuffer API function from their respective libraries. The AmsiScanBuffer API name was originally encrypted, then consecutively decrypted and resolved in a function chain. After resolving the memory address of AmsiScanBuffer, the loader sets the memory space of the function to writable by calling VirtualProtect. Then, it overwrites that AmsiScanBuffer memory region with a crafted byte array before reverting the memory space to its original protection state. This technique bypasses Antimalware Scan Interface (AMSI) by forcing the scan result to clean, allowing the malicious code to run unrestricted.

Next, the loader resolves the memory address of EtwEventWrite from the ntdll.dll library. A similar process occurs with the AmsiScanBuffer bypass, which passes an opcode to disable the Event Trace for Windows (ETW) functionality. Both techniques aim to evade defenses like anti-virus and event logging setting up the environment for the successful execution of the malicious payload.

The loader proceeds to retrieve the main payload stored in its resource section by decrypting the resource name, payload.exe, before passing the resource name to a method that loads the resource’s data in memory. Subsequently, the loader passes the data in memory to the AES decrypt function followed by Gzip decompress obtaining another .NET-based executable.

Eventually, the main payload is reflectively loaded in memory and executed using the Assembly.Load function.

At the end of the loader routine, a command line process is started with arguments consisting of the concatenation of encrypted strings and the calling process referring to skyy.bat.exe, which is a PowerShell copy. The resulting command ‘cmd.exe /c choice /c y /n /d y /t 1 & attrib -h -s skyy.bat.exe & del skyy.bat.exe’ removes the hidden and system attributes of the skyy.bat.exe then deletes it afterwards.

19674_image014

Figure 8. Calling the ‘Assembly.Load(rawAssembly).Entrypoint’ functions loads the main payload in the memory. After that, the loader removes the copy of PowerShell from its working directory.

Main Payload: Async RAT

AsyncRAT is a .NET-based open-source remote access tool (RAT) used to gain control of computers and access data remotely. It provides a range of capabilities, such as keylogging and defense evasion features making it a popular choice for cybercriminals.

The AsyncRAT variant had its configuration encrypted using AES-256 in CBC mode. Its full capabilities are well-documented in its public repository, available from 2019.

19675_image016

Figure 9. The original filename of the assembly  is ‘AsyncClient’, which is a common name of binaries generated from AsyncRAT builder.

Async RAT configuration:

  • Key: QXVacHdzc0VabU1jaFVCQU5zbDBJWVZTbDdSd1pkU3A=
  • Ports: 6606,7707,8808
  • Hosts: mikludoykxx[.]ddns.net, mikeludomax[.]ddns.net, mikeludoyyxx[.]ddns.net
  • Version: 0.5.7B
  • InstallFolder: %AppData%
  • MTX: AsyncMutex_6SI8OkPnk
  • Delay: 3

Other Notable Malware Strains

Recently, we have seen Qakbot actively abusing OneNote to deliver its payload. Compared with its previous campaigns, it has a similar infection chain, and what varies is the attachment used, shifting from HTML smuggling to a trojanized OneNote notebook.

The Qakbot’s email lure retains the email thread  hijacking technique as part of its arsenal. Email thread hijacking is an attack where a threat actor inserts malicious content into an existing conversation between two or more people. This technique takes advantage of the trust that already exists between recipients of the email, thus, increasing the chances of those users clicking the malicious links or attachments.

The OneNote attachment disguises itself as a document coming from the cloud. Right behind the ‘Open’ button hides an embedded batch file that will invoke PowerShell to download an additional payload that further leads to the Qakbot DLL.

19677_image020

Figure 10. Qakbot's OneNote lure attempts to trick the users into clicking the hidden batch script.

19678_image022

Figure 11. The Qakbot's batch script encodes its download URL and execution command with hex codes. It attempts to bypass static scanning and AV signatures.

Qakbot continues to infest enterprise networks and users by tapping into new delivery methods, this time abusing OneNote to its advantage.

Another campaign abusing OneNote delivers Remcos RAT. Remcos is a commercial remote access tool with robust features out-of-the-box which appeals to threat actors.

The email lure disguised as a property information notice from a construction company comes with a OneNote document. An executable embedded in the OneNote hides behind the ‘click to view document’ button.

19679_image024

Figure 12. This lure sports a simpler design like the AsyncRAT campaign, but this OneNote has an embedded executable.

When we examine the executable, it appears to be a Delphi-based loader known as ModiLoader. Upon executing, the loader excludes the path C:\Users from AV scanning. Doing so prevents the AV scanner from blocking the execution of the payload. Eventually, the loader downloads a binary from a remote URL leading to Remcos RAT being installed on the victim’s machine.

Remcos RAT configuration.

  • Version: Remcos 3.1.0 Pro
  • C2 Servers:
  • 184[.]75[.]221[.]171:5129
  • 199[.]249[.]230[.]27:5129
  • 185[.]103[.]96[.]143:5129
  • 185[.]104[.]184[.]43:5129
  • Mutex: -O1VWSP

Conclusion

In this analysis, we observed the shift to OneNote documents as the initial payload for AsyncRAT delivery. We explored the stages of the infection chain, highlighting defense evasion techniques such as memory patching to bypass antivirus, file obfuscation, and reflective code loading.

Overall, the extent of defense evasion techniques exhibited shows how aggressively the threat actors are attempting to increase the effectiveness of their attacks and make them more difficult to detect and analyze.

From what we have seen, any files can be easily embedded in OneNote.  Together with tricky social engineering techniques, threat actors can successfully take control of a target’s system and steal sensitive data. Furthermore, OneNote documents do not include ‘Protected View’ and Mark-of-the-Web (MOTW) protection increasing the risk of exposure to potentially malicious files and making it attractive to cybercriminals.

These campaigns show that threat actors are quick to adapt to new and trending methods, riding the wave to achieve their malicious goals. We expect a wave of campaigns leveraging OneNote to continue for a while yet.

Please continue to Part 3 of our OneNote research where we discuss a OneNote spearphishing campaign.

Indicators of Compromise

 

AsyncRAT

 

ce7a8a6a8fdc7846b9022a746c39a00a6eb4d19c

Invoice #10974543.one

a2bbfb23b51cb1f2bb213dfe410601bc7fa53875

skyy.bat

7a0ccfb531bdc864a87bd47ce4af91e4243d9c9b

loader

d2fd7053dc13293a02851cb74837d0788dc1d159

AsyncRAT

 

Qakbot

 

1523e0e1f454e480e6e2f8c0282d3fa6ed589059

372068.one

9ff9c3c674cfd13e2ed6199815d5f1287cd95ff2

Open.Bat

hxxp://198[.]44[.]140[.]78/210/184/187737.dat

 

 

Remcos RAT

 

360c70c00d6c2804b3b64f53ef2b68a7e9d79016

Property List.one

adb39f9a5f7d82e3886f551418344761f1e668df

Kgthldmuaxrymp.exe (Modiloader)

hxxps[://]tottenham02[.]duckdns[.]org/Kgthldmuaxr

 

162[.]247[.]153[.]39

 

About the Author

Bernard Bautista is Security Researcher, SpiderLabs at Trustwave, where he specializes in email and malware analysis. He focuses on improving the security posture of customers by analyzing email-borne threats and developing detection mechanisms to protect against emerging cyber threats. Follow Bernard on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo