SpiderLabs Blog

OneNote Spear-Phishing Campaign | Trustwave

Written by Reegun Jayapaul | Mar 9, 2023 6:00:00 AM

Trustwave SpiderLabs “noted” in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.

In this blog, we uncover the current attack techniques with the detection of network indicators and MITRE coverage.

For details about the initial decoy document, please refer to the TWSL blog Trojanized OneNote Document Leads to Formbook Malware.

Figure 1. Initial Decoy OneNote

 

Malware Campaigns

The current investigation starting January 31, 2023, shows the campaign is primarily delivering Qakbot and stealers like XWorm, Icedid, and AsyncRAT. We observed different infection chains with the PowerShell download cradle, VBS downloaders and batch file executions. Below are some of the techniques observed.

PowerShell Download Cradle:

  • PowerShell download cradle -> Qbot DLL download -> Execute via Rundll32.exe -> Inject to process.

Figure 2.  PowerShell download cradle - Method 1

Figure 3. PowerShell download cradle - Method 2

Figure 4. PowerShell download cradle - Method 3

 

VBS Downloader/Installer:

  • exe -> VBS Downloader -> Download batch file with encrypted payload -> Drops PowerShell.exe as renamed -> PowerShell.exe decrypts and executes payload.

Figure 5. VBS Installer with PowerShell - Method 1

  • exe -> JavaScript payload execution - > VBS script execution -> PowerShell download cradle downloads and executes payload.

Figure 6. VBS Installer with PowerShell - Method 2

 

Analysis of Qakbot aka Qbot

SpiderLabs has observed Qakbot more than any other malware variants. As of this date, we have observed five-bot campaigns from Qakbot with 264 C2s. Below is the analysis from the Qakbot file.

 

Qakbot Infection Flow

As seen from the above techniques, Qakbot was delivered using multiple downloading techniques with PowerShell or MSHTA predominantly used as the initial payload delivery.

Figure 7. Qakbot Infection Chain

  1. The initial decoy OneNote document is embedded with an ‘Open.cmd’ file.
  2. Upon execution of ‘Open.cmd’, it invokes the PowerShell download cradle.
  3. The hex encoded data is then decoded and passed to the parser to download the Qbot DLL.

Figure 8. PowerShell Download Cradle Parser

  1. Once downloaded, it will get executed with Rundll32.exe with the ‘Wind’ function.
  2. The Qbot packed DLL then injects into memory of process ‘grpconv.exe’ (‘msra.exe’ in some instances), and starts networking connections to Qbot C2’s.

Figure 9. Qakbot Injected into ‘grpconv.exe’ Process.

Figure 10. Qakbot C2's Decrypted in Memory

Figure 11. Qakbot Post C2 Connections

  1. The encrypted data is stored in the registry. The key would be random and not in a readable format. The decrypted stored registry values show the Qbot campaign name and persistence created.
  • The variant of Qbot malware will have its unique BotName tag for campaign identification. As of now we have five Qbot bot tags: BB12, BB14, BB15, tok01, and Obama239.

Figure 12. Decrypted Strings from Registry Shows the Qakbot Botnet Tag ‘BB15’

  • The decrypted registry value shows the persistence to Qakbot DLL.

Figure 13. Decrypted Strings from Registry Shows the Qakbot Persistence

 

Decrypted Qakbot Strings from Memory

The decrypted Qakbot strings from memory show lots of their behaviors, some of which are:

  • Querying for installed security products and running debuggers.

Figure 14. Decrypted Qakbot Strings

Figure 15. Checking for Installed Security Products and Debuggers Running

  • Post infection data collected for profiling victim and sent to C2.

Figure 16. Post Infection Data Collected

  • The memory dumps show more interesting traces like campaign name, persistence, victim bot-id, and C2 requests.

Figure 17. More info - Campaign Name, Persistence, Victim BotID

 

XWorm and Icedid

SpiderLabs has observed the usage of OneNote decoy documents by other malware variants like XWorm and Icedid. This is because they share a similar infection pattern along with VB Script payload installers.

Figure 18. XWorm Infection Flow

Figure 19. ICEdid Infection Flow

 

Detections

From the above infection flow, we can frame our detection rules custom to the working security appliances, some of which are:

  • OneNote with child process ‘cmd.exe’ with command line contains ‘.cmd,.gif,.jpeg,.jpg,.pdf,.bat.'
  • Multiple variants of PowerShell download cradles
  • OneNote with child process ‘wscript.exe, mshta.exe.’
  • A process events search for mshta.exe. In some cases, this will be run as a new instance.
  • The command line contains ‘Rundll32’ and ‘.cmd,.gif,.jpeg,.jpg,.pdf,.bat.’
  • Rundll32 events with DLLs run with ordinal functions ‘Wind’, ‘Updt’
  • Rundll32 events with network connections are a good indicator.
  • Rundll32 as parent process with any child (Suspected Injected Process) and having network connections.

The Rundll32 events will be noisy, but it is a good starting point for an investigation that, as a goal, is "Better safe than sorry."

 

MITRE Coverage

Tactic

Technique

Defense Evasion

File and Directory Permissions Modification - T1222

 

Obfuscated Files or Information - T1027

 

Obfuscated Files or Information: Indicator Removal from Tools - T1027.005

 

Rundll32 - T1218.011

 

Regsvr32 - T1218.010

 

Deobfuscate/Decode Files or Information - T1140

 

Mshta - T1218.005

 

Process Injection - T1055

 

Modify Registry - T1112

Discovery

File and Directory Discovery - T1083

 

System Information Discovery - T1082

 

System Location Discovery - T1614

 

Query Registry - T1012

Execution

Command and Scripting Interpreter - T1059

 

User Execution - T1204

 

Malicious File - T1204.002

 

Malicious Link - T1204.001

 

Windows Management Instrumentation - T1047

Initial Access

Spearphishing Attachment - T1566.001

Persistence

Registry Run Keys / Startup Folder - T1547.001

 

Scheduled Task - T1053.005

Command and Control

Application Layer Protocol - T1071

 

Conclusion

Once an adversary has successfully gained a foothold with their initial access being a phishing email, they must establish a backdoor and persistence. There are many ways to accomplish these feats, all while evading detection. Depending on what reconnaissance informs them and the intel they gather from their target’s environment, the tools they use to employ those techniques can vary. Therefore, it is ever important to remain vigilant and continually hunt for these behaviors.

Trustwave's recent revamp of its Advanced Continual Threat Hunt (ACTH) with a new patent-pending methodology enables Trustwave to conduct threat hunts and monitor our customers as this campaign continues. ACTH is now offered as an option in Trustwave's Managed Detection and Response Services. For more information, please read Trustwave Revamps Continual Threat Hunting Enabling Significantly More Hunts and Unique Threat Findings.

IOCs

IoCs for payload delivery URLs and Qakbot C2 IP Addresses are available here: https://github.com/SpiderLabs-Threat-Ops/SpiderLabs-Threat-Hunt/tree/main/Threat%20Indicators/OneNote_Campaign_February2023.