High-level view of the infection routine of the campaign with email as initial access vector.
The fake inquiry tricks the user into thinking that the opened file is a legitimate document, but in the background malicious activities were conducted.įigure 2. Trojanized OneNote document with one section using PDF viewer as a lure to let targets click on the ‘View Document’ button. Like the sample we saw last December, the embedded file abuses the RTLO character (U+202E) to disguise the file name making it appear harmless.Īn embedded fake inquiry PDF pops out once the executable is clicked. In addition, the executable masquerades as an Adobe PDF Reader icon. Once the user clicks the ‘View Document’ button, it loads an embedded executable sporting the right-to-left override (RTLO or RLO) trick making it appear as ‘Orderinvpif.pdf’ to the user and flipping the extension ‘ pdf.pif’. The OneNote document purports to be a product inquiry document in PDF format. MailMarshal manages to extract the images, texts and executable embedded in the OneNote notebook making it easy to spot suspicious contents. A fake product inquiry email with attached malicious OneNote document.
Trustwave’s MailMarshal manages to unpack and extract the contents of that OneNote document making it easy to spot suspicious embedded files.įigure 1. The first campaign uses a fake product inquiry to lure users into downloading a OneNote attachment. Unlike DOCX and XLSX, OneNote does not support VBA macros. A OneNote document consists of sections, pages, and user-created content. It is a popular application used by many organizations and individuals. It allows users to take notes, organize information and insert files such as images, documents, and even executables. OneNote is a note-taking application developed by Microsoft and bundled in its Office application suite. This multi-part blog series highlights recent campaigns we observed using this technique. We recently observed a notable spike in emails utilizing malicious OneNote attachments with notorious malware strains also shifting to this delivery mechanism. The campaign is an example of a shift away from macro-enabled documents after Microsoft tightened security measures for files downloaded from the Internet, making macro-based attacks less effective. Last December, we discovered a malicious campaign involving a trojanized OneNote document delivering Formbook. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems. Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.
0 kommentar(er)
