Saturday, July 13, 2024

Hackers Using Microsoft OneNote Files to Orchestrate Cyber Attacks

Hackers have been found leveraging Microsoft OneNote files as a vector to compromise systems across various industries.

The campaign, under the radar of cybersecurity experts, showcases a new trend in cyber threats, exploiting commonly used office applications to gain unauthorized access to corporate networks.

The Campaign Unveiled

The malicious campaign was first documented by pr0xylife on their GitHub repository. According to researchers from THE DFIR REPORT, it revealed a widespread email phishing operation targeting companies in manufacturing, technology, energy, retail, insurance, and several other sectors.

The emails contained OneNote attachments purporting to be “secure messages,” a guise to trick recipients into opening the files.


Download Free CISO’s Guide to Avoiding the Next Breach

Are you from The Team of SOC, Network Security, or Security Manager or CSO? Download Perimeter’s Guide to how cloud-based, converged network security improves security and reduces TCO.

  • Understand the importance of a zero trust strategy
  • Complete Network security Checklist
  • See why relying on a legacy VPN is no longer a viable security strategy
  • Get suggestions on how to present the move to a cloud-based network security solution
  • Explore the advantages of converged network security over legacy approaches
  • Discover the tools and technologies that maximize network security

Adapt to the changing threat landscape effortlessly with Perimeter 81’s cloud-based, unified network security platform.

Proofpoint Threat Research highlighted the campaign’s relatively low volume, with researchers saying that fewer than a thousand messages were observed over two days.

However, the broad targeting across unrelated industries underscores the threat actors’ intent to cast a wide net, hoping to snag unsuspecting victims.

Execution and Initial Access

The attack begins with the victim receiving an email containing a OneNote file.

Upon opening, this file presents a large “Open” button behind which lies a Windows batch file named “O p e n.cmd.”

Once executed, this file leverages PowerShell to download an IcedID DLL disguised as a JPG file. This DLL then connects to command and control servers, signaling the system’s successful compromise.

OneNote Phishing Email
OneNote Phishing Email

The simplicity of the initial access vector, coupled with the use of a non-sophisticated OneNote file, highlights the attackers’ reliance on social engineering rather than technical sophistication to breach corporate defenses.

Cobalt Strike Beacon and Persistence

The intrusion doesn’t stop at the initial breach.

On the 33rd day of the intrusion, the IcedID malware facilitated the execution of Cobalt Strike beacons, a testament to the attackers’ patience and persistence.

The IcedID malware was observed dropping several files
The IcedID malware was observed dropping several files

Cobalt Strike, a legitimate tool used by cybersecurity professionals, has been co-opted by hackers for malicious purposes, allowing them to maintain a foothold within the compromised network.

The campaign also demonstrated a method for achieving persistence by creating scheduled tasks and installing AnyDesk, a remote desktop software.

During the deployment of AnyDesk, a service creation event was generated under the System channel
During the deployment of AnyDesk, a service creation event was generated under the System channel

This allowed the attackers to return to the compromised system at will, further entrenching their presence within the victim’s network.

Defense Evasion and Privilege Escalation

The attackers employed various techniques to evade detection, including masquerading the malware DLL as a standard image file type and using standard Windows process names for their malicious payloads.

The earliest indicators that something suspicious occurred were the Sysmon events
The earliest indicators that something suspicious occurred were the Sysmon events

Additionally, the initial compromise was facilitated through an account in the domain administrators’ security group, bypassing the need for privilege escalation.

Exfiltration and Impact

The campaign’s ultimate goal appears to have been data exfiltration and ransomware deployment.

Threat actors were so kind to use the sponsored version, to bring some additional PUPs as well
Threat actors were so kind to use the sponsored version, to bring some additional PUPs as well

The attackers prepared for exfiltration by installing FileZilla on the compromised server and later deployed Nokoyawa ransomware, encrypting files and demanding a ransom for their release.


If you see this, your files have been successfully encrypted and stolen.

Don't try to search free decryption method.

It's impossible.

We are using symmetrical and asymmetric encryption.


        - Don't rename encrypted files.

        - Don't change encrypted files.

        - Don't use third-party software.

You are risking irreversibly damaging the file by doing this.

If you manage to keep things quiet on your end, this will never be known to the public.

To reach an agreement you have 48 hours to visit our Onion Website.

How to open Onion links:

        - Download the TOR Browser from the official website.

        - Open and enter this link:


        - On the page, you will see a chat with the Support.

        - Send your first message.

Don't waste your time.

Otherwise, all your valuable and sensitive data will be leaked.

Our websites are full of companies that doubted the fact of the data breach or its extent.

        - http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion/

        - http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion/


This campaign underscores the evolving landscape of cyber threats, where attackers exploit the trust in commonly used applications to bypass traditional security measures.

The use of Microsoft OneNote files to deliver malware represents a shift towards more creative attack vectors, necessitating a reevaluation of cybersecurity strategies to protect against such threats.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles