Friday, April 12, 2024

Hackers Using Microsoft OneNote Files to Orchestrate Cyber Attacks

Hackers have been found leveraging Microsoft OneNote files as a vector to compromise systems across various industries.

The campaign, under the radar of cybersecurity experts, showcases a new trend in cyber threats, exploiting commonly used office applications to gain unauthorized access to corporate networks.

The Campaign Unveiled

The malicious campaign was first documented by pr0xylife on their GitHub repository. According to researchers from THE DFIR REPORT, it revealed a widespread email phishing operation targeting companies in manufacturing, technology, energy, retail, insurance, and several other sectors.

The emails contained OneNote attachments purporting to be “secure messages,” a guise to trick recipients into opening the files.


Download Free CISO’s Guide to Avoiding the Next Breach

Are you from The Team of SOC, Network Security, or Security Manager or CSO? Download Perimeter’s Guide to how cloud-based, converged network security improves security and reduces TCO.

  • Understand the importance of a zero trust strategy
  • Complete Network security Checklist
  • See why relying on a legacy VPN is no longer a viable security strategy
  • Get suggestions on how to present the move to a cloud-based network security solution
  • Explore the advantages of converged network security over legacy approaches
  • Discover the tools and technologies that maximize network security

Adapt to the changing threat landscape effortlessly with Perimeter 81’s cloud-based, unified network security platform.

Proofpoint Threat Research highlighted the campaign’s relatively low volume, with researchers saying that fewer than a thousand messages were observed over two days.

However, the broad targeting across unrelated industries underscores the threat actors’ intent to cast a wide net, hoping to snag unsuspecting victims.

Execution and Initial Access

The attack begins with the victim receiving an email containing a OneNote file.

Upon opening, this file presents a large “Open” button behind which lies a Windows batch file named “O p e n.cmd.”

Once executed, this file leverages PowerShell to download an IcedID DLL disguised as a JPG file. This DLL then connects to command and control servers, signaling the system’s successful compromise.

OneNote Phishing Email
OneNote Phishing Email

The simplicity of the initial access vector, coupled with the use of a non-sophisticated OneNote file, highlights the attackers’ reliance on social engineering rather than technical sophistication to breach corporate defenses.

Cobalt Strike Beacon and Persistence

The intrusion doesn’t stop at the initial breach.

On the 33rd day of the intrusion, the IcedID malware facilitated the execution of Cobalt Strike beacons, a testament to the attackers’ patience and persistence.

The IcedID malware was observed dropping several files
The IcedID malware was observed dropping several files

Cobalt Strike, a legitimate tool used by cybersecurity professionals, has been co-opted by hackers for malicious purposes, allowing them to maintain a foothold within the compromised network.

The campaign also demonstrated a method for achieving persistence by creating scheduled tasks and installing AnyDesk, a remote desktop software.

During the deployment of AnyDesk, a service creation event was generated under the System channel
During the deployment of AnyDesk, a service creation event was generated under the System channel

This allowed the attackers to return to the compromised system at will, further entrenching their presence within the victim’s network.

Defense Evasion and Privilege Escalation

The attackers employed various techniques to evade detection, including masquerading the malware DLL as a standard image file type and using standard Windows process names for their malicious payloads.

The earliest indicators that something suspicious occurred were the Sysmon events
The earliest indicators that something suspicious occurred were the Sysmon events

Additionally, the initial compromise was facilitated through an account in the domain administrators’ security group, bypassing the need for privilege escalation.

Exfiltration and Impact

The campaign’s ultimate goal appears to have been data exfiltration and ransomware deployment.

Threat actors were so kind to use the sponsored version, to bring some additional PUPs as well
Threat actors were so kind to use the sponsored version, to bring some additional PUPs as well

The attackers prepared for exfiltration by installing FileZilla on the compromised server and later deployed Nokoyawa ransomware, encrypting files and demanding a ransom for their release.


If you see this, your files have been successfully encrypted and stolen.

Don't try to search free decryption method.

It's impossible.

We are using symmetrical and asymmetric encryption.


        - Don't rename encrypted files.

        - Don't change encrypted files.

        - Don't use third-party software.

You are risking irreversibly damaging the file by doing this.

If you manage to keep things quiet on your end, this will never be known to the public.

To reach an agreement you have 48 hours to visit our Onion Website.

How to open Onion links:

        - Download the TOR Browser from the official website.

        - Open and enter this link:


        - On the page, you will see a chat with the Support.

        - Send your first message.

Don't waste your time.

Otherwise, all your valuable and sensitive data will be leaked.

Our websites are full of companies that doubted the fact of the data breach or its extent.

        - http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion/

        - http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion/


This campaign underscores the evolving landscape of cyber threats, where attackers exploit the trust in commonly used applications to bypass traditional security measures.

The use of Microsoft OneNote files to deliver malware represents a shift towards more creative attack vectors, necessitating a reevaluation of cybersecurity strategies to protect against such threats.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...

Taxi App Vendor Data Leak: 300K Passengers Data Exposed

Around 300,000 taxi passengers' personal information was left exposed on the internet, causing concern...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles