Hackers have been found leveraging Microsoft OneNote files as a vector to compromise systems across various industries.
The campaign, under the radar of cybersecurity experts, showcases a new trend in cyber threats, exploiting commonly used office applications to gain unauthorized access to corporate networks.
The malicious campaign was first documented by pr0xylife on their GitHub repository. According to researchers from THE DFIR REPORT, it revealed a widespread email phishing operation targeting companies in manufacturing, technology, energy, retail, insurance, and several other sectors.
The emails contained OneNote attachments purporting to be “secure messages,” a guise to trick recipients into opening the files.
Are you from The Team of SOC, Network Security, or Security Manager or CSO? Download Perimeter’s Guide to how cloud-based, converged network security improves security and reduces TCO.
Adapt to the changing threat landscape effortlessly with Perimeter 81’s cloud-based, unified network security platform.
Proofpoint Threat Research highlighted the campaign’s relatively low volume, with researchers saying that fewer than a thousand messages were observed over two days.
However, the broad targeting across unrelated industries underscores the threat actors’ intent to cast a wide net, hoping to snag unsuspecting victims.
The attack begins with the victim receiving an email containing a OneNote file.
Upon opening, this file presents a large “Open” button behind which lies a Windows batch file named “O p e n.cmd.”
Once executed, this file leverages PowerShell to download an IcedID DLL disguised as a JPG file. This DLL then connects to command and control servers, signaling the system’s successful compromise.
The simplicity of the initial access vector, coupled with the use of a non-sophisticated OneNote file, highlights the attackers’ reliance on social engineering rather than technical sophistication to breach corporate defenses.
The intrusion doesn’t stop at the initial breach.
On the 33rd day of the intrusion, the IcedID malware facilitated the execution of Cobalt Strike beacons, a testament to the attackers’ patience and persistence.
Cobalt Strike, a legitimate tool used by cybersecurity professionals, has been co-opted by hackers for malicious purposes, allowing them to maintain a foothold within the compromised network.
The campaign also demonstrated a method for achieving persistence by creating scheduled tasks and installing AnyDesk, a remote desktop software.
This allowed the attackers to return to the compromised system at will, further entrenching their presence within the victim’s network.
The attackers employed various techniques to evade detection, including masquerading the malware DLL as a standard image file type and using standard Windows process names for their malicious payloads.
Additionally, the initial compromise was facilitated through an account in the domain administrators’ security group, bypassing the need for privilege escalation.
The campaign’s ultimate goal appears to have been data exfiltration and ransomware deployment.
The attackers prepared for exfiltration by installing FileZilla on the compromised server and later deployed Nokoyawa ransomware, encrypting files and demanding a ransom for their release.
Nokoyawa.
If you see this, your files have been successfully encrypted and stolen.
Don't try to search free decryption method.
It's impossible.
We are using symmetrical and asymmetric encryption.
ATTENTION:
- Don't rename encrypted files.
- Don't change encrypted files.
- Don't use third-party software.
You are risking irreversibly damaging the file by doing this.
If you manage to keep things quiet on your end, this will never be known to the public.
To reach an agreement you have 48 hours to visit our Onion Website.
How to open Onion links:
- Download the TOR Browser from the official website.
- Open and enter this link:
http://nokopay<REDACTED>
- On the page, you will see a chat with the Support.
- Send your first message.
Don't waste your time.
Otherwise, all your valuable and sensitive data will be leaked.
Our websites are full of companies that doubted the fact of the data breach or its extent.
- http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion/
- http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion/
- http://snatchteam.top
This campaign underscores the evolving landscape of cyber threats, where attackers exploit the trust in commonly used applications to bypass traditional security measures.
The use of Microsoft OneNote files to deliver malware represents a shift towards more creative attack vectors, necessitating a reevaluation of cybersecurity strategies to protect against such threats.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…
Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…
The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…
Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…
A security researcher discovered a vulnerability in Windows theme files in the previous year, which…
The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…