Trustwave Corporation

03/08/2023 | News release | Distributed by Public on 03/08/2023 08:04

A Noteworthy Threat: How Cybercriminals are Abusing OneNote – Part 2

In part one, we examined how threat actors abuse a OneNote document to install an infostealer. Part 2 walks through an AsyncRAT infection chain and details the important parts of its code. We also take a quick look at two other notable families delivered the same way, Qakbot and Remcos RAT.

AsyncRAT

This campaign starts with an email telling the recipient they have an unpaid invoice. The message is written to create urgency and push the recipient into opening the attached OneNote notebook.

Figure 1. MailMarshal console showing the suspicious batch file, images and text contained in the OneNote notebook.

The OneNote document contains a single section with a 'click to view document' button image placed directly over the batch script. A click on the image actually lands on the embedded batch file beneath it, which OneNote then offers to run behind a security warning that recipients often dismiss. To make sure that any click on the button hits a file, the threat actors tile copies of the script across the full width of the image.

Figure 2. The OneNote document uses a plain background with a button image placed right above the batch file.

Infection Chain

Figure 3. Each stage of the delivery mechanism is nested inside the previous one: the OneNote notebook carries the batch script, the batch script carries the encrypted .NET loader, and the loader carries the main payload in its resource section.

Batch Script

The batch script obfuscates its main command by splitting it into many fragments. It first assigns the literal string 'set' to a handful of environment variables, then uses those variables in place of the set command to define further variables that each hold a slice of the real command. At the end it concatenates the slices (a run of %var%%var%... references) to reassemble and execute the command.

Figure 4. The batch script uses a chain of set commands to split and obfuscate its malicious code, then concatenates the variables to rebuild it. To see the reconstructed command without running it, prefix each concatenation line with echo.
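The echo trick works line by line; for a script with dozens of slices it is quicker to let a small parser do the same expansion that cmd.exe performs. The following is an added example, not code from Trustwave or from the campaign: it resolves exactly the pattern described above (variables holding the word 'set', slices defined through them, a final concatenation) against a batch script constructed in that style. The real skyy.bat differs in variable names and layout; delayed expansion (!var!), caret escapes and FOR loops are outside what this handles.

```python
"""Reconstruct the command hidden by a set-spliced batch script.

Added example, not code from the original write-up. The sample script is
constructed to mirror the obfuscation described in the text.
"""
import re

SAMPLE_BAT = r'''@echo off
set "gx=set"
%gx% "aa=pow"
%gx% "ab=ershe"
%gx% "ac=ll.exe"
%gx% "ad= -w hidden -ep bypass -c "
%gx% "ae=[IO.File]::ReadAllText('%~f0')"
%aa%%ab%%ac%%ad%%ae%
:: QUJDREVGRw==
'''

# set "name=value"  or  set name=value   (matched after %var% expansion)
SET_RE = re.compile(r'^\s*set\s+(?P<q>")?(?P<name>[^=\s"]+)=(?P<val>.*)$', re.IGNORECASE)
# %name% references; names never contain whitespace, so '100% done %x%' cannot mis-pair
VAR_RE = re.compile(r"%([^%\s]+)%")


def expand(line: str, env: dict) -> str:
    """Expand %name% for names the script defined. Names it did not define are
    kept verbatim (cmd.exe would blank them in a batch file, but e.g. %~f0, the
    script's own path, is more useful to an analyst when left visible)."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def deobfuscate(batch_text: str):
    """Return (env, commands): the variables the script defines and the fully
    expanded command lines it would actually execute."""
    env: dict = {}
    commands = []
    for raw in batch_text.splitlines():
        line = expand(raw, env).strip().lstrip("@")   # '@set' and '@echo' are common
        if not line or line.startswith("::") or line.lower().startswith("rem "):
            continue                                 # comments, incl. the '::' payload line
        m = SET_RE.match(line)
        if m:
            val = m.group("val")
            if m.group("q") and val.endswith('"'):
                val = val[:-1]                       # set "name=value" form
            env[m.group("name").lower()] = val
            continue
        commands.append(line)
    return env, commands


if __name__ == "__main__":
    env, cmds = deobfuscate(SAMPLE_BAT)
    for c in cmds:
        print(c)
```

Because each line is expanded with the variables defined so far, slices that are themselves built from earlier variables resolve correctly, which is the same immediate-expansion order cmd.exe applies.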

The script copies powershell.exe into its current working directory under the name skyy.bat.exe, so the process that follows does not show PowerShell's image name in telemetry. It then launches that copy with a hidden window and the execution policy bypassed, passing the original batch script as its input.

The PowerShell command reads the batch script and locates a base64 chunk stored on a line that starts with '::'. Because cmd.exe treats '::' as a comment, the blob rides along inside the batch file without ever being executed. The command base64-decodes the chunk, decrypts it with AES in CBC mode using a hardcoded key and initialization vector, and Gzip-decompresses the result, which yields a .NET executable. Finally, it loads that executable straight into memory with Assembly.Load, so the loader is never written to disk.

Figure 5. The reconstructed PowerShell used to unpack and decrypt the payload hidden in the batch script. Method names such as Load, ReadAllText and FromBase64String are written backwards and reversed at run time, so the plain names never appear in the script.
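To recover the loader from a captured skyy.bat, an analyst replays the same three steps outside PowerShell. The block below is an added example (not the actors' code and not Trustwave's tooling) that does so in Python; it assumes the `cryptography` package is installed. The key and IV are the ones recovered from the loader and listed in the .NET Loader section; the batch file and payload are constructed for the demo, so the payload is a stand-in with an MZ header rather than a real assembly. Padding is PKCS7, the default of the .NET AES classes the stub relies on.

```python
"""Replay the unpacking chain the PowerShell stub runs over skyy.bat:
find the '::' comment carrying base64, decode it, AES-CBC decrypt with the
hardcoded key and IV, gunzip, and check that a PE image comes out.

Added example, not code from the campaign or the original write-up.
Requires the `cryptography` package. Batch text and payload are constructed.
"""
import base64
import gzip
import re

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY = base64.b64decode("CLUnQ5OX0VGId/0Mcukekl6k3e72rzwV4EupkumpVGQ=")  # 32 bytes -> AES-256
IV = base64.b64decode("7WJ4i/8wa+eRcMTbbLS/+g==")                      # 16 bytes

# cmd.exe treats a line starting with '::' as a comment, so the blob never runs.
B64_COMMENT_RE = re.compile(r"^\s*::\s*([A-Za-z0-9+/=]{64,})\s*$", re.MULTILINE)


def aes_cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC with PKCS7 padding, the .NET AesCryptoServiceProvider default."""
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(data) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def aes_cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Inverse of aes_cbc_decrypt; only needed to build the constructed sample."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(data) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def extract_blob(batch_text: str) -> bytes:
    m = B64_COMMENT_RE.search(batch_text)
    if not m:
        raise ValueError("no '::' comment carrying a base64 chunk")
    return base64.b64decode(m.group(1))


def unpack(batch_text: str, key: bytes = KEY, iv: bytes = IV) -> bytes:
    """base64 -> AES-CBC -> gzip, in the order the PowerShell stub uses."""
    return gzip.decompress(aes_cbc_decrypt(extract_blob(batch_text), key, iv))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check; real triage would parse the PE header (e.g. with
    pefile) and confirm the CLR header before calling it a .NET assembly."""
    return data[:2] == b"MZ"


# --- constructed sample (not a real PE, not the real batch file) -------------
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed stand-in for the .NET loader"


def build_sample_batch(payload: bytes = FAKE_PAYLOAD) -> str:
    """Pack a payload the way the actors did: gzip, AES-CBC, base64, '::' line."""
    blob = base64.b64encode(aes_cbc_encrypt(gzip.compress(payload), KEY, IV)).decode()
    return ("@echo off\r\n"
            "copy %SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe skyy.bat.exe\r\n"
            "skyy.bat.exe -w hidden -ep bypass -c \"<decode stub here>\"\r\n"
            ":: " + blob + "\r\n")


if __name__ == "__main__":
    sample = build_sample_batch()
    out = unpack(sample)
    print(len(extract_blob(sample)), "encrypted bytes ->", len(out), "bytes, PE:", looks_like_pe(out))
```

Run `unpack()` against the real skyy.bat and the output is the .NET loader described next; the same `aes_cbc_decrypt` with the same key and IV also decrypts that loader's strings and its payload.exe resource, because the actors reused one key/IV pair throughout.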

.NET Loader

Let's now examine the entry point. The loader resolves the Windows API functions it needs at run time through LoadLibrary and GetProcAddress, so none of them appear in its import table.

Some Windows API names and other notable strings are encrypted with AES in CBC mode and stored base64-encoded. The key and initialization vector (IV) are hardcoded in the executable, and the loader's AES decryption function takes three arguments: the input, the key and the IV. The same key/IV pair also decrypts the main payload, so once an analyst recovers the pair, every encrypted string and the embedded payload fall to a single routine.

  • Key (base64, 32 bytes, so AES-256): CLUnQ5OX0VGId/0Mcukekl6k3e72rzwV4EupkumpVGQ=
  • IV (base64, 16 bytes): 7WJ4i/8wa+eRcMTbbLS/+g==

Figure 6. The loader function used to decrypt encrypted strings with AES in CBC mode.

Figure 7. At its entry point the loader starts by evading defenses: it bypasses the Antimalware Scan Interface (AMSI) and disables Event Tracing for Windows (ETW) by patching both functions in memory.

The loader first resolves the address of VirtualProtect, then that of AmsiScanBuffer from amsi.dll; the AmsiScanBuffer name is stored encrypted and is decrypted and resolved through a chain of function calls. With the address in hand, the loader calls VirtualProtect to make the start of the function writable, overwrites those bytes with a crafted byte array, and restores the original page protection. The patch makes AmsiScanBuffer report a clean result without scanning, so anything PowerShell or the .NET runtime hands to AMSI from this point on is waved through.

Next, the loader resolves EtwEventWrite from ntdll.dll and applies the same procedure, writing an opcode that stops the process from emitting Event Tracing for Windows (ETW) events. Both patches aim to blind antivirus and event logging before the payload runs. They are local to the infected process, however: kernel-mode telemetry is unaffected, and security products that watch for protection changes on amsi.dll and ntdll.dll code pages can still catch the patching itself.

The loader then retrieves the main payload from its resource section: it decrypts the resource name, payload.exe, and passes it to a method that loads the resource's bytes into memory. Those bytes go through the same AES decryption function followed by Gzip decompression, yielding another .NET executable.

Finally, the main payload is reflectively loaded into memory and executed through Assembly.Load.

At the end of the loader routine, it spawns a command line assembled from decrypted string fragments and the name of the calling process, skyy.bat.exe (the PowerShell copy). The resulting command 'cmd.exe /c choice /c y /n /d y /t 1 & attrib -h -s skyy.bat.exe & del skyy.bat.exe' waits one second (the choice call with a one-second timeout acts as a sleep), clears the hidden and system attributes on skyy.bat.exe, and deletes it, removing the renamed PowerShell from disk.

Figure 8. Calling 'Assembly.Load(rawAssembly).EntryPoint' loads the main payload into memory and runs it; afterwards the loader removes the PowerShell copy from its working directory.
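The batch and loader stages leave several telltale command lines in process-creation telemetry: a renamed PowerShell running from a .bat.exe image with a hidden window and bypassed execution policy, .NET method names spelled backwards, and the choice/attrib/del self-delete quoted above. The block below is an added example (not Trustwave's detection content) of triage rules for those artifacts, run over three constructed events in the shape of Sysmon event 1 or EDR process-creation records; the sample command lines are modelled on the text, not copied from the malware.

```python
"""Command-line triage for the behaviours this chain leaves in telemetry.

Added example, not Trustwave's detection content. SAMPLE_EVENTS are
constructed; feed real image and command-line fields to triage().
"""
import re

# .NET members the PowerShell stub spells backwards (daoL, txeTllAdaeR, ...)
SUSPICIOUS_METHODS = {"Load", "ReadAllText", "ReadAllBytes", "FromBase64String", "Invoke", "GetType"}

RULES = {
    # powershell.exe copied and renamed with a double extension (skyy.bat.exe)
    "bat_exe_image": re.compile(r"\b[\w-]+\.bat\.exe\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "exec_policy_bypass": re.compile(r"-e[a-z]*\s+bypass\b", re.I),
    # 'choice /c y /n /d y /t 1' is a one-second sleep before the delete
    "self_delete": re.compile(r"\bchoice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+\b.*\bdel\b", re.I),
    "attrib_unhide": re.compile(r"\battrib\s+-h\s+-s\b", re.I),
}


def reversed_method_names(cmdline: str) -> list:
    """Names from SUSPICIOUS_METHODS that appear reversed in the command line."""
    found = set()
    for tok in re.findall(r"[A-Za-z0-9]{4,}", cmdline):
        if tok[::-1] in SUSPICIOUS_METHODS:
            found.add(tok[::-1])
    return sorted(found)


def triage(event: dict) -> list:
    """Return the sorted list of tags that fire on one process-creation event."""
    text = f"{event['image']} {event['cmdline']}"
    tags = [name for name, rx in RULES.items() if rx.search(text)]
    tags += [f"reversed_name:{m}" for m in reversed_method_names(event["cmdline"])]
    return sorted(tags)


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\Downloads\skyy.bat.exe",
     "cmdline": ("skyy.bat.exe -w hidden -ep bypass -c "
                 "$a='txeTllAdaeR'; $b='gnirtS46esaBmorF'; $c='daoL'; "
                 "[IO.File]::(-join $a[-1..-$a.Length])('skyy.bat')")},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c choice /c y /n /d y /t 1 & attrib -h -s skyy.bat.exe & del skyy.bat.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign contrast
     "cmdline": "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", triage(ev) or "clean")
```

The reversed-name check is the most robust of the rules, because the stub must keep the exact reversed spelling for [array]::Reverse or a string join to rebuild it; the flag-based rules are cheap but will also fire on legitimate administration scripts, so treat them as enrichment rather than stand-alone alerts.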

Main Payload: AsyncRAT

AsyncRAT is an open-source, .NET-based remote access tool (RAT) used to control computers and access their data remotely. Its range of capabilities, including keylogging and defense evasion features, makes it a popular choice for cybercriminals.

This sample's configuration is encrypted with AES-256 in CBC mode. The tool's full feature set is well documented in its public repository, which has been available since 2019.

Figure 9. The original filename of the assembly is 'AsyncClient', which is a common name of binaries generated from AsyncRAT builder.

AsyncRAT configuration:

  • Key: QXVacHdzc0VabU1jaFVCQU5zbDBJWVZTbDdSd1pkU3A=
  • Ports: 6606,7707,8808
  • Hosts: mikludoykxx[.]ddns.net, mikeludomax[.]ddns.net, mikeludoyyxx[.]ddns.net
  • Version: 0.5.7B
  • InstallFolder: %AppData%
  • MTX: AsyncMutex_6SI8OkPnk
  • Delay: 3

Other Notable Malware Strains

Recently, we have seen Qakbot actively abusing OneNote to deliver its payload. The infection chain is similar to its previous campaigns; what has changed is the attachment, which has shifted from HTML smuggling to a trojanized OneNote notebook.

Qakbot's email lure retains email thread hijacking as part of its arsenal: the threat actor injects malicious content into an existing conversation between two or more people. This exploits the trust that already exists between the participants and increases the chance that they click the malicious link or attachment.

The OneNote attachment poses as a document stored in the cloud. Behind the 'Open' button sits an embedded batch file that invokes PowerShell to download an additional payload, which in turn leads to the Qakbot DLL.

Figure 10. Qakbot's OneNote lure attempts to trick the users into clicking the hidden batch script.

Figure 11. Qakbot's batch script hex-encodes its download URL and execution command in an attempt to bypass static scanning and AV signatures.

Qakbot continues to infest enterprise networks and users by adopting new delivery methods, this time turning OneNote to its advantage.

Another campaign abusing OneNote delivers Remcos RAT. Remcos is a commercial remote access tool whose robust out-of-the-box feature set appeals to threat actors.

The email lure, disguised as a property information notice from a construction company, carries a OneNote document. An executable embedded in the notebook hides behind the 'click to view document' button.

Figure 12. This lure uses a simple design like the AsyncRAT campaign, but here the OneNote document embeds an executable rather than a script.

The executable is a Delphi-based loader known as ModiLoader. On execution, it adds C:\Users as an exclusion path for the antivirus scanner, so the files it drops under user profiles are never scanned and the payload is not blocked. The loader then downloads a binary from a remote URL, which results in Remcos RAT being installed on the victim's machine.

Remcos RAT configuration:

  • Version: Remcos 3.1.0 Pro
  • C2 servers:
      • 184[.]75[.]221[.]171:5129
      • 199[.]249[.]230[.]27:5129
      • 185[.]103[.]96[.]143:5129
      • 185[.]104[.]184[.]43:5129
  • Mutex: -O1VWSP

Conclusion

In this analysis, we observed the shift to OneNote documents as the initial vector for AsyncRAT delivery. We walked through each stage of the infection chain, highlighting the defense evasion techniques used: in-memory patching of AMSI and ETW, obfuscation of the batch and PowerShell stages, AES-encrypted strings and payloads, and reflective loading of .NET assemblies.

Overall, the extent of defense evasion exhibited shows how aggressively threat actors work to make their attacks effective and difficult to detect and analyze.

From what we have seen, any file type can be embedded in a OneNote notebook. Combined with convincing social engineering, that lets threat actors take control of a target's system and steal sensitive data. OneNote documents also do not open in Protected View, and files embedded in them are not subject to the Mark-of-the-Web (MOTW) checks that block macros in downloaded Office documents, which increases the risk from malicious attachments and makes the format attractive to cybercriminals.

These campaigns show that threat actors are quick to adopt new and trending delivery methods. We expect campaigns leveraging OneNote to continue for a while yet.

Indicators of Compromise

File hashes are SHA-1.

AsyncRAT

  • Invoice #10974543.one: ce7a8a6a8fdc7846b9022a746c39a00a6eb4d19c
  • skyy.bat: a2bbfb23b51cb1f2bb213dfe410601bc7fa53875
  • .NET loader: 7a0ccfb531bdc864a87bd47ce4af91e4243d9c9b
  • AsyncRAT: d2fd7053dc13293a02851cb74837d0788dc1d159

Qakbot

  • 372068.one: 1523e0e1f454e480e6e2f8c0282d3fa6ed589059
  • Open.Bat: 9ff9c3c674cfd13e2ed6199815d5f1287cd95ff2
  • Download URL: hxxp://198[.]44[.]140[.]78/210/184/187737.dat

Remcos RAT

  • Property List.one: 360c70c00d6c2804b3b64f53ef2b68a7e9d79016
  • Kgthldmuaxrymp.exe (ModiLoader): adb39f9a5f7d82e3886f551418344761f1e668df
  • Download URL: hxxps[://]tottenham02[.]duckdns[.]org/Kgthldmuaxr
  • IP address: 162[.]247[.]153[.]39
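The indicators above are defanged in two different styles (hxxp:// with [.] in the host, and hxxps[://] with [.] in the host), which trips up naive copy-and-paste into a blocklist. The block below is an added example, not part of the original write-up, that refangs and classifies such a list; its sample input copies entries from the IOC list and configurations above, and it treats any 40-hex-digit value as SHA-1 by length alone.

```python
"""Turn a defanged IOC list into typed, refanged indicators ready for a
blocklist or SIEM lookup.

Added example, not part of the original write-up. SAMPLE_IOCS copies
defanged entries from the report's IOC list and C2 configurations.
"""
import re

SAMPLE_IOCS = """
ce7a8a6a8fdc7846b9022a746c39a00a6eb4d19c
Invoice #10974543.one
hxxp://198[.]44[.]140[.]78/210/184/187737.dat
hxxps[://]tottenham02[.]duckdns[.]org/Kgthldmuaxr
162[.]247[.]153[.]39
184[.]75[.]221[.]171:5129
mikludoykxx[.]ddns.net
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
URL_RE = re.compile(r"^https?://", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)
FILE_EXTS = (".one", ".bat", ".exe", ".dll", ".dat")


def refang(token: str) -> str:
    """Undo the defanging: scheme first (hxxp://, hxxps[://]), then dots."""
    t = re.sub(r"^hxxp(s?)(?:\[://\]|://)", r"http\1://", token.strip(), flags=re.I)
    return t.replace("[.]", ".").replace("(.)", ".")


def classify(value: str) -> str:
    """Order matters: a URL may end in .dat, and an IP must not become a domain."""
    if SHA1_RE.match(value):
        return "sha1"
    if URL_RE.match(value):
        return "url"
    if IPV4_RE.match(value):
        return "ipv4"
    if DOMAIN_RE.match(value):
        return "domain"
    if value.lower().endswith(FILE_EXTS):
        return "filename"
    return "unknown"


def parse_iocs(text: str) -> list:
    """One indicator per non-empty line; the raw form is kept for the report."""
    records = []
    for line in text.splitlines():
        raw = line.strip()
        if not raw:
            continue
        value = refang(raw)
        records.append({"type": classify(value), "value": value, "raw": raw})
    return records


if __name__ == "__main__":
    for r in parse_iocs(SAMPLE_IOCS):
        print(f"{r['type']:9} {r['value']}")
```

Keep the raw (defanged) form alongside the refanged value when sharing results, so the live URLs and IPs are never pasted into a chat or ticket in clickable form.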