The OneNote malware attack – A retrospective

At Binalyze we’re always actively monitoring for the latest exploits and attack vectors. We’re also in constant conversation with our customers, discussing threats in the wild and sharing best practice. 

In this article, we’re going to discuss the surge in Microsoft OneNote malware attack vectors that started popping up towards the end of January this year, and the potential threat they continue to pose for enterprise security.

OneNote Malware Attacks on the Rise

During a research session, in early January we spotted a significant uptick in activity related to OneNote documents, whose popularity had skyrocketed. 

We started to dig deeper and ensure AIR’s detection capabilities were tuned to this potential threat. This is when the undetected document named Invoice.one really caught our attention.

Initial Investigation and VirusTotal Results

Searching on VirusTotal resulted in 11/60 vendors detecting this file and a quick investigation revealed nothing seemingly wrong with the document itself, but its ITW (in the wild) distribution urls pointed to something far more suspicious.

To be 100% sure that the document was not malicious, we executed the file in a sandbox environment, and it indeed turned out to be a clean looking invoice - so no immediate cause for concern, yet something about the file aroused our suspicions.

Uncovering the Social Engineering Trick

There was still one more possibility we had yet to explore, that this document could be used as a decoy during malware deployment. This is an increasingly common trick, used to distract a victim with the legitimate document, whilst malware is then silently deployed in the background.

As we dug even deeper, our suspicions were validated when we found that one of the ITW urls (shown in the previous picture) had referenced another OneNote document. This time the document had a lot more detections.

So, we set about opening that document , discovering it yielded another social engineering trick -  where an attacker wants you to double-click on a window in order to view that file.

After clicking once, and then moving that window to the side, we revealed a series of hidden VBS documents.

In this instance you’re able to click once, on just one of them, and then drag it out of the document to another location. Opening them in Notepad finally revealed the truth behind how our Invoice.one decoy document was being used. It was actually concealing another BAT file being downloaded, and this is how this multi-stage malware deployment worked.

The Hunt is On

Let’s talk practically about how we can now locate this malicious activity using AIR. Our first step is to log into the AIR console, selecting our organization and suitable endpoints. If the agent isn’t already installed, we need to deploy it to the endpoints, which takes just minutes.

Once the agent is up and running on the endpoint, it’s super easy, we just go to Acquire. There’s an option to name this case, and we’re going to set our acquisition profile to quick.

You’ll notice underneath there’s some options tabs, in this instance we’re going to need DRONE turned on and for simplicity, we’re going to have our Analyzers set to auto-pilot before clicking start.(Both DRONE and our Analyzers are all turned on by default, but dependant on your needs, you’ve got full flexibility to turn these off or select Analyzers ad-hoc.)

Thanks to AIR’s lightning fast speed, within just 2 minutes (on our test endpoint) we’ve got a full report ready to view. Here we can see that AIR has correctly identified and flagged the OneNote file as suspicious. From start to finish, it’s only taken minutes to complete this entire task.  

The Importance of Vigilance and Enterprise Security

Sadly, this sort of malicious activity is increasingly commonplace and just highlights how vigilant every enterprise needs to be. The potential damage caused by a single breach can be significant. The typical investigation costs following a breach are on average $1.5 million with the average cost of a data leak, potentially from a file just like this, totalling upwards of $4.2 million.

To find out more about AIR, how it can improve your DFIR capabilities and help maintain a more resilient cyber security posture - why not sign up for a free 14 day trial? 

Simply click the link below to start your trial today.