Trustwave SpiderLabs “noted” in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism. Now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, IcedID, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.
In this blog, we uncover the current attack techniques with the detection of network indicators and MITRE coverage.
For details about the initial decoy document, please refer to the TWSL blog Trojanized OneNote Document Leads to Formbook Malware.
Figure 1. Initial Decoy OneNote
The current investigation, starting January 31, 2023, shows the campaign is primarily delivering Qakbot and stealers like XWorm, IcedID, and AsyncRAT. We observed different infection chains with the PowerShell download cradle, VBS downloaders, and batch file executions. Below are some of the techniques observed.
PowerShell Download Cradle:
Figure 2. PowerShell download cradle - Method 1
Figure 3. PowerShell download cradle - Method 2
Figure 4. PowerShell download cradle - Method 3
VBS Downloader/Installer:
Figure 5. VBS Installer with PowerShell - Method 1
Figure 6. VBS Installer with PowerShell - Method 2
SpiderLabs has observed Qakbot more than any other malware variant. As of this date, we have observed five bot campaigns from Qakbot with 264 C2s. Below is the analysis from the Qakbot file.
As seen from the above techniques, Qakbot was delivered using multiple downloading techniques with PowerShell or MSHTA predominantly used as the initial payload delivery.
Figure 7. Qakbot Infection Chain
Figure 8. PowerShell Download Cradle Parser
Figure 9. Qakbot Injected into ‘grpconv.exe’ Process.
Figure 10. Qakbot C2's Decrypted in Memory
Figure 11. Qakbot Post C2 Connections
Figure 12. Decrypted Strings from Registry Shows the Qakbot Botnet Tag ‘BB15’
Figure 13. Decrypted Strings from Registry Shows the Qakbot Persistence
The decrypted Qakbot strings from memory show lots of their behaviors, some of which are:
Figure 14. Decrypted Qakbot Strings
Figure 15. Checking for Installed Security Products and Debuggers Running
Figure 16. Post Infection Data Collected
Figure 17. More info - Campaign Name, Persistence, Victim BotID
SpiderLabs has observed the usage of OneNote decoy documents by other malware variants like XWorm and IcedID. This is because they share a similar infection pattern along with VB Script payload installers.
Figure 18. XWorm Infection Flow
Figure 19. IcedID Infection Flow
From the above infection flow, we can frame detection rules tailored to the security appliances in use, some of which are:
The Rundll32 events will be noisy, but they are a good starting point for an investigation whose goal is "better safe than sorry."
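One way to turn the infection flows above into triage logic, as an added example (not SpiderLabs' own rules): it walks the process tree so that Rundll32 or Regsvr32 is only raised to high priority when it descends from OneNote, and stays a low-priority lead otherwise. The event fields (`pid`, `ppid`, `image`) and the sample events are constructed assumptions, not campaign telemetry.

```python
from pathlib import PureWindowsPath

# Script hosts and proxy binaries named in this post's infection chains.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
PROXY_BINS = {"rundll32.exe", "regsvr32.exe"}  # T1218.011 / T1218.010

def image_name(path):
    return PureWindowsPath(path).name.lower()

def ancestors(event, by_pid):
    """Return image names up the parent chain, nearest first; stops on pid loops."""
    chain, seen, ppid = [], set(), event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(image_name(by_pid[ppid]["image"]))
        ppid = by_pid[ppid]["ppid"]
    return chain

def triage(events):
    """Return {pid: (severity, reason)} for process-creation events worth review."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        img, chain = image_name(e["image"]), ancestors(e, by_pid)
        if img in SCRIPT_HOSTS | PROXY_BINS and "onenote.exe" in chain:
            hops = chain.index("onenote.exe") + 1
            findings[e["pid"]] = ("high", f"{img} is {hops} hop(s) below OneNote")
        elif img in PROXY_BINS:
            # Noisy on its own: keep as a low-priority lead, not an alert.
            findings[e["pid"]] = ("low", f"{img} with no OneNote ancestor")
    return findings

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
SYS32 = "C:\\Windows\\System32\\"
# Constructed sample events (assumed fields: pid, ppid, image).
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": OFFICE},
    {"pid": 300, "ppid": 200, "image": SYS32 + "wscript.exe"},
    {"pid": 400, "ppid": 300, "image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"},
    {"pid": 500, "ppid": 400, "image": SYS32 + "rundll32.exe"},
    {"pid": 600, "ppid": 100, "image": SYS32 + "rundll32.exe"},
    {"pid": 700, "ppid": 100, "image": SYS32 + "cmd.exe"},
]

if __name__ == "__main__":
    for pid, (sev, why) in triage(SAMPLE).items():
        print(pid, sev, why)
```

On real telemetry, key the lookup on a process GUID rather than the bare PID where the log source provides one, since PIDs are reused.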
| Tactic | Technique |
| Defense Evasion | File and Directory Permissions Modification - T1222 |
| | Obfuscated Files or Information - T1027 |
| | Obfuscated Files or Information: Indicator Removal from Tools - T1027.005 |
| | Rundll32 - T1218.011 |
| | Regsvr32 - T1218.010 |
| | Deobfuscate/Decode Files or Information - T1140 |
| | Mshta - T1218.005 |
| | Process Injection - T1055 |
| | Modify Registry - T1112 |
| Discovery | File and Directory Discovery - T1083 |
| | System Information Discovery - T1082 |
| | System Location Discovery - T1614 |
| | Query Registry - T1012 |
| Execution | Command and Scripting Interpreter - T1059 |
| | User Execution - T1204 |
| | Malicious File - T1204.002 |
| | Malicious Link - T1204.001 |
| | Windows Management Instrumentation - T1047 |
| Initial Access | Spearphishing Attachment - T1566.001 |
| Persistence | Registry Run Keys / Startup Folder - T1547.001 |
| | Scheduled Task - T1053.005 |
| Command and Control | Application Layer Protocol - T1071 |
Once an adversary has successfully gained a foothold with their initial access being a phishing email, they must establish a backdoor and persistence. There are many ways to accomplish these feats, all while evading detection. Depending on what reconnaissance informs them and the intel they gather from their target’s environment, the tools they use to employ those techniques can vary. Therefore, it is ever important to remain vigilant and continually hunt for these behaviors.
Trustwave's recent revamp of its Advanced Continual Threat Hunt (ACTH) with a new patent-pending methodology enables Trustwave to conduct threat hunts and monitor our customers as this campaign continues. ACTH is now offered as an option in Trustwave's Managed Detection and Response Services. For more information, please read Trustwave Revamps Continual Threat Hunting Enabling Significantly More Hunts and Unique Threat Findings.
IoCs for payload delivery URLs and Qakbot C2 IP Addresses are available here: https://github.com/SpiderLabs-Threat-Ops/SpiderLabs-Threat-Hunt/tree/main/Threat%20Indicators/OneNote_Campaign_February2023.