Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

OneNote Spear-Phishing Campaign

Trustwave SpiderLabs “noted” in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.

In this blog, we uncover the current attack techniques with the detection of network indicators and MITRE coverage.

For details about the initial decoy document, please refer to the TWSL blog Trojanized OneNote Document Leads to Formbook Malware.

19680_image002

Figure 1. Initial Decoy OneNote

 

Malware Campaigns

The current investigation starting January 31, 2023, shows the campaign is primarily delivering Qakbot and stealers like XWorm, Icedid, and AsyncRAT. We observed different infection chains with the PowerShell download cradle, VBS downloaders and batch file executions. Below are some of the techniques observed.

PowerShell Download Cradle:

  • PowerShell download cradle -> Qbot DLL download -> Execute via Rundll32.exe -> Inject to process.

19681_image004

Figure 2.  PowerShell download cradle - Method 1

19682_image006

Figure 3. PowerShell download cradle - Method 2

19683_image008

Figure 4. PowerShell download cradle - Method 3

 

VBS Downloader/Installer:

  • exe -> VBS Downloader -> Download batch file with encrypted payload -> Drops PowerShell.exe as renamed -> PowerShell.exe decrypts and executes payload.

19684_image010

Figure 5. VBS Installer with PowerShell - Method 1

  • exe -> JavaScript payload execution - > VBS script execution -> PowerShell download cradle downloads and executes payload.

19685_image012

Figure 6. VBS Installer with PowerShell - Method 2

 

Analysis of Qakbot aka Qbot

SpiderLabs has observed Qakbot more than any other malware variants. As of this date, we have observed five-bot campaigns from Qakbot with 264 C2s. Below is the analysis from the Qakbot file.

 

Qakbot Infection Flow

As seen from the above techniques, Qakbot was delivered using multiple downloading techniques with PowerShell or MSHTA predominantly used as the initial payload delivery.

19686_image014

Figure 7. Qakbot Infection Chain

  1. The initial decoy OneNote document is embedded with an ‘Open.cmd’ file.
  2. Upon execution of ‘Open.cmd’, it invokes the PowerShell download cradle.
  3. The hex encoded data is then decoded and passed to the parser to download the Qbot DLL.

19687_image016

Figure 8. PowerShell Download Cradle Parser

  1. Once downloaded, it will get executed with Rundll32.exe with the ‘Wind’ function.
  2. The Qbot packed DLL then injects into memory of process ‘grpconv.exe’ (‘msra.exe’ in some instances), and starts networking connections to Qbot C2’s.

19688_image018

Figure 9. Qakbot Injected into ‘grpconv.exe’ Process.

19689_image020

Figure 10. Qakbot C2's Decrypted in Memory

19690_image022

Figure 11. Qakbot Post C2 Connections

  1. The encrypted data is stored in the registry. The key would be random and not in a readable format. The decrypted stored registry values show the Qbot campaign name and persistence created.
  • The variant of Qbot malware will have its unique BotName tag for campaign identification. As of now we have five Qbot bot tags: BB12, BB14, BB15, tok01, and Obama239.

19691_image024

Figure 12. Decrypted Strings from Registry Shows the Qakbot Botnet Tag ‘BB15’

  • The decrypted registry value shows the persistence to Qakbot DLL.

19692_image026

Figure 13. Decrypted Strings from Registry Shows the Qakbot Persistence

 

Decrypted Qakbot Strings from Memory

The decrypted Qakbot strings from memory show lots of their behaviors, some of which are:

  • Querying for installed security products and running debuggers.

19693_image028

Figure 14. Decrypted Qakbot Strings

19694_image030

Figure 15. Checking for Installed Security Products and Debuggers Running

  • Post infection data collected for profiling victim and sent to C2.

19695_image032

Figure 16. Post Infection Data Collected

  • The memory dumps show more interesting traces like campaign name, persistence, victim bot-id, and C2 requests.

19696_image034

Figure 17. More info - Campaign Name, Persistence, Victim BotID

 

XWorm and Icedid

SpiderLabs has observed the usage of OneNote decoy documents by other malware variants like XWorm and Icedid. This is because they share a similar infection pattern along with VB Script payload installers.

19697_image036

Figure 18. XWorm Infection Flow

19698_image038

Figure 19. ICEdid Infection Flow

 

Detections

From the above infection flow, we can frame our detection rules custom to the working security appliances, some of which are:

  • OneNote with child process ‘cmd.exe’ with command line contains ‘.cmd,.gif,.jpeg,.jpg,.pdf,.bat.'
  • Multiple variants of PowerShell download cradles
  • OneNote with child process ‘wscript.exe, mshta.exe.’
  • A process events search for mshta.exe. In some cases, this will be run as a new instance.
  • The command line contains ‘Rundll32’ and ‘.cmd,.gif,.jpeg,.jpg,.pdf,.bat.’
  • Rundll32 events with DLLs run with ordinal functions ‘Wind’, ‘Updt’
  • Rundll32 events with network connections are a good indicator.
  • Rundll32 as parent process with any child (Suspected Injected Process) and having network connections.

The Rundll32 events will be noisy, but it is a good starting point for an investigation that, as a goal, is "Better safe than sorry."

 

MITRE Coverage

Tactic

Technique

Defense Evasion

File and Directory Permissions Modification - T1222

 

Obfuscated Files or Information - T1027

 

Obfuscated Files or Information: Indicator Removal from Tools - T1027.005

 

Rundll32 - T1218.011

 

Regsvr32 - T1218.010

 

Deobfuscate/Decode Files or Information - T1140

 

Mshta - T1218.005

 

Process Injection - T1055

 

Modify Registry - T1112

Discovery

File and Directory Discovery - T1083

 

System Information Discovery - T1082

 

System Location Discovery - T1614

 

Query Registry - T1012

Execution

Command and Scripting Interpreter - T1059

 

User Execution - T1204

 

Malicious File - T1204.002

 

Malicious Link - T1204.001

 

Windows Management Instrumentation - T1047

Initial Access

Spearphishing Attachment - T1566.001

Persistence

Registry Run Keys / Startup Folder - T1547.001

 

Scheduled Task - T1053.005

Command and Control

Application Layer Protocol - T1071

 

Conclusion

Once an adversary has successfully gained a foothold with their initial access being a phishing email, they must establish a backdoor and persistence. There are many ways to accomplish these feats, all while evading detection. Depending on what reconnaissance informs them and the intel they gather from their target’s environment, the tools they use to employ those techniques can vary. Therefore, it is ever important to remain vigilant and continually hunt for these behaviors.

Trustwave's recent revamp of its Advanced Continual Threat Hunt (ACTH) with a new patent-pending methodology enables Trustwave to conduct threat hunts and monitor our customers as this campaign continues. ACTH is now offered as an option in Trustwave's Managed Detection and Response Services. For more information, please read Trustwave Revamps Continual Threat Hunting Enabling Significantly More Hunts and Unique Threat Findings.

IOCs

IoCs for payload delivery URLs and Qakbot C2 IP Addresses are available here: https://github.com/SpiderLabs-Threat-Ops/SpiderLabs-Threat-Hunt/tree/main/Threat%20Indicators/OneNote_Campaign_February2023.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More