
Since the start of 2023, the Falcon Complete team has observed multiple phishing campaigns attempting to distribute OneNote documents embedded with malicious files. To achieve code execution, the OneNote attachments were initially embedded with HTML Application (.HTA) files, capable of executing JavaScript, JScript and VBScript. Recent variants have been embedded with Windows Command (.CMD) files that are used to execute shell commands and PowerShell scripts, as well as.

Overview of Observed TTPs and Characteristics

Initially, this change saw adversaries move to methods such as malvertising and search engine optimization poisoning. While many adversaries continue to abuse search engines, since early January 2023, CrowdStrike Intelligence and Falcon Complete have observed a sharp rise in eCrime adversaries abusing OneNote files to deliver payloads.

Figure: Comparison of likely malicious ISO and OneNote files submitted to a public malware repository by month, October 2022 to February 2023

OneNote files can be configured to contain embedded HTA, LNK and EXE files, a capability likely of high value to eCrime actors seeking to embed and distribute malicious files. While much of the early waves of OneNote files were used to deliver a custom loader popular with access brokers (a technique commonly used to deliver payloads such as AsyncRAT, QuasarRAT and Redline Stealer), OneNote files have now been adopted by high-end eCrime adversaries such as LUNAR SPIDER and MALLARD SPIDER. OneNote file builders, which can be used to generate malicious OneNote files on the fly, are also being advertised on criminal forums.
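Triage script for the embedded-file technique described above, added here as an example and not code from CrowdStrike or the original post. It assumes the FileDataStoreObject framing from the MS-ONESTORE specification (header GUID, 8-byte length, then 12 bytes of padding before the file data); the sample blob, the classify() heuristics and the build_fdso() helper are constructed for this example.

```python
import re
import struct

# Header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} of a FileDataStoreObject in on-disk
# byte order (assumed from the MS-ONESTORE spec, not taken from the page).
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# Assumed layout: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData(cbLength)
FDSO_DATA_OFFSET = 36
# Shell link header: HeaderSize 0x4C followed by the LNK CLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def classify(data: bytes) -> str:
    """Rough payload type of an embedded file, by magic bytes or text content."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    text = data[:4096].decode("latin-1").lower()
    if "<hta:application" in text or "<script" in text:
        return "hta"
    if re.search(r"^\s*@?echo off|powershell|cmd(\.exe)?\s+/c", text, re.M):
        return "cmd"
    return "unknown"


def find_embedded(blob: bytes):
    """Return (offset, kind, size) for each FileDataStoreObject found in a .one blob."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_DATA_OFFSET <= len(blob):
            (size,) = struct.unpack_from("<Q", blob, pos + 16)
            data = blob[pos + FDSO_DATA_OFFSET:pos + FDSO_DATA_OFFSET + size]
            found.append((pos, classify(data), len(data)))
        pos = blob.find(FDSO_HEADER, pos + 1)
    return found


def build_fdso(data: bytes) -> bytes:
    """Build a minimal FileDataStoreObject (constructed helper for the sample only)."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data


# Constructed sample standing in for a OneNote file carrying an HTA, a CMD and an EXE.
SAMPLE = (b"\0" * 64
          + build_fdso(b"<html><hta:application></hta:application><script>x=1</script></html>")
          + b"\0" * 32
          + build_fdso(b"@echo off\r\npowershell -File stage2.ps1\r\n")
          + build_fdso(b"MZ\x90\x00" + b"\0" * 60))

if __name__ == "__main__":
    for off, kind, size in find_embedded(SAMPLE):
        print(f"offset=0x{off:x} type={kind} size={size}")
```

Running it against a real .one file (read in binary) lists each embedded object with its guessed type, which is enough to flag HTA, CMD, LNK or PE content before the document is opened.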
