Last week, the cybersecurity researchers on Perception Point’s IR team uncovered an attack that leverages password-protected OneNote files to deliver malware. Caught by our advanced threat detection platform, the attack was flagged due to the executables embedded in the document. Upon further review, our researchers analyzed the new evasion technique that aims to conceal the malicious payload by exploiting encrypted OneNote documents. Read on to learn more. 

The OneNote Attack

In recent years, threat actors have increasingly turned to social engineering tactics and sophisticated malware delivery methods to target individuals and organizations. One technique involves the use of OneNote documents to deliver malware via malicious spam emails. By tricking recipients into downloading seemingly harmless OneNote files, attackers can effectively infect systems and steal sensitive information. What makes this attack particularly unique, however, is the addition of encryption. Instead of relying on the target to click on the file, automatically triggering the payload, the architects of this attack employ this extra step under the guise of “security” and to evade detection. Here’s how it works:  

The user receives a phishing email, detailing the remittance advice of an online transaction for a payment of $175k.

Figure 1: The phishing email 

By mentioning such a large sum of money, the attacker adds a sense of urgency to the email. The goal is to convince the user to open the document without a second thought. However, perhaps more interesting is that the attacker includes password details to download the encrypted OneNote file. 

Attached to the email is a file called “0323 Remittance.onepkg.”

Figure 2: The OneNote attachment

This attachment is a OnePKG file, a Microsoft OneNote package file that contains multiple files and folders related to a specific notebook, including the pages, sections, and images that comprise the notebook. OnePKG files can be used to backup, transfer, or share OneNote notebooks.

When the user double clicks on the file, the OneNote application opens, displaying the following window:

Figure 3: OneNote display window

The user is then prompted to enter the password included in the initial email.

Figure 4: The OneNote password

Once the user enters the password, the malicious notebook is presented:

Figure 5: The malicious notebook 

What then appears is a fake document with a “click to action” button. Once the user clicks, an embedded executable starts running, unleashing RedLine Stealer malware. RedLine Stealer is a malware used to harvest credentials and data from browsers, steal cryptocurrency, and execute commands. This means that once a computer is infected, the user faces potentially irreparable consequences.

Learn more about RedLine Stealer malware in the Tweets below: 

Behind the OneNote Attack

When our researchers saw this attack, they wanted to dive deeper and extract the payload manually. In order to do so, they needed to first extract the OneNote attachment payload statically without running the OneNote document. To do this, they used the tool “OneNoteAnalyzer,” created by @knight0x07.

They wanted to extract the OneNote document itself (.one) and not the initial OneNote package file. By opening the .onepkg in 7zip, they were able to extract the .one file individually (this was necessary because the .one file is the actual document that the user would open).

Figure 6: Opening the OneNote file

Upon running the extracted document through the OneNoteAnalyzer tool, an error pops up:

Figure 7: OneNoteAnalyzer Error

The error appears because the document is password encrypted, as are the files. This means that they cannot be accessed without the password. To overcome this, our researchers modified the tool slightly and added the support for password input (by adding the flag –pass). By doing this, we were able to easily extract the embedded files.

Figure 8: The modified tool

Takeaways from the OneNote Attack

The use of OneNote attachments as a delivery method for malware highlights the importance of being cautious when opening attachments, even if they appear to be from a trusted source. Social engineering tactics such as creating a sense of urgency or fear, and presenting seemingly harmless documents, can be effective in tricking users into opening malicious files. Additionally, using passwords as a means of evasion can further increase the risk of infection, as we saw in this attack. It is crucial for individuals and organizations to remain vigilant and stay informed about the latest cybersecurity threats to mitigate the risk of falling victim to these types of attacks.

Learn more about how to protect your organization against malware here.

IOC’s

• Files:
  • 0323 Remittance.onepkg – 1155a4bda37531553661a61fcee361d664103ced30ace615406c6cd298a2c93d
  • New Section 1.one – 462bf8a2e19a3e2dd4e5635aa5089e7bdc291d5c5c4665549f64f67abf0b598a
• URLs:
  • https://rentry[.]co/u3y8w/raw
  • https://cdn.discordapp[.]com/attachments/1090282375688245381/1090289652914716702/message.txt
• C2:
  • 172.245.45[.]213:3235
• Botnet:
  •  kento