Stories from the SOC: OneNote MalSpam – Detection & response

This article discusses a recent increase in malware delivered through phishing emails carrying a OneNote attachment. Unlike Microsoft Word or Excel, OneNote does not support macros, which threat actors have previously abused to install malware. The tactics, techniques, and procedures (TTPs) employed in these attacks have not been extensively documented. However, observed TTPs include the use of Powershell.exe and Curl.exe to execute hidden processes and establish connections to external sites that download and execute malware. SentinelOne, a cybersecurity tool, detected and mitigated the malicious files in this case.

The investigation into this malware began when SentinelOne detected a OneNote file containing malware sourced from Outlook, indicating a phishing email. The MES SOC Threat Hunters initiated a deep dive into the activity. They utilized Deep Visibility, a feature within SentinelOne, to gain greater insight into the purpose and processes of the detected file. Deep Visibility allows security teams to investigate and respond to threats by providing comprehensive information on processes, network connections, and file activities.

During the expanded investigation, the Threat Hunters conducted an events search using Deep Visibility. They found a Curl.exe process associated with the external domain minaato[.]com. Further analysis revealed that this domain was a file-sharing website with additional malicious indicators. Through the analysis of DNS requests, SECTOR identified a chain of processes involving mshta.exe, curl.exe, and onenote.exe, which triggered an alert in SentinelOne. Another file named Cancellation[.]one was also detected.

The Threat Hunters conducted an event deep dive, creating search queries based on initial indicators of compromise (IOCs) found in the investigation. They also shared these IOCs with the AT&T AlienLabs team for additional detection and correlation rules. A third heuristic-based search query was created to identify any remaining events related to the malware that SentinelOne might have missed. This demonstrates the importance of combining threat hunting with SentinelOne’s Deep Visibility for enhanced security.
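The process chain and IOC-driven hunting described above can be reproduced outside any particular vendor console. The following is an added example, not code from the original article or from SentinelOne: a small heuristic detector that replays process-creation events, flags the onenote.exe to mshta.exe/powershell.exe to curl.exe ancestry, and separately matches any contacted domain against the article's one domain IOC. The event schema, process IDs and sample events are constructed for illustration; only minaato[.]com comes from the article.

```python
"""Heuristic detection of the OneNote -> LOLBin -> curl.exe chain.

Added example, not the article's or SentinelOne's code. The event fields,
PIDs and sample events below are constructed; the only value taken from the
article is the defanged domain IOC minaato[.]com.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Domain IOC from the article (defanged). Real telemetry carries the plain form,
# so every comparison goes through normalize_domain() first.
DOMAIN_IOCS = {"minaato[.]com"}

# Stage names used by the chain the article describes.
OFFICE_ORIGIN = {"onenote.exe"}
LOLBINS = {"mshta.exe", "powershell.exe"}   # intermediate script hosts
DOWNLOADERS = {"curl.exe"}                  # final download stage


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                 # process image name, lower-cased
    cmdline: str
    domain: Optional[str] = None   # DNS name the process resolved, if any


def normalize_domain(d: str) -> str:
    """Map defanged or mixed-case names ('MINAATO[.]COM.') to 'minaato.com'."""
    return d.replace("[.]", ".").lower().rstrip(".")


# Pre-normalised IOC set so each event costs one set lookup.
_IOC_SET = {normalize_domain(d) for d in DOMAIN_IOCS}


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], depth: int = 5) -> List[str]:
    """Image names from ev up through its parents (bounded to avoid PID-reuse loops)."""
    chain = [ev.image]
    cur = ev
    for _ in range(depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent.image)
        cur = parent
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, image, reasons) for every event that trips a heuristic or an IOC."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        reasons = []
        chain = ancestry(ev, by_pid)
        lineage = set(chain[1:])
        # Heuristic 1: OneNote directly spawning a script host is unusual on its own.
        if ev.image in LOLBINS and chain[1:2] and chain[1] in OFFICE_ORIGIN:
            reasons.append("onenote spawned script host: " + " <- ".join(chain))
        # Heuristic 2: a downloader whose ancestry contains both a LOLBin and OneNote.
        if ev.image in DOWNLOADERS and (lineage & LOLBINS) and (lineage & OFFICE_ORIGIN):
            reasons.append("onenote->lolbin->downloader chain: " + " <- ".join(chain))
        # IOC match: independent of the chain, so a lone curl to the domain still fires.
        if ev.domain and normalize_domain(ev.domain) in _IOC_SET:
            reasons.append("known-bad domain: " + ev.domain)
        if reasons:
            findings.append((ev.pid, ev.image, reasons))
    return findings


# Constructed sample telemetry: one malicious chain plus two benign branches.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "outlook.exe", "outlook.exe"),
    ProcEvent(200, 100, "onenote.exe", 'onenote.exe "Cancellation.one"'),
    ProcEvent(300, 200, "mshta.exe", "mshta.exe <dropped .hta, path constructed>"),
    ProcEvent(400, 300, "curl.exe", "curl.exe -o <payload> <url>", domain="minaato[.]com"),
    ProcEvent(500, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(600, 500, "onenote.exe", "onenote.exe"),       # benign OneNote, no children
    ProcEvent(700, 500, "cmd.exe", "cmd.exe"),
    ProcEvent(800, 700, "curl.exe", "curl.exe https://example.com", domain="example.com"),
]


def run_sample() -> List[Tuple[int, str, List[str]]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, image, reasons in run_sample():
        print(pid, image)
        for r in reasons:
            print("   ", r)
```

Keeping the IOC check independent of the chain heuristics mirrors the article's two-pronged approach: the IOC query catches the known domain even when the process ancestry is truncated or the binary names differ, while the chain heuristic catches a repeat of the same technique against a domain not yet on the block list.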

After gathering all the necessary information, SECTOR detonated the malicious OneNote file in a sandbox environment. They discovered that the file contained a hidden malicious link disguised under a stock Microsoft image, leading to the domain minaato[.]com. The findings were shared with affected customers and other cybersecurity teams within AT&T for situational awareness.

Affected customers were provided with remediation steps based on their specific experience with the malware. Some customers were successfully compromised, while others avoided execution or downloads associated with the malware. Remediation steps included removing all files from affected devices, resetting user passwords, scanning assets for unauthorized activity, blocking all IOCs, and implementing firewall block rules.

In conclusion, this article highlights the increase in malware sent via phishing emails with OneNote attachments. The investigation into these attacks utilized SentinelOne’s Deep Visibility feature and involved the identification of IOCs, analysis of malicious domains, and remediation steps for affected customers. It emphasizes the importance of combining threat hunting and cybersecurity tools for comprehensive security measures.
