OneNote is software developed by Microsoft that facilitates digital note-taking, enabling users to capture, store and share information across different devices. The application serves as a repository for managing notes, research, ideas and other types of content. Its features include handwriting and text recognition, audio and video recording, tagging, search functions and integration with other Microsoft Office tools. In this blog we discuss the analysis of malware delivered through OneNote.

Malware Spreading Techniques Using OneNote

Malware can use OneNote to spread itself in a number of ways. One method involves using a malicious macro to execute PowerShell commands that create a new OneNote page, insert a malicious payload into the page, and then share the page with other OneNote users or groups. This can result in the malware spreading to other users who access the shared page.

Another method involves using OneNote as a carrier file to deliver malware to a target system. This can be done by embedding malicious code within a OneNote notebook or section file and then sending it to the target user via email or other means. Once the user opens the file, the malware is executed on their system.

In both cases, the malware can remain hidden in OneNote and continue to spread to other users until it is detected and removed. It is important to keep OneNote and other software updated with the latest security patches to reduce the risk of malware infection.

This method has been used to distribute various malware families, including AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook. The infection chains are made possible because of a OneNote feature that enables the execution of specific file types from within the note-taking application. This is known as a "payload smuggling" attack. "Most file types that can be processed by MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote," TrustedSec researcher Scott Nusbaum said. "These file types include CHM, HTA, JS, WSF, and VBS."

The shift to OneNote is seen as a response to Microsoft's decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML and LNK.

The objective of OneNote malware analysis is to study and understand the behavior, characteristics, and impact of malware that uses OneNote as a means of spreading and infecting systems. This involves analyzing the methods and techniques used by the malware to propagate through OneNote, as well as its persistence and ability to evade detection. The analysis also aims to identify the source of the malware and its intended targets and to develop countermeasures to prevent or mitigate its spread and damage. Ultimately, the goal is to enhance the security and resilience of systems and networks against OneNote malware attacks.

The information provided here is for educational purposes only and is not intended to encourage or endorse the handling of malware or the performance of malware analysis by individuals without the proper training and experience. The author assumes no liability for any damages or losses resulting from the use or misuse of the information provided.

The OS and tools used during this malware analysis are:

OS: REMnux (a Linux toolkit for malware analysis)

We will explain the purpose of each tool as we work through the malware analysis steps. We have finished discussing the theoretical aspect and will now begin analyzing the OneNote malware.

Analysis

A client received an email from their colleague claiming to contain an invoice for recently purchased hardware. For confidentiality purposes, we cannot display the email content, but we have extracted the attachment and will continue with our malware analysis process. We will gather some basic information about the file, such as its name, hash, size and type.
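As an added example (not the blog's own tooling), the following Python script performs the first triage step described above (name, size, hashes and type of the attachment) and then carves the files embedded in the OneNote section, which is the storage mechanism behind the "payload smuggling" technique discussed earlier: each attachment is stored as a FileDataStoreObject delimited by fixed header and footer GUIDs. The script assumes the layout documented in MS-ONESTORE (16-byte header GUID, 8-byte little-endian length, 12 bytes of unused/reserved fields, the payload, 16-byte footer GUID); because the object does not carry the original filename, the type is guessed from content with a heuristic that flags the plain-text script formats the quoted TrustedSec research names (HTA, JS, WSF, VBS). The sample bytes, the name `invoice.one` and the script-detection keywords are constructed for illustration.

```python
"""Triage a suspected malicious OneNote (.one) attachment.

Added example, not the blog's own tooling. Embedded-file layout assumed from
MS-ONESTORE 2.6.13 (FileDataStoreObject):
  guidHeader(16) | cbLength(8, LE) | unused(4) | reserved(8) | FileData | guidFooter(16)
The object carries no filename, so the type is guessed from content.
"""
import hashlib
import struct
import sys

# GUIDs as stored on disk (MS-ONESTORE).
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")    # .one file header
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # FileDataStoreObject start
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # FileDataStoreObject end
FDSO_META_LEN = 8 + 4 + 8  # cbLength + unused + reserved, following the header GUID

MAGIC = [
    (ONE_MAGIC, "OneNote section (.one)"),
    (b"MZ", "PE executable (.exe/.dll)"),
    (b"PK\x03\x04", "ZIP container (.zip/.docx/...)"),
    (b"ITSF", "Compiled HTML Help (.chm)"),
    (b"%PDF", "PDF document"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def guess_type(payload: bytes) -> str:
    """Magic bytes first, then a keyword heuristic (assumption, not a parser) for
    the text script formats OneNote can hand to mshta/wscript/cscript."""
    for magic, label in MAGIC:
        if payload.startswith(magic):
            return label
    try:
        text = payload[:4096].decode("utf-8").lower()
    except UnicodeDecodeError:
        return "unknown binary"
    if "<hta:application" in text or "<html" in text:
        return "script: HTA/HTML text (mshta)"
    if "<job" in text or "<package" in text:
        return "script: WSF text (wscript/cscript)"
    if "createobject(" in text or "wscript." in text or "activexobject(" in text:
        return "script: VBS/JS text (wscript/cscript)"
    return "text"


def carve_embedded_files(data: bytes) -> list:
    """One record per FileDataStoreObject; truncated objects are kept and flagged."""
    records = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        meta_start = pos + len(FDSO_HEADER)
        if meta_start + FDSO_META_LEN > len(data):
            break  # header cut off by end of file
        (cb_length,) = struct.unpack_from("<Q", data, meta_start)
        payload_start = meta_start + FDSO_META_LEN
        payload = data[payload_start:payload_start + cb_length]
        truncated = len(payload) < cb_length
        footer_at = payload_start + cb_length
        footer_ok = not truncated and data[footer_at:footer_at + 16] == FDSO_FOOTER
        records.append({
            "offset": pos, "declared_size": cb_length, "size": len(payload),
            "truncated": truncated, "footer_ok": footer_ok,
            "sha256": sha256_hex(payload), "type": guess_type(payload), "data": payload,
        })
        pos = data.find(FDSO_HEADER, payload_start + max(len(payload), 1))
    return records


def describe_bytes(name: str, data: bytes) -> dict:
    """The 'basic information' step: name, size, hashes, type, embedded files."""
    return {
        "name": name, "size": len(data),
        "md5": hashlib.md5(data).hexdigest(), "sha256": sha256_hex(data),
        "type": guess_type(data), "embedded": carve_embedded_files(data),
    }


# --- constructed sample, not a real malicious file ---------------------------
SAMPLE_VBS = b'Set sh = CreateObject("WScript.Shell")\r\nMsgBox "constructed sample"\r\n'
SAMPLE_PE = b"MZ" + b"\x00" * 62  # DOS-header stub only, not a runnable executable


def fdso(payload: bytes) -> bytes:
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


def build_sample() -> bytes:
    """Stand-in .one section: file header GUID, filler, two embedded objects."""
    return ONE_MAGIC + b"\x00" * 48 + fdso(SAMPLE_VBS) + b"\xaa" * 32 + fdso(SAMPLE_PE) + b"\x00" * 16


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            info = describe_bytes(argv[1], fh.read())
    else:
        info = describe_bytes("invoice.one (constructed)", build_sample())
    print(f"{info['name']}: {info['size']} bytes, {info['type']}")
    print(f"  md5    {info['md5']}\n  sha256 {info['sha256']}")
    for r in info["embedded"]:
        flag = " TRUNCATED" if r["truncated"] else ("" if r["footer_ok"] else " BAD-FOOTER")
        print(f"  embedded @0x{r['offset']:x}: {r['size']} bytes, {r['type']}, sha256 {r['sha256']}{flag}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on REMnux as `python3 onenote_triage.py suspicious.one` (with no argument it triages the constructed sample). A carved object whose type comes back as one of the script labels is exactly the kind of file OneNote will pass to mshta, wscript or cscript when the user double-clicks it, so its SHA-256 is the value to pivot on in threat-intelligence lookups; a TRUNCATED or BAD-FOOTER flag means the length field and the data disagree, which is worth a second look before trusting the carved bytes.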