Stories from the SOC: OneNote MalSpam – Detection & response

This blog was co-written with Kristen Perreault – Professional Cybersecurity andJames Rodriguez – Sr. Specialist Cybersecurity.

Executive summary

Since December 22nd, 2022, there has been an increase in malware sent via Phishing emails via a OneNote attachment. As with most phishing emails, the end user would open the OneNote attachment but unlike Microsoft Word or Microsoft Excel, OneNote does not support macros. This is how threat actors previously launched scripts to install malware.

Minimal documentation has been made towards the tactics, techniques, and procedures (TTP’s) observed in these attacks. Some of the TTP’s observed included executions of Powershell.exe usage and Curl.exe once a hidden process was ran. Once the hidden executable was clicked on, a connection was made to an external site to attempt to install and execute malware. Once executed the attacker will unload additional malicious files and gain internal information from within the organization. In this case, malicious files were detected and mitigated by SentinelOne.

Investigation

Initial Alarm Review

Indicators of Compromise (IOC)

The initial alarm came in for malware being detected by SentinelOne which was a .One file type. The file sourced from Outlook indicated this was likely a phishing email. Shortly after receiving the initial alarm, the MES SOC Threat Hunters (SECTOR Team) were alerted by a customer experiencing this activity and began their deep dive. Upon entering the file hash obtained from the SentinelOne event, no discernible information regarding the file’s purpose was uncovered. This prompted SECTOR to utilize Deep Visibility to gain further insight into the process and purpose of the detected file.

Deep Visibility is a feature within SentinelOne that provides comprehensive insight into the activities and behaviors of threats within a network environment. This feature allows security teams, such as SECTOR, to investigate and respond to threats by providing greater insight in processes, network connections, and file activities. It is an incredibly powerful tool in SentinelOne and is commonly used during the Incident Response process.

Expanded investigation

Events Search

A search string was created for Deep Visibility which included the file name and associated file hashes. An event in SentinelOne was found that included a Curl.exe process with the external domain minaato[.]com. When reviewing the domain further, it was determined that this was a file sharing website and additional malicious indicators were uncovered. Analyzing the DNS request to minaato[.]com, showed events with the source process mshta.exe with the target process curl.exe, and the parent process of onenote.exe. This chain of processes were the heuristic (behavioral) attributes that prompted SentinelOne to fire off an alert. Utilizing these TTP and previous source processes, a new query was generated to find any potential file populating the same activity. This led SECTOR to detect another file under Cancellation[.]one.

Event Deep Dive

SECTOR began their event deep dive with an initial IOC based search query that included the file name and the domain that generated outbound network connections.

Pivoting off of the results from the initial IOC based search query, SECTOR created a secondary search query that included multiple file names, domains, and hashes that were found. These IOCs had not been previously discovered in the wild but once they were found, SECTOR provided them to the AT&T AlienLabs team for additional detection engines, correlation rules, and OTX (AT&T Open Threat Exchange Platform) pulse updates.

After gathering all the IOCs, a third heuristic-based search query was created. This new query aimed to find any remaining events related to the malware that SentinelOne might not have alerted on, as it mainly focuses on execution-based activities rather than behavior-based ones. This demonstrates the importance of using threat hunting in conjunction with SentinelOne's Deep Visibility feature for enhanced security.

In the final stage of the event search, SECTOR created a final heuristic search query that detected any outreach to a domain with the same behavioral attributes observed in this environment. Although the results contained false positives, they were able to sift through and find an event where the “ping.exe” command successfully communicated with the malicious domain, “minaato[.]com”. In this case, SentinelOne did not alert on this activity due to it being a common process execution.

Response

Building the Investigation

After gathering all necessary information and event findings, SECTOR was able to pull the malicious OneNote file and detonate it within their sandbox environment. They were then able to see that once the file was opened, the malicious link was hidden under an overlayed stock Microsoft image that asked the user to click open. This then brought the user to the malicious domain, minaato[.]com.

SECTOR provided all data gathered from this threat hunt to the affected customers and fellow CyberSecurity Teams within AT&T for situational awareness.

Customer interaction

The affected customers were given remediation steps based on the specific activity they experienced with this malware. Some of them were successfully compromised, while others were able to avoid any execution or downloads in association with the malware itself. These remediation steps included removing all files from the affected devices, resetting all user passwords for best practices, scanning assets to ensure no further unauthorized or malicious activity was occurring in the background, globally blocking all IOC’s, and implementing block rules on their firewalls.

IOCS

Article Link: Stories from the SOC: OneNote MalSpam – Detection & response | AT&T Cybersecurity