top of page
  • Writer's pictureSecneurX Threat Analysis

Malware Starts up Abusing Microsoft's OneNote

Analysts at SecneurX have found that the Redline malware is abusing Microsoft’s OneNote to spread malware. OneNote is one of the highly popular components of the Microsoft 365 package which is still under support and recieving important software updates from Microsoft. However, the frequent beta testing of the product has resulted in hackers exploiting vulnerabilities for phishing-based malware attacks. Malicious actors are exploiting the frequent feature updates to OneNote by Microsoft by using double-clicks on spam emails, which automatically runs a script, installing malware from remote sites into the user’s computer.

Our Secneurx Analysts found in its lab one of the Redline malware which is using OneNote to spread malware that is performing few evading techniques, so that the Antivirus Software would not be able to flag it as malicious.

Screenshots of OneNote malware spoofing as legitimate document

After opening the OneNote through Microsoft OneNote, it prompts the user to click the "Review Documents" image.

After clicking the "Review Documents" image a Warning Message gets popped up displaying the message as “Opening attachments will harm your computer and data”

Behind the "Review Documents" image multiple link files are attached so threat actor tries to spoof the victim to click "Review Documents" image as the victim clicked the "Review Documents" image link file will be executed.

Performing Evading Techniques

Once the user clicked on OK button, the link file will run through powershell command and a Portable Executable (PE) file gets downloaded in the preferred location and gets executed automatically.

After executing the file, a powershell command is passed with base64 encryption

The Start-Sleep cmdlet in PowerShell is often used to introduce delays in a script or command to avoid detection by security software.

It downloads an executable file "Opgcxhsdw.exe" and it saves the downloaded file as svhost.exe by mimicking the legitimate process svchost.exe. After executing and performing all the functions of the malware, the data gets exfiltrated from the user PC's and is communicated with c2.










What can you do to avoid being a malware victim?

As dangerous as malware is, simply being aware and staying updated with the latest malware trends can go a long way in securing your data and systems. Here are helpful tips on how you can defend yourself from a likely attack.

Scrutinize emails & its attachments before opening them

Be wary of emails from unverified sources. You can check by communicating directly with the purported sender to confirm if they sent the messages. To check its validity, you can use SecneurX Sandbox to verify the sanity of the email.

Avoid clicking embedded links found in unverified emails

Such social engineering tricks can lead to the download of malware. Additionally, be wary of sites that prompt you to enter a CAPTCHA code as this could be linked to a malware attack. To check its validity, you can use services like SecneurX Sandbox to verify the reputation of the site.

Back up your important files

While prevention is always better than the cure, having a backup of important files can at least lessen the potential damage done by a malware attack. While being locked out of your own system is always a bad thing, at least it's not a total disaster since you can always retrieve your important files. The 3-2-1 backup rule applies here—three backup copies of your data on two different media, and one of those copies in a separate location.

Regularly update software, programs, applications

Updating them to the latest versions can provide an added layer of protection against online threats as some malware arrive via vulnerability exploits.

Use a layered protection suite

Doing so can detect threats before they enter your network. Security solutions like SecneurX ATP can block Infectious files (like executables (.exe, .run, etc.), archives (ZIP, RAR, etc.), Microsoft Office and PDF documents, JavaScript, and so on) by scanning them at the point of entry of the organizations (File uploads, USB file transfers etc)

163 views0 comments

Bình luận

bottom of page