Microsoft OneNote is a file type now entrenched in the ongoing saga of abused file formats leveraged by adversaries to reach through defenses and deliver malware payloads to end users. Recently, we have seen OneNote's sudden rise to prominence, following a pattern of other types of files used in the same capacity.
Key Takeaways:
TOAD (Telephone-oriented attack delivery) threat actors are still an active threat in Q4 2022 with no indications of attacks diminishing in the near future.InQuest believes that attacks will likely increase in frequency as we enter th
In this post I want to cover an item called "CustomXMLParts".
Trying to look up this term you can find variations on what it is. In short, it is an XML container to store arbitrary data to be used in the document. The intention for it appears to give the developer a way to change the formatting of the Office document that is not already available or add additional functionality.
In this case they are storing a hex encoded executable in the “customXml –> item1.xml
In a previous post, we discussed the “@” symbol used to separate an apparent legitimate URL from the real target. In this case, there has been a small flood using the URL of “http://jmcglone.com@” with many different URLs or IP addresses after the “@” symbol. If we look at the VirusTotal information for this page, we see the online scan says it is clean and that it has also been around for ten years.
In this post we will be working with this Excel Sample from InQuest Labs.
The sample today is an Office DocumentSha256: 2cc30a017cf7312c737be593f36f2d84dd38c285a75512c9ab2e78f0bc1ba48b
Found Here on InQuest Labs.
The purpose of InQuest Labs is to enable independent security researchers with a convenient mixture of files and threat intelligence. Users can register for free and interface via the UI/UX, an open API, or via a Python library / command-line interface.
Without doubt, one of the hottest and most stressful regions on the planet currently is Eastern Europe. The military conflict that has been ongoing for more than 4 months has unfortunately claimed many victims and is fueling an economic and food crisis in several nations spanning across the globe. This far reaching tension also bleeds into cyberspace.
History of Headlines
Microsoft Office has been a long favorite delivery mechanism for malicious payloads, from pen-testers to nation-state threat actor groups, and for good reason. Widely adopted. Large attack surface. Robust legacy support. These traits have been the source of news headlines for decades.
For several weeks, eyes around the world have been set on the war in Ukraine and events that have transpired as a result.
Some time ago, we discovered a novel payload delivery method in malicious documents. The focus of this article is to explore this technique via samples of the document. The treat sequencing follows the chain of a malicious spreadsheet that downloads an archive containing thinBasic binaries and a malicious thinBasic script.
In recent months, there has been continuous media coverage of the geopolitical tensions in Eastern Europe around the threats of a Russian invasion of Ukraine. As one may expect, there has been an observable uptick in cyberattacks on related government networks and personnel.
Some time ago, we discovered a large wave of phishing emails with an exciting delivery method. This article will describe this method and show how it works, starting from a malicious document. We will explore the following documents, each with a beautiful visual lure that abuses the names and logos of Chase Bank and Bank of America.
How does fishing work in real life? The fisherman chooses a suitable place for fishing, he chooses the right tools; a fishing rod or nets, and he also needs to choose the right bait. When everything is ready, he can expect a good degree of success.
We found a wave of phishing documents containing a very interesting lure. We researched the tactics of this attack in more depth and discovered some unique TTPs including a Stage 2 Blogspot service marked as adult content requiring that you must be logged in as an authorized user with an account no less than a year old.
Let's look at how the next sample works.
A few days ago, we discovered a wave of phishing emails with an attached document. The fact is that a considerable number of samples had zero detection on the VT service. While several files had no AV detection for some time, we decided to focus on this wave and explore it in more detail.
Protecting an organization from today's cyber threats is not a simple but rather extensive task. The threat landscape is constantly changing, requiring a flexible approach to defense. The threats, techniques, and vulnerabilities that cybercriminals exploit may be unknown to organizations that provide protection to their users. This is a prime example of the exploitation of a critical vulnerability. An exploit that was found in the wild.
Microsoft MSHTML Remote Code Execution Vulnerability
As we roll into autumn and the season changes, so does the threat landscape. The emergence of new CVE signals another arms race with both sides vying for effectively leveraging the exploit and understanding how to mitigate the effects respectively.
The Trystero Project
The "Trystero Project" is our code name for an experiment that we're actively conducting to measure the security efficacy of the two largest mail providers, Google (Workspace, aka GSuite) and Microsoft (O365), against real-world emerging malware. The name and icons are sourced from Crying of Lot 49, a novel written by American author Thomas Pynchon and published in 1965. Why e-mail security?
Mobile devices as an espionage tool.
Email-borne pathogens frequently commence with the inclusion of a malicious document. This long-running trend continues to pose a serious threat to the security of organizations and users. Criminals are constantly improving their methods and looking for new ways to compromise victims. Payload trends change over time, with Ransomware being one that is capturing many headlines.
We have found an exciting document that hides a whole chain of PS scripts. Unfortunately, the original document has used a coercive lure to make the victim enable macros that drop malicious artifacts. This specific document's lure is written in French "BIENVENUE DANS WORD Microsoft Word a ete mise a jour avec succes"
At InQuest, we're fanatical about malware analysis and ingest real-world samples at-scale, dissecting millions of files daily. We leverage a combination of our Deep File Inspection (DFI™) analysis engine and a proprietary machine-learning apparatus to distill a daily volume of millions of samples down to a harvest consisting of dozens of "interesting" samples.
The staff at InQuest have been busy running a variety of different research experiments in the realm of bleeding-edge maldoc discovery to ensure the efficacy of detection for our customers and generate threat intelligence. One such experiment is our Twitter bot that tweets about malicious stage-2 RTFs referenced from documents found within the InQuest Labs Corpus. Another additional research project includes the mass curation and password cracking attempts of encrypted files.
Throughout InQuest's research into detecting maldocs, deserving attention has been given to the graphical asset that is used as the coercive lure. From "Worm Charming", InQuest's Malware Lures Gallery, and Optical Character Recognition inspection of the instructive text to enable embedded logic, uncountable wins have been brought to the community's attention. This quick blog details a couple of approaches for acquiring maldoc images without the need to open the document and copy the image.
On December 16th, 2020 Twitter user Insomnihack @pro_integritate posted an interesting obfuscated document, where it was flagged as Dridex in some sandboxes. This sample threw an error and would not open in Office 2010 until I changed the file extension to “doc’. The thing that stood out the most on initial inspection is the massive use of the properties “wd.. “ like “wdArtWeavingStrips” each of these properties map to constant values of “Word Enumerated Constants”
The SOC-Class is a niche course on cybersecurity operations, training CISOs, SOC Managers, and technical leads to build and excel in Cybersecurity Operations Centers SOCs/CSOCs. This use case development methodology is one of the approaches discussed in the course and is intended to provide a framework for mature and repeatable construction of engineered detections.
Cerbero Suite
We would like to thank InQuest for this interesting malware sample: it's a great sample to show the power of Cerbero Suite!
A while back we had an interesting alert generated from one of the InQuest DFI sensors that were initially very suspicious, but proved to be entertaining and still questionable regarding the true purpose of the activity. My initial suspicion was driven to an event highlighting an Image with an Embedded executable.
A common tactic seen used in Phishing campaigns today is to embed the phish within Google's Firebase Cloud Storage platform called Firebase. Follow along with this workflow to analyze some phishing lures.
This DLL was created by p3nt4 and allows you to execute PowerShell Scripts, commands, encoded commands, and even an interactive shell. Ok, so I could download this on a box and execute it, and boom, now I have PowerShell without PowerShell. I began to think, why not take it a step further. If you’re thinking about it from an adversary’s perspective, and for this particular scenario, we want to execute some PowerShell scripts or commands without triggering any detections.
On February 1st, Adobe published bulletin APSA18-01 for CVE-2018-4878 describing a use-after-free (UAF) vulnerability affecting Flash versions 28.0.0.137 and earlier. As of February 6th, Adobe has patched the issue in version 28.0.0.161, APSB18-03. This post provides an overview of the vulnerability, a walk-through of the exploit seen in the wild, and covers several detection mechanisms.
