Tales from the SOC: OneNote MalSpam – Detection & response

This weblog was co-written with Kristen Perreault – Skilled Cybersecurity andJames Rodriguez – Sr. Specialist Cybersecurity.

Government abstract

Since December twenty second, 2022, there was a rise in malware despatched by way of Phishing emails by way of a OneNote attachment. As with most phishing emails, the tip consumer would open the OneNote attachment however not like Microsoft Phrase or Microsoft Excel, OneNote doesn’t assist macros. That is how risk actors beforehand launched scripts to put in malware.

Minimal documentation has been made in direction of the ways, strategies, and procedures (TTP’s) noticed in these assaults. Among the TTP’s noticed included executions of Powershell.exe utilization and Curl.exe as soon as a hidden course of was ran. As soon as the hidden executable was clicked on, a connection was made to an exterior web site to try to put in and execute malware. As soon as executed the attacker will unload further malicious recordsdata and acquire inside data from throughout the group. On this case, malicious recordsdata had been detected and mitigated by SentinelOne.

Investigation

Preliminary Alarm Evaluation

Indicators of Compromise (IOC)

The preliminary alarm got here in for malware being detected by SentinelOne which was a .One file sort. The file sourced from Outlook indicated this was doubtless a phishing e mail. Shortly after receiving the preliminary alarm, the MES SOC Menace Hunters (SECTOR Group) had been alerted by a buyer experiencing this exercise and commenced their deep dive. Upon coming into the file hash obtained from the SentinelOne occasion, no discernible data relating to the file’s objective was uncovered. This prompted SECTOR to make the most of Deep Visibility to achieve additional perception into the method and objective of the detected file.

Deep Visibility is a function inside SentinelOne that gives complete perception into the actions and behaviors of threats inside a community surroundings. This function permits safety groups, equivalent to SECTOR, to analyze and reply to threats by offering larger perception in processes, community connections, and file actions. It’s an extremely highly effective software in SentinelOne and is usually used throughout the Incident Response course of.

Expanded investigation

Occasions Search

A search string was created for Deep Visibility which included the file title and related file hashes. An occasion in SentinelOne was discovered that included a Curl.exe course of with the exterior area minaato[.]com. When reviewing the area additional, it was decided that this was a file sharing web site and extra malicious indicators had been uncovered. Analyzing the DNS request to minaato[.]com, confirmed occasions with the supply course of mshta.exe with the goal course of curl.exe, and the guardian means of onenote.exe. This chain of processes had been the heuristic (behavioral) attributes that prompted SentinelOne to fireplace off an alert. Using these TTP and former supply processes, a brand new question was generated to search out any potential file populating the identical exercise. This led SECTOR to detect one other file underneath Cancellation[.]one.

Occasion Deep Dive

SECTOR started their occasion deep dive with an preliminary IOC based mostly search question that included the file title and the area that generated outbound community connections.

Pivoting off of the outcomes from the preliminary IOC based mostly search question, SECTOR created a secondary search question that included a number of file names, domains, and hashes that had been discovered. These IOCs had not been beforehand found within the wild however as soon as they had been discovered, SECTOR supplied them to the AT&T AlienLabs workforce for extra detection engines, correlation guidelines, and OTX (AT&T Open Menace Trade Platform) pulse updates.

After gathering all of the IOCs, a 3rd heuristic-based search question was created. This new question aimed to search out any remaining occasions associated to the malware that SentinelOne won’t have alerted on, because it primarily focuses on execution-based actions fairly than behavior-based ones. This demonstrates the significance of utilizing risk looking along side SentinelOne’s Deep Visibility function for enhanced safety.

Within the ultimate stage of the occasion search, SECTOR created a ultimate heuristic search question that detected any outreach to a website with the identical behavioral attributes noticed on this surroundings. Though the outcomes contained false positives, they had been capable of sift via and discover an occasion the place the “ping.exe” command efficiently communicated with the malicious area, “minaato[.]com”. On this case, SentinelOne didn’t alert on this exercise as a consequence of it being a typical course of execution.

Response

Constructing the Investigation

After gathering all needed data and occasion findings, SECTOR was capable of pull the malicious OneNote file and detonate it inside their sandbox surroundings. They had been then capable of see that after the file was opened, the malicious hyperlink was hidden underneath an overlayed inventory Microsoft picture that requested the consumer to click on open. This then introduced the consumer to the malicious area, minaato[.]com.

SECTOR supplied all knowledge gathered from this risk hunt to the affected clients and fellow CyberSecurity Groups inside AT&T for situational consciousness.

Buyer interplay

The affected clients got remediation steps based mostly on the precise exercise they skilled with this malware. A few of them had been efficiently compromised, whereas others had been capable of keep away from any execution or downloads in affiliation with the malware itself. These remediation steps included eradicating all recordsdata from the affected units, resetting all consumer passwords for greatest practices, scanning property to make sure no additional unauthorized or malicious exercise was occurring within the background, globally blocking all IOC’s, and implementing block guidelines on their firewalls.

IOCS