Threat Actors Ramp Up OneNote Attachment Usage in their Attacks
Threat Actors (TAs) are using spam emails to trick individuals into downloading malware, such as Remote Access Trojans (RATs) and Stealers, to infect their devices and steal sensitive information. Cyble Research & Intelligence Labs (CRIL) closely monitors different malware families and routinely publishes informative blogs to educate our readers. Recently, we observed a new type of BAT loader used to distribute a range of RAT and Stealer malware families.
This loader utilizes a distinctive method to deliver the malicious payload to the user system. We have seen multiple malware families delivered using this new BAT loader.
The image below illustrates the infection chain of the new BAT loader.
Our research indicates that the new BAT loader variant is being used by OneNote Attachment, which spreads via spam email. This analysis covers the infection technique of the BAT loader and its payload delivery in detail.
Technical Analysis
Delivery of QuasarRAT
Recently, CRIL came across an Open Directory (OpenDir) that hosted several malware binaries. OpenDir is an unprotected directory with lists of direct links to files stored on the remote server. Within that, we have downloaded the binary file named “Bill.exe”, which is a new BAT loader malware.
The image below shows that OpenDir contains links to download malware files.
Upon execution of “Bill.exe”, it drops an obfuscated BAT file named “Bill.bat” in the %temp% folder and executes it. T
The figure below shows the dropped BAT file and its obfuscated content.
The executed BAT file copies legitimate PowerShell.exe from system32 and drops it in the %temp% location as “Bill.bat.exe” to run the PowerShell content inside the obfuscated BAT file, as shown in the figure below.
The below image shows the de-obfuscated PowerShell script launched by the “Bill.bat” file.
The PowerShell script performs the process of decrypting, decompressing, and loading the data as a .NET assembly and executes the malicious code within it by using the following steps:
- Initially, the PowerShell script reads a Base64 encoded content that starts with “:: ” from the “Bill.bat” file located at the path “C:\Users\<Admin>\AppData\Local\Temp\IXP000.TMP\”.
- Then, the Base64-encoded content is decoded using the method [System.Convert]::FromBase64String, which is an AES encrypted content.
- Next, the encrypted content is decrypted using AES.CreateDecryptor() method. The encryption key and initialization vector (Key & IV) are obtained from hardcoded strings encoded in Base64 format.
- Now, a System.IO.MemoryStream object is created and filled with the AES decrypted content, which is Gzip compressed data.
- The data is then decompressed using a method [IO.Compression.CompressionMode]::Decompress from an object System.IO.Compression.GZipStream.
- The decompressed data (Portable Executable) is then loaded into a .NET assembly using the [System.Reflection.Assembly]::Load method.
- The entry point of the assembly is invoked using an Invoke method, which runs the code within the assembly.
The diagram below illustrates the BAT loader delivering QuasarRAT to the victim’s system.
The figure below shows the static details of an extracted binary file, a 32-bit .NET compiled executable.
Upon execution of the .NET file, it decrypts and runs encrypted data embedded in the .NET resource directory in the name of “payload.exe”.
This “payload.exe” file is an actual malware payload “QuasarRAT”, as shown in the below figure.
Delivery of AsyncRAT
We have also observed a few samples in the wild that shows a similar technique to distribute a Remote Access Trojan named “AsyncRAT”.
The below figure shows the spam email, which contains a OneNote attachment named “SHIPMENT_DOCUMENTS.one”. When opened, it displays a message “CLICK TO VIEW DOCUMENT”.
When a user clicks the button present in the OneNote file to view the document, it drops the “update.bat” file in the %temp% folder and executes it. The executed BAT file exhibits the same behavior mentioned above in the technical analysis section.
The image below shows the BAT loader’s process tree delivered via spam email.
As mentioned previously, the PowerShell script retrieves and loads the payload malware “AsyncRAT” in memory, as shown below.
CRIL also noticed a few more samples in the wild that exhibit similar behavior to spread malware families, such as DCRAT, Stormkitty, and RedLine stealer.
Conclusion
BAT loader is a highly adaptable and challenging threat that employs malspam and social engineering tactics to spread RATs, Stealers, and other malware. It gains access to the target network through batch and PowerShell scripts, making it difficult to detect. This ability to evolve and adapt makes BAT loader a persistent and dangerous malware.
Cyble Research and Intelligence Labs will continue monitoring the new malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
Our Recommendations
- The initial infection may happen via spam emails or phishing websites, so enterprises should use security products to detect phishing emails and websites.
- Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1059 T1064 T1047 T1059 | User Execution Command and Scripting Interpreter Scripting Windows Management Instrumentation PowerShell |
| Persistence | T1053 | Scheduled Task/Job |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1222 T1564 T1036 T1070 T1497 | File and Directory Permissions Modification Hidden Files and Directories Masquerading File Deletion Virtualization/Sandbox Evasion |
| Discovery | T1082 T1518 T1083 | System Information Discovery Security Software Discovery File and Directory Discovery |
| Command and Control | T1071 T1095 | Application Layer Protocol Non-Application Layer Protocol |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 7677442c6afc8aee0f4dfaaafb69fa290d1ec8d53b84763484e25c316df267cc | Sha256 | Bill.exe |
| cb36052775ff82522c60883729071f69b66a00413edce7d554e8af4c0d15e931 | Sha256 | Bill.bat (QuasarRAT) |
| 66329a56f2ab10fdd3050c07349ad41f802e9f100b9bd2925f9b0940ec3ff0a6 | Sha256 | tmp995D.exe (QuasarRAT) |
| 9cd24f62ecb15856de992b14f2b44f09a8ba74f1220d9ae544e6919ada0335ad | Sha256 | Spam email |
| 13ca7d5e399860423c237d2597f799f104facf971d0552080049f5d618ccb582 | Sha256 | SHIPMENT_DOUMENTS.one |
| 764250ddf94b90441193fe1c29754f231e0868d1878fdf3150e5744dd8d8c378 | Sha256 | Update.bat (AsyncRAT) |
| 2e0b02dbfc729d375e38d6cbc88a186c48f9250ab5d13a2f350c1a4a3137c4bf | Sha256 | tmp3680.tmp (AsyncRAT) |
| d71cdb791f3f58bd064fb840488f7e708d707b1d39e70fbe5c597f7fbcc0699e | Sha256 | Batch file (DCRAT) |
| d5d8deb0a6da4352ded02c6a51c10efae2b030518247713ecb28274123b76fb8 | Sha256 | Batch file (RedLine) |
| fa78bb7d250a3893f188e5e7651070a20dd690fc6647020d5d399874e71c8e88 | Sha256 | Batch file (Stormkitty) |
| 103.146.23.112 | IP | OpenDir |
