Executive Summary 摘要
In this post, we look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files. Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files. The interaction then executes an embedded malicious payload.
在这篇文章中,我们将介绍攻击者用来滥用 Microsoft OneNote 文件的嵌入式有效负载类型。我们对来自 WildFire 的大约 6,000 个恶意 OneNote 样本的分析表明,这些样本具有类似网络钓鱼的主题,攻击者使用一个或多个图像来引诱人们单击 OneNote 文件或与 OneNote 文件进行交互。然后,交互将执行嵌入的恶意负载。
Since macros have been disabled by default in Office, attackers have turned to leveraging other Microsoft products for embedding malicious payloads. As a result, malicious OneNote files have grown in popularity. The OneNote desktop app is included by default in Windows in Office 2019 and Microsoft 365, which can load malicious OneNote files if someone accidentally opens one.
由于 Office 中默认禁用宏,攻击者已转向利用其他 Microsoft 产品来嵌入恶意负载。因此,恶意 OneNote 文件越来越受欢迎。默认情况下,OneNote 桌面应用包含在 Office 2019 和 Microsoft 365 的 Windows 中,如果有人意外打开恶意 OneNote 文件,则可以加载恶意 OneNote 文件。
We find that attackers have the freedom to embed either text-based malicious scripts or binary files inside OneNote. This offers them more flexibility compared to traditional macros in documents.
我们发现攻击者可以自由地在 OneNote 中嵌入基于文本的恶意脚本或二进制文件。与文档中的传统宏相比,这为它们提供了更大的灵活性。
Palo Alto Networks customers are better protected from the threats discussed above through the following products:
Palo Alto Networks 客户通过以下产品可以更好地抵御上述威胁:
- Next-Generation Firewall with cloud-delivered security services including WildFire.
下一代防火墙,提供云交付的安全服务,包括 WildFire。
- Prisma Access devices with cloud-delivered security services including WildFire.
具有云交付安全服务(包括 WildFire)的 Prisma Access 设备。
- Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.
Cortex XDR 和 XSIAM 代理使用多层保护方法帮助防止开发后活动。
- The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Unit 42 事件响应团队也可以参与帮助达成妥协或提供主动评估以降低风险。
Table of Contents 目录
Background 背景
Methodology 方法论
Payload Types and Average Size Distribution
有效负载类型和平均大小分布
Presence of Images in Malicious OneNote Samples
恶意 OneNote 示例中存在图像
Analysis of an Embedded EXE Payload
嵌入式 EXE 有效负载分析
Conclusion 结论
Indicators of Compromise
妥协指标
Additional Resources 其他资源
Background 背景
Microsoft OneNote is a digital note-taking application that is part of the Microsoft Office suite. A OneNote file is essentially a digital notebook where people can store various types of information.
Microsoft OneNote 是一个数字笔记应用程序,是 Microsoft Office 套件的一部分。OneNote 文件本质上是一个数字笔记本,人们可以在其中存储各种类型的信息。
Additionally, Microsoft OneNote allows people to embed external files, enabling them to store files such as videos, images or even scripts and executables. However, Microsoft has started blocking embedded objects with certain extensions that are considered dangerous within OneNote files running on Microsoft 365 on Windows.
此外,Microsoft OneNote 允许人们嵌入外部文件,使他们能够存储视频、图像甚至脚本和可执行文件等文件。但是,Microsoft 已开始阻止具有某些扩展名的嵌入对象,这些扩展名在 Windows 上的 Microsoft 365 上运行的 OneNote 文件中被认为是危险的。
However, attackers often abuse the ability to embed objects by planting malicious payloads. Malicious OneNote samples typically disguise themselves as legitimate notes, often including an image and a button.
但是,攻击者经常通过植入恶意负载来滥用嵌入对象的能力。恶意 OneNote 示例通常将自己伪装成合法笔记,通常包括图像和按钮。
Attackers use images to draw people’s attention, and they rely on unsuspecting people clicking buttons to launch malicious payloads. This technique is popular for payload delivery as it leverages people’s trust in legitimate note-taking applications.
攻击者使用图像来吸引人们的注意力,他们依靠毫无戒心的人点击按钮来启动恶意负载。这种技术在有效载荷传输中很受欢迎,因为它利用了人们对合法笔记应用程序的信任。
Figures 1, 2 and 3 show three different varieties of malicious OneNote samples with different types of embedded images and buttons. By hovering over the fake button, we can see the location and type of the payload planted in the OneNote file.
图 1、2 和 3 显示了三种不同种类的恶意 OneNote 示例,其中包含不同类型的嵌入图像和按钮。通过将鼠标悬停在假按钮上,我们可以看到 OneNote 文件中植入的有效负载的位置和类型。
In Figure 1, the malicious OneNote sample asks the target to click on the view button to see the “protected” document. Upon doing so, a malicious VBScript file executes.
在图 1 中,恶意 OneNote 示例要求目标单击查看按钮以查看“受保护”文档。执行此操作后,将执行恶意 VBScript 文件。
Figure 1. OneNote sample with embedded malicious VBS.
图 1.具有嵌入式恶意 VBS 的 OneNote 示例。
Similarly, Figures 2 and 3 show malicious OneNote documents with fake buttons that entice victims to execute an embedded EXE payload and an Office 97-2003 payload, respectively.
同样,图 2 和图 3 显示了带有虚假按钮的恶意 OneNote 文档,这些按钮分别诱使受害者执行嵌入的 EXE 有效负载和 Office 97-2003 有效负载。
Figure 2. OneNote sample with embedded malicious EXE file.
图2.带有嵌入式恶意 EXE 文件的 OneNote 示例。
Figure 3. OneNote sample with embedded malicious Office 97-2003 file.
图3.带有嵌入式恶意 Office 97-2003 文件的 OneNote 示例。
Methodology 方法论
As mentioned above, attackers mostly abuse OneNote files for malicious payload delivery. To do so, they tend to embed a few specific payload types such as the following:
如上所述,攻击者主要滥用 OneNote 文件进行恶意负载传递。为此,他们倾向于嵌入一些特定的有效负载类型,如下所示:
- JavaScript JavaScript的
- VBScript
- PowerShell PowerShell的
- HTML application (HTA) HTML 应用程序 (HTA)
Despite the different file types, these payloads often show similar behaviors and aim to achieve the same malicious objectives. However, we won’t delve into the entire attack and infection chain, as we have covered this in a previous article on malicious OneNote attachments.
尽管文件类型不同,但这些有效负载通常表现出相似的行为,旨在实现相同的恶意目标。但是,我们不会深入研究整个攻击和感染链,因为我们在之前关于恶意 OneNote 附件的文章中对此进行了介绍。
The telltale sign of a malicious OneNote file is the presence of embedded objects. While benign OneNote files can also contain embedded objects, malicious OneNote files almost invariably include them.
恶意 OneNote 文件的明显迹象是存在嵌入对象。虽然良性 OneNote 文件也可以包含嵌入对象,但恶意 OneNote 文件几乎总是包含它们。
According to Microsoft, files embedded in OneNote start with a specific globally unique identifier (GUID) tag:
根据 Microsoft 的说法,OneNote 中嵌入的文件以特定的全局唯一标识符 (GUID) 标记开头:
- {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
This GUID indicates the presence of a FileDataStoreObject object. The GUID is then followed by the size of the embedded file.
此 GUID 指示存在 FileDataStoreObject 对象。然后,GUID 后跟嵌入文件的大小。
The actual embedded file follows 20 bytes after the aforementioned GUID tag and will be as long as the defined size. For example, in Figure 4 below:
实际的嵌入文件在上述 GUID 标记之后遵循 20 个字节,并且与定义的大小一样长。例如,在下面的图 4 中:
- Box 1 represents the embedded object GUID tag
框 1 表示嵌入对象 GUID 标记
- Box 2 indicates the size of the embedded object
方框 2 表示嵌入对象的大小
- Box 3 represents the actual embedded object
框 3 表示实际的嵌入对象
Figure 4. Identification of embedded objects in a OneNote file.
图4.标识 OneNote 文件中的嵌入对象。
Payload Types and Average Size Distribution
有效负载类型和平均大小分布
As illustrated in Figure 5, attackers predominantly use the following seven file types for their OneNote payloads:
如图 5 所示,攻击者主要使用以下七种文件类型作为其 OneNote 有效负载:
- PowerShell PowerShell的
- VBScript
- Batch 批
- HTA
- Office 97-2003 办公室 97-2003
- EXE
- JavaScript (this file type is the most commonly used)
JavaScript(此文件类型是最常用的)
Figure 5. Distribution of payload types embedded in malicious OneNote files.
图5.恶意 OneNote 文件中嵌入的有效负载类型的分布。
We also extracted and noted the size of each payload type, as shown in Figure 6.
我们还提取并记录了每种有效载荷类型的大小,如图 6 所示。
Figure 6. Average sizes of payloads found in malicious OneNote samples grouped by payload type.
图6.在恶意 OneNote 示例中找到的有效负载的平均大小,按有效负载类型分组。
While larger binary embedded payloads such as EXE and Office 97-2003 are more capable, attackers tend to use them less often (as shown in Figure 5) because they increase the overall size of the OneNote sample. Attackers tend to prefer a smaller overall file size, as smaller-sized malware is easier to include in common malware delivery mechanisms such as email attachments, thus raising less suspicion.
虽然较大的二进制嵌入式有效负载(如 EXE 和 Office 97-2003)功能更强大,但攻击者往往不太频繁地使用它们(如图 5 所示),因为它们会增加 OneNote 示例的整体大小。攻击者倾向于选择较小的整体文件大小,因为较小尺寸的恶意软件更容易包含在常见的恶意软件传递机制(如电子邮件附件)中,从而减少怀疑。
As illustrated in Figure 6 above, embedded malicious EXE and Office 97-2003 file payloads tend to be larger, and embedded malicious HTA and JavaScript files tend to be smaller.
如上面的图 6 所示,嵌入的恶意 EXE 和 Office 97-2003 文件有效负载往往较大,而嵌入的恶意 HTA 和 JavaScript 文件往往较小。
Presence of Images in Malicious OneNote Samples
恶意 OneNote 示例中存在图像
Attackers creating malicious OneNote lures use images that look like buttons to trick people into launching harmful payloads. We mapped out the number of images in each malicious OneNote sample with the payload type, and then calculated the median number of images.
创建恶意 OneNote 诱饵的攻击者使用看起来像按钮的图像来诱骗人们启动有害有效负载。我们用有效负载类型映射了每个恶意 OneNote 示例中的图像数,然后计算了图像的中位数。
In analyzing the 6,000 samples in our dataset, we found that all but three (99.9%) of the malicious OneNote samples contained at least one image. Since almost all of the samples contain at least one image, we can confirm our hypothesis that OneNote samples are primarily used as phishing vehicles.
在分析数据集中的 6,000 个样本时,我们发现除了三个 (99.9%) 恶意 OneNote 样本外,其他所有样本都包含至少一个图像。由于几乎所有样本都包含至少一个图像,因此我们可以确认 OneNote 样本主要用作网络钓鱼工具的假设。
Figure 7 shows that the median number of images per payload type is two. For instance, attackers could use both a fake button and an attention-grabbing image like a fake “secure” document banner to make their phishing campaign more believable (such as in Figure 3).
图 7 显示,每种有效负载类型的图像中位数为 2。例如,攻击者可以使用虚假按钮和引人注目的图像(如虚假的“安全”文档横幅)来使他们的网络钓鱼活动更加可信(如图 3 所示)。
Figure 7. Median image count for different payload types embedded in OneNote malware grouped by payload type.
图7.OneNote 恶意软件中嵌入的不同有效负载类型的图像计数中位数,按有效负载类型分组。
The chart above demonstrates that two to three images typically accompany payloads in malicious OneNote samples, some used to make the document more believable and some serving as fake buttons.
上图显示,恶意 OneNote 示例中的有效负载通常附带两到三个图像,其中一些用于使文档更可信,一些用作虚假按钮。
Analysis of an Embedded EXE Payload
嵌入式 EXE 有效负载分析
While our previous research examined OneNote samples that carry the more common and popular payload types, such as PowerShell or HTA, EXE payloads have gotten less attention. In this section, we will analyze a OneNote sample with an embedded EXE payload.
虽然我们之前的研究检查了携带更常见和更流行的有效负载类型(如 PowerShell 或 HTA)的 OneNote 示例,但 EXE 有效负载受到的关注较少。在本节中,我们将分析具有嵌入式 EXE 有效负载的 OneNote 示例。
The payload below is extracted from a OneNote sample with the following SHA256 hash:
以下有效负载是从具有以下 SHA256 哈希的 OneNote 示例中提取的:
- d48bcca19522af9e11d5ce8890fe0b8daa01f93c95e6a338528892e152a4f63c
The payload itself has the following SHA256 hash:
有效负载本身具有以下 SHA256 哈希值:
- 92d057720eab41e9c6bb684e834da632ff3d79b1d42e027e761d21967291ca50
Figure 8 shows our analysis of the EXE payload in IDA Pro. We found a handful of code blocks, which often signal that we might be dealing with shellcode.
图 8 显示了我们对 IDA Pro 中 EXE 有效负载的分析。我们发现了一些代码块,这些代码块通常表明我们可能正在处理 shellcode。
Our assumption was confirmed by the existence of GS:60, which points to the Process Environment Block (PEB) and the rotate right (ROR) instruction. This indicates that the malware is using dynamic address resolution for functions and hashing for function identification.
GS:60的存在证实了我们的假设,GS:60指向过程环境块(PEB)和右旋转(ROR)指令。这表明恶意软件正在对函数使用动态地址解析,并使用哈希进行函数识别。
Figure 8. EXE payload opened in IDA.
图8.在 IDA 中打开 EXE 有效负载。
To get an understanding of the objective of the shellcode and identify the libraries it was dynamically loading, we opened it in the x64dbg debugger. We then put a breakpoint at the function that repeatedly calls the loc_140004021 function block in a loop, as shown in Figure 9.
为了了解 shellcode 的目标并确定它动态加载的库,我们在 x64dbg 调试器中打开了它。然后,我们在循环中重复调用loc_140004021功能块的函数处放置一个断点,如图 9 所示。
Figure 9. Breakpoint set to identify the functions that are being dynamically loaded.
图 9.设置断点以标识正在动态加载的函数。
The combination of the WSAStringToAddressA function (shown in Figure 10) and WSASocketW functions (shown in Figure 11) makes it clear that the shellcode is attempting to send or receive data by establishing a network socket.
WSAStringToAddressA 函数(如图 10 所示)和 WSASocketW 函数(如图 11 所示)的组合清楚地表明,shellcode 正在尝试通过建立网络套接字来发送或接收数据。
Figure 10. Function name WSAStringToAddressA recorded in the RSI register.
图 10.函数名称 WSAStringToAddressA 记录在 RSI 寄存器中。
Figure 11. Function name WSASpclertW recorded in the RSI register.
图 11.函数名称 WSASpclertW 记录在 RSI 寄存器中。
Since reverse TCP shells are the most common type of shellcode used for connecting back to the attacker’s machine, we set up breakpoints in ws2_32.dll (shown in Figure 12) to determine whether the connect function is called. And if so, we could extract the arguments passed down to it. These arguments often have the IP address and port number to which the payload attempts to connect.
由于反向 TCP shell 是用于连接回攻击者计算机的最常见 shellcode 类型,因此我们在 ws2_32.dll 中设置了断点(如图 12 所示)以确定是否调用了连接函数。如果是这样,我们可以提取传给它的参数。这些参数通常具有有效负载尝试连接到的 IP 地址和端口号。
Figure 12. Breakpoint set at function connect in ws2_32.dll.
图 12.在 ws2_32.dll 函数连接处设置的断点。
As expected, the shellcode stopped at the connect function call. Upon dumping the values of the RDX register, we were able to identify the contents of the sockaddr_in struct, as shown in Figure 13.
不出所料,shellcode 在 connect 函数调用时停止。在转储 RDX 寄存器的值后,我们能够识别sockaddr_in结构的内容,如图 13 所示。
Figure 13. Content of sockaddr_in struct dump.
图 13.sockaddr_in结构转储的内容。
As shown in Figure 14, we then wrote a Python script to unpack the content of the sockaddr_in structure identified above.
如图 14 所示,然后我们编写了一个 Python 脚本来解压缩上面确定的 sockaddr_in 结构的内容。
Figure 14. Python script unpacking content of sockaddr_in struct.
图 14.Python 脚本解压缩sockaddr_in结构的内容。
Executing the above Python script gave us the output shown in Figure 15, indicating the attacker is connecting to a local machine on port 4444, potentially to an attacker-controlled machine.
执行上述 Python 脚本后,我们得到了如图 15 所示的输出,表明攻击者正在连接到端口 4444 上的本地计算机,可能连接到攻击者控制的计算机。
Figure 15. IP address and port the payload is connecting to.
图 15.有效负载连接到的 IP 地址和端口。
Conclusion 结论
We conclude that OneNote as an attack vector is more versatile than we initially thought. It can carry executable payloads, in addition to script-based downloaders. Also, like many other file types, attackers can use it for lateral movement.
我们得出的结论是,OneNote 作为一种攻击媒介比我们最初想象的更通用。除了基于脚本的下载器外,它还可以携带可执行的有效载荷。此外,与许多其他文件类型一样,攻击者可以使用它来进行横向移动。
When embedding malicious payloads inside OneNote files, attackers mainly leverage JavaScript, PowerShell, Batch and VBScript. However, attackers occasionally use binary payloads such as executables or even Office 97-2003 files to achieve their objectives.
在 OneNote 文件中嵌入恶意负载时,攻击者主要利用 JavaScript、PowerShell、Batch 和 VBScript。但是,攻击者偶尔会使用二进制有效负载(如可执行文件甚至 Office 97-2003 文件)来实现其目标。
Organizations can consider blocking embedded payloads with dangerous extensions within OneNote files to protect their users against such attacks. More broadly, we recommend people limit their exposure by checking the embedded payload filenames and extensions in OneNote files by hovering over any buttons or images before clicking them.
组织可以考虑阻止 OneNote 文件中具有危险扩展名的嵌入有效负载,以保护其用户免受此类攻击。更广泛地说,我们建议用户通过在单击任何按钮或图像之前将鼠标悬停在任何按钮或图像上来检查 OneNote 文件中嵌入的有效负载文件名和扩展名,从而限制其暴露。
Palo Alto Networks customers are better protected from the threats discussed above through the following products:
Palo Alto Networks 客户通过以下产品可以更好地抵御上述威胁:
- Next-Generation Firewall with cloud-delivered security services including WildFire.
下一代防火墙,提供云交付的安全服务,包括 WildFire。
- Prisma Access devices with cloud-delivered security services including WildFire.
具有云交付安全服务(包括 WildFire)的 Prisma Access 设备。
- Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.
Cortex XDR 和 XSIAM 代理使用多层保护方法帮助防止开发后活动。
- The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Unit 42 事件响应团队也可以参与帮助达成妥协或提供主动评估以降低风险。
Indicators of Compromise
入侵指标
The following are links to our Github repository containing file hashes for the OneNote files and payloads discovered during our research for this article.
以下是指向 Github 存储库的链接,其中包含我们在本文研究期间发现的 OneNote 文件和有效负载的文件哈希。
Additional Resources 其他资源
