Author: Thomas Elkins
Contributors: Andrew Iwamaye, Matt Green, James Dunne, and Hernan Diaz
Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities.
Recently, we (Rapid7) observed malicious actors using OneNote files to deliver malicious code. We identified a specific technique that used OneNote files containing batch scripts, which upon execution started an instance of a renamed PowerShell process to decrypt and execute a base64 encoded binary. The base64 encoded binary subsequently decrypted a final payload, which we have identified to be either Redline Infostealer or AsyncRat.
This blog post walks through analysis of a OneNote file that delivered a Redline Infostealer payload.
Analysis of OneNote File
The attack vector began when a user was sent a OneNote file via a phishing email. Once the OneNote file was opened, the user was presented with the option to “Double Click to View File” as seen in Figure 1.
Figure 1 - OneNote file "Remittance" displaying the button “Double Click to View File”
We determined that the button “Double Click to View File” was moveable. Hidden underneath the button, we observed five shortcuts to a batch script,
nudm1.bat. The hidden placement of the shortcuts ensured that the user double-clicked on one of the shortcuts when interacting with the “Double Click to View File” button.
Figure 2 - Copy of Batch script
nudm1.bat revealed after moving “Double Click to View File” button
Once the user double clicked the button “Double Click to View File”, the batch script
nudm1.bat executed in the background without the user’s knowledge.
Analysis of Batch Script
In a controlled environment, we analyzed the batch script
nudm1.bat and observed variables storing values.
Figure 3 - Beginning contents of
Near the middle of the script, we observed a large section of base64 encoded data, suggesting at some point, the data would be decoded by the batch script.
Figure 4 - Base64 encoded data contained within
At the bottom of the batch script, we observed the declared variables being concatenated. To easily determine what the script was doing, we placed
echo commands in front of the concatenations. The addition of the echo commands allowed for the batch script to deobfuscate itself for us upon execution.
Figure 5 -
echo command placed in front of concatenated variables
We executed the batch file and piped the deobfuscated result to a text file. The text file contained a PowerShell script that was executed with a renamed PowerShell binary,
Figure 6 - Output after using
echo reveals PowerShell script
We determined the script performed the following:
Base64 decoded the data stored after
nudm1.bat, shown in Figure 4
AES Decrypted the base64 decoded data using the base64 Key
4O2hMB9pMchU0WZqwOxI/4wg3/QsmYElktiAnwD4Lqw=and base64 IV of
Decompressed the decrypted contents using gunzip
Reflectively loaded the decrypted and decompressed contents into memory
Using CyberChef, we replicated the identified decryption method to obtain a decrypted executable file.
Figure 7 - AES decryption via Cyberchef reveals MZ header
We determined the decrypted file was a 32-bit .NET executable and analyzed the executable using dnSpy.
Analysis of .NET 32-bit Executable
In dnSpy we observed the original file name was
tmpFBF7. We also observed that the file contained a resource named
Figure 8 - dnSpy reveals name of original program
tmpFBF7 and a
We navigated to the entry point of the file and observed base64 encoded strings. The base64 encoded strings were passed through a function
SRwvjAcHapOsRJfNBFxi. The function
SRwvjAcHapOsRJfNBFxi utilized AES decryption to decrypt data passed as argument.
Figure 9 - AES Decrypt Function
As seen in Figure 9, the function
SRwvjAcHapOsRJfNBFxi took in 3 arguments:
We replicated the decryption process from the function
SRwvjAcHapOsRJfNBFxi using CyberChef to decrypt the values of the base64 encoded strings. Figure 9 shows an example of the decryption process of the base64 encoded string
vYhBhJfROLULmQk1P9jbiqyIcg6RWlONx2FLYpdRzZA= from line 30 of Figure 7 to reveal a decoded and decrypted string of
Figure 10 - Using Cyberchef to replicate decryption of function
Repeating the decryption of the other base64 encoded strings revealed some anti-analysis and anti-AV checks performed by the executable:
IsDebuggerPresent CheckRemoteDuggerPresent AmsiScanBuffer
Other base64 encoded strings include:
EtwEventWrite /c choice /c y /n /d y /t 1 & attrib -h -s
After passing the anti-analysis and anti-AV checks, the executable called upon the
payload.exe resource in line 94 of the code. We determined that the
payload.exe resource was saved into the variable
Figure 11 -
@string storing payload.exe
On line 113, the variable
@string was passed into a new function,
aBTlNnlczOuWxksGYYqb, as well as the AES decryption function
Figure 12 -
@string being passed through function
aBTlNnlczOuWxksGYYqb decompressed content passed to it using Gunzip.
Figure 13 - Function
aBTlNnlczOuWxksGYYqb decompresses content using Gzip
Using CyberChef, we decrypted and decompressed the
payload.exe resource to obtain another 32-bit .NET executable, which we named
payload2.bin. Using Yara, we scanned
payload2.bin and determined it was related to the Redline Infostealer malware family.
Figure 14 - Yara Signature identifying
payload2.bin as Redline Infostealer
We also analyzed
payload2.bin in dnSpy.
Analysis of Redline Infostealer
We observed that the original final name of
Footstools and that a class labeled
Arguments contained the variables
Key. The variable
IP stored a base64 encoded value
Figure 15 - Global variable
IP set as Base64 encoded string
Key stored a UTF8 value of
Figure 16 - Global variable Key set with value
We identified that the variable
IP was called into a function, WriteLine(), which passed the variables
Key into a
String.Decrypt function as arguments.
Figure 17 - String.Decrypt being passed arguments
The function String.Decrypt was a simple function that XOR’ed input data with the value of
Figure 18 - StringDecrypt utilizing XOR decryption
Using Cyberchef, we replicated the String.Decrypt function for the 'IP' variable by XORing the base64 value shown in Figure 13 with the value of
Key shown in Figure 16 to obtain the decrypted value for the
IP variable, 172.245.45[.]213:3235.
Figure 19 - Using XOR in Cyberchef to reveal value of argument
Redline Info Stealer has the capability to steal credentials related to Cryptocurrency wallets, Discord data, as well as web browser data including cached cookies. Figure 19 shows functionality in Redline Infostealer that searches for known Cryptocurrency wallets.
Figure 20 - Redline Infostealer parsing for known Cryptocurrency wallet locations
Rapid7 has existing rules that detect the behavior observed within customers environments using our Insight Agent including:
Suspicious Process - Renamed PowerShell
OneNote Embedded File Parser
Rapid7 has also developed a OneNote file parser and detection artifact for Velociraptor. This artifact can be used to detect or extract malicious payloads like the one discussed in this post.
Filename - SHA1 HASH
Rem Adv.one - 61F9DBE256052D6315361119C7B7330880899D4C
Nudm1.bat - ADCE7CA8C1860E513FB70BCC384237DAE4BC9D26
tmpFBF7.tmp - F6F1C1AB9743E267AC5E998336AF917632D2F8ED
Footstools.exe - 6c404f19ec17609ad3ab375b613ea429e802f063
IP Address - 172.245.45[.]213
MITRE Attack Techniques
- T1027 - Obfuscated Files or Information
- T1036 - Masquerading
- T1070.006 - Timestomp
- T1497 - Virtualization/Sandbox Evasion
- T1562.001- Disable or Modify Tools
- T1057 - Process Discovery
- T1082 - System Information Discovery
- T1012 - Query Registry
- T1016 - System Network Configuration Discovery
- T1083 - File and Directory Discovery
.one attachments at the network perimeter or with an antiphishing solution if
.one files are not business-critical
User awareness training
If possible, implement signatures to search for PowerShell scripts containing reverse strings such as
Watch out for OneNote as the parent process of cmd.exe executing a .bat file
Source Link: https://blog.rapid7.com/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/